Rod- Suspicious Local LLM Frameworks#3780

Merged

patel-bhavin merged 29 commits intodevelopfrom

Nov 24, 2025

Contributor

rosplk commented Nov 12, 2025 •

edited by nasbench

Loading

This PR introduces new analytics to detect Local LLM execution and shadow AI artifacts. Below is a breakdown of what was added.

New Analytics [3]

LLM Model File Creation
Local LLM Framework DNS Query
Windows Local LLM Framework Execution

New Analytic Story [1]

Suspicious Local LLM Frameworks

rosplk added 9 commits

November 12, 2025 09:47


          newstory

0bc6470


          firstdet

66e5a8a


          fixeddatasets

ab083a1


          4688locallmdiscovery

ebe530b


          sys1

11488f2


          sysmon

ebb4f1e


          secsys

233c0a6


          llmdns

7304cfc


          suspdownfix

7d2ceb6

rosplk requested review from ljstella and patel-bhavin as code owners

November 12, 2025 23:57

github-actions bot added Detections Stories labels

rosplk assigned patel-bhavin, nasbench and rosplk and unassigned patel-bhavin and nasbench

rosplk requested a review from nasbench

November 13, 2025 00:27

patel-bhavin reviewed

View reviewed changes

detections/endpoint/local_llm_model_dns_queries.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/unauthorized_local_llm_framework_usage.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/unauthorized_local_llm_framework_usage.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/suspicious_local_llm_framework.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/suspicious_local_llm_framework.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/suspicious_local_llm_framework.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/suspicious_local_llm_framework_download_and_execution_via_sysmon.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/unauthorized_llm_model_file_creation_on_endpoint.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

stories/suspicious_local_llm_frameworks.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/suspicious_local_llm_framework_download_and_execution_via_sysmon.yml Outdated Show resolved Hide resolved

nasbench reviewed

View reviewed changes

detections/endpoint/suspicious_local_llm_framework.yml Outdated Show resolved Hide resolved

detections/endpoint/suspicious_local_llm_framework_download_and_execution_via_sysmon.yml Outdated Show resolved Hide resolved

detections/endpoint/unauthorized_local_llm_framework_usage.yml Outdated Show resolved Hide resolved

rosplk and others added 10 commits

November 18, 2025 21:44


          windowsexecutionoflocallllmdet

f5b7a08


          fixeddetections

32eaac6


          deletedold

94c5c8e


          fixedsearch

a39017b


          fixedsuspiciouslocalllmframeworkprocessexecnospath

d7e72b3


          Merge branch 'develop' into rodshai

8637e9f


          fixedhowtoimplement

e238ef6


          fixhowtoimp

6ecbaaa


          fixdescription

6fbb3ba


          moredetails

7fd8190

nasbench removed the WIP label

patel-bhavin reviewed

View reviewed changes

detections/endpoint/suspicious_local_llm_framework_download_and_execution_via_sysmon.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/unauthorized_llm_model_file_creation_on_endpoint.yml Outdated Show resolved Hide resolved

patel-bhavin reviewed

View reviewed changes

detections/endpoint/unauthorized_local_llm_framework_usage.yml Outdated Show resolved Hide resolved

stories/suspicious_local_llm_frameworks.yml Outdated Show resolved Hide resolved

Contributor

nasbench commented Nov 20, 2025

Working on updating the detection to use CIM where possible.

nasbench added 4 commits

November 21, 2025 00:45


          update detections

099db85


          small fixes

b66a683


          updates

9c75fca


          small change

22ace95

Contributor

nasbench commented Nov 21, 2025

@rosplk @patel-bhavin made changes to the analytics so they are more CIM friendly and I merged some as they were overlapping. The coverage should be the same.

One is failing idk why and i cant see to find the data on Endor to check. So @patel-bhavin when you have some time to check it out,

patel-bhavin and others added 3 commits

November 21, 2025 08:48


          Merge branch 'develop' into rodshai


          various fixes

ce28534


          remove dd for hunting detections

8d9cd1e

Contributor

patel-bhavin commented Nov 21, 2025 •

edited

Loading

@rosplk please avoid adding raw links in this format : https://raw.githubusercontent.com/splunk and .txt.

The preferred way is such that it is a GIT LFS file just like all other yamls -
https://media.githubusercontent.com/media/splunk/attack_data

Also, your current attack data size is 21k events for 2 detections: strongly consider shipping atomic datasets specific to the detection for future

Fixed that in here: splunk/attack_data#1096 .

Also, strongly encouraged to use DMs where feasible and if not use TA built extractions

@nasbench - Thank you for fixing up the detections to use TA fields 😸 I have pushed the remaining changes!

patel-bhavin changed the title ~~Rodshai~~ Rod- Suspicious Local LLM Frameworks


          Merge branch 'develop' into rodshai

patel-bhavin approved these changes

View reviewed changes

nasbench approved these changes

View reviewed changes

patel-bhavin merged commit b53280a into develop

4 checks passed

patel-bhavin deleted the rodshai branch

November 24, 2025 21:06

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Detections Stories