
@rosplk (Contributor) commented Nov 12, 2025

This PR introduces new analytics to detect Local LLM execution and shadow AI artifacts. Below is a breakdown of what was added.

New Analytics [3]

  • LLM Model File Creation
  • Local LLM Framework DNS Query
  • Windows Local LLM Framework Execution

New Analytic Story [1]

  • Suspicious Local LLM Frameworks

@nasbench nasbench added this to the v5.19.0 milestone Nov 14, 2025
@nasbench nasbench removed the WIP DO NOT MERGE Work in Progress label Nov 20, 2025
@nasbench (Contributor) commented:

Working on updating the detection to use CIM where possible.

@nasbench (Contributor) commented:

@rosplk @patel-bhavin, I made changes to the analytics so they are more CIM-friendly, and I merged some as they were overlapping. The coverage should be the same.

One is failing, idk why, and I can't seem to find the data on Endor to check. So @patel-bhavin, when you have some time, check it out.

@patel-bhavin (Contributor) commented Nov 21, 2025

@rosplk please avoid adding raw links in this format: https://raw.githubusercontent.com/splunk and .txt.

The preferred way is for it to be a Git LFS file, just like all the other YAMLs:
https://media.githubusercontent.com/media/splunk/attack_data

Also, your current attack data size is 21k events for 2 detections: strongly consider shipping atomic datasets specific to the detection in the future.

Fixed that in here: splunk/attack_data#1096 .

Also, you are strongly encouraged to use DMs where feasible, and if not, use TA-built extractions.

@nasbench - Thank you for fixing up the detections to use TA fields 😸 I have pushed the remaining changes!

@patel-bhavin patel-bhavin changed the title Rodshai Rod- Suspicious Local LLM Frameworks Nov 21, 2025
3 participants