Detection rules › Splunk
Local LLM Framework DNS Query
Detects DNS queries related to local LLM models on endpoints by monitoring Sysmon DNS query events (Event ID 22) for known LLM model domains and services. Local LLM frameworks like Ollama, LM Studio, and GPT4All make DNS calls to repositories such as huggingface.co and ollama.ai for model downloads, updates, and telemetry. These queries can reveal unauthorized AI tool usage or data exfiltration risks on corporate networks.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1590 Gather Victim Network Information |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
Rule body splunk
name: Local LLM Framework DNS Query
id: d7ceffc5-a45e-412b-b9fa-2ba27c284503
version: 2
creation_date: '2025-11-24'
modification_date: '2026-05-13'
author: Rod Soto
status: production
type: Hunting
description: |
Detects DNS queries related to local LLM models on endpoints by monitoring Sysmon DNS query events (Event ID 22) for known LLM model domains and services.
Local LLM frameworks like Ollama, LM Studio, and GPT4All make DNS calls to repositories such as huggingface.co and ollama.ai for model downloads, updates, and telemetry.
These queries can reveal unauthorized AI tool usage or data exfiltration risks on corporate networks.
data_source:
- Sysmon EventID 22
search: |
`sysmon`
EventCode=22
QueryName IN (
"*huggingface*",
"*ollama*",
"*jan.ai*",
"*gpt4all*",
"*nomic*",
"*koboldai*",
"*lmstudio*",
"*modelscope*",
"*civitai*",
"*oobabooga*",
"*replicate*",
"*anthropic*",
"*openai*",
"*openrouter*",
"*api.openrouter*",
"*aliyun*",
"*alibabacloud*",
"*dashscope.aliyuncs*"
)
NOT Image IN (
"*\\MsMpEng.exe",
"C:\\ProgramData\\*",
"C:\\Windows\\System32\\*",
"C:\\Windows\\SysWOW64\\*"
)
| stats count
min(_time) as firstTime
max(_time) as lastTime
by src Image process_name QueryName query_count answer answer_count reply_code_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `local_llm_framework_dns_query_filter`
how_to_implement: |
Ensure Sysmon is deployed across Windows endpoints and configured to capture DNS query events (Event ID 22). Configure Sysmon's XML configuration file to log detailed command-line arguments, parent process information, and full process image paths. Ingest Sysmon event logs into Splunk via the Splunk Universal Forwarder or Windows Event Log Input, ensuring they are tagged with `sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`. Verify the `sysmon` macro exists in your Splunk environment and correctly references the Sysmon event logs. Create or update the `unauthorized_local_llm_framework_usage_filter` macro in your detections/filters folder to exclude approved systems, authorized developers, sanctioned ML/AI workstations, or known development/lab environments as needed. Deploy this hunting search to your Splunk Enterprise Security or Splunk Enterprise instance and schedule it to run on a regular cadence to detect unauthorized LLM model DNS queries and shadow AI activities. Correlate findings with endpoint asset inventory and user identity data to prioritize investigation.
known_false_positives: |
Legitimate DNS queries to LLM model hosting platforms by authorized developers, ML engineers, and researchers during model training, fine-tuning, or experimentation. Approved AI/ML sandboxes and lab environments where LLM model downloads are expected. Automated ML pipelines and workflows that interact with LLM model hosting services as part of their normal operation. Third-party applications and services that access LLM model platforms for legitimate purposes.
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://www.splunk.com/en_us/blog/artificial-intelligence/splunk-technology-add-on-for-ollama.html
- https://blogs.cisco.com/security/detecting-exposed-llm-servers-shodan-case-study-on-ollama
analytic_story:
- Suspicious Local LLM Frameworks
asset_type: Endpoint
mitre_attack_id:
- T1590
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/local_llms/sysmon_dns.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
test_type: unit
Stages and Predicates
Stage 1: search
`sysmon`
EventCode=22
QueryName IN (
"*huggingface*",
"*ollama*",
"*jan.ai*",
"*gpt4all*",
"*nomic*",
"*koboldai*",
"*lmstudio*",
"*modelscope*",
"*civitai*",
"*oobabooga*",
"*replicate*",
"*anthropic*",
"*openai*",
"*openrouter*",
"*api.openrouter*",
"*aliyun*",
"*alibabacloud*",
"*dashscope.aliyuncs*"
)
NOT Image IN (
"*\\MsMpEng.exe",
"C:\\ProgramData\\*",
"C:\\Windows\\System32\\*",
"C:\\Windows\\SysWOW64\\*"
)
Stage 2: stats
| stats count
min(_time) as firstTime
max(_time) as lastTime
by src Image process_name QueryName query_count answer answer_count reply_code_id vendor_product
Stage 3: search
| `security_content_ctime(firstTime)`
Stage 4: search
| `security_content_ctime(lastTime)`
Stage 5: search
| `local_llm_framework_dns_query_filter`
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
Image | in | "*\\MsMpEng.exe", "C:\\ProgramData\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\System32\\*" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.