Techniques
Sample rules
LLM Model File Creation
- source: splunk
- technicques:
- T1543
Description
Detects the creation of Large Language Model (LLM) files on Windows endpoints by monitoring file creation events for specific model file formats and extensions commonly used by local AI frameworks. This detection identifies potential shadow AI deployments, unauthorized model downloads, and rogue LLM infrastructure by detecting file creation patterns associated with quantized models (.gguf, .ggml), safetensors model format files, and Ollama Modelfiles. These file types are characteristic of local inference frameworks such as Ollama, llama.cpp, GPT4All, LM Studio, and similar tools that enable running LLMs locally without cloud dependencies. Organizations can use this detection to identify potential data exfiltration risks, policy violations related to unapproved AI usage, and security blind spots created by decentralized AI deployments that bypass enterprise governance and monitoring.
Detection logic
| tstats `security_content_summariesonly` count
min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Filesystem
where Filesystem.file_name IN (
"*.gguf*",
"*ggml*",
"*Modelfile*",
"*safetensors*"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `llm_model_file_creation_filter`