Suspicious Processes Connecting to Large Language Model Endpoints
This rule detects DNS queries to known Large Language Model (LLM) domains by unsigned binaries or common Windows scripting utilities, indicating potential command and control activity leveraging LLMs for dynamic actions on compromised systems.
This detection identifies instances where suspicious processes are communicating with known Large Language Model (LLM) endpoints. The activity suggests potential command and control behavior, where malware or unauthorized scripts leverage LLMs to dynamically execute actions on compromised systems. This behavior emerged in late 2025 and continues to evolve. The rule focuses on detecting DNS queries originating from unsigned binaries or common scripting utilities like PowerShell, mshta.exe, and wscript.exe. The targeting scope includes both Windows and macOS systems. Defenders should be aware of this technique as attackers increasingly integrate LLMs to enhance malware capabilities and evade traditional detection methods.
Attack Chain
- A user inadvertently executes a malicious script or binary, potentially delivered through social engineering or drive-by download.
- The malicious script, such as a PowerShell script or JavaScript within mshta.exe, is launched.
- The script executes code to perform reconnaissance, gathering system information or user credentials.
- The script constructs a query for a Large Language Model (LLM) endpoint, such as api.openai.com, using a common scripting utility.
- The DNS query is resolved, and a network connection is established to the LLM API endpoint, bypassing standard network security controls.
- The malicious script sends data to the LLM API, requesting instructions or performing tasks such as code generation or data exfiltration.
- The LLM responds with instructions or processed data, which the script then executes on the compromised system.
- The attacker gains control over the compromised system by leveraging the LLM to perform various malicious activities, like lateral movement or data theft.
Impact
Compromised systems could be remotely controlled via LLM APIs, allowing attackers to perform data exfiltration, lateral movement, or deploy ransomware. Successful exploitation can lead to significant data breaches, financial loss, and reputational damage. The number of victims is currently unknown, but the attack vector affects organizations across all sectors.
Recommendation
- Deploy the Sigma rules in this brief to your SIEM to identify suspicious processes querying LLM endpoints.
- Enable DNS query logging on both Windows and macOS endpoints to provide the necessary data source for the detections.
- Investigate any alerts generated by the Sigma rules, focusing on identifying the parent process and associated network activity.
- Implement application control policies to restrict the execution of unsigned binaries and common scripting utilities from untrusted locations.
- Review and update network firewall rules to restrict outbound connections to known malicious or suspicious domains.
- Monitor process creation events for command-line arguments that indicate the use of scripting engines to perform DNS queries to LLM domains.
Detection coverage 3
Suspicious Process DNS Query to LLM API Endpoint
Level: medium. Detects suspicious processes making DNS queries to LLM API endpoints.
Scripting Utility Querying LLM API Endpoint
Level: high. Detects scripting utilities making DNS queries to LLM API endpoints.
macOS process DNS query LLM API Endpoint
Level: medium. Detects processes on macOS making DNS queries to LLM API endpoints.
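The rule queries themselves are not reproduced on this page. The following is an added example, not the platform's rule logic, showing how the three detections above can be expressed as a triage function over DNS-query telemetry. The field names (`image`, `signed`, `query`), the second domain in the list, and the sample events are assumptions constructed for illustration.

```python
# Added example: triage DNS-query telemetry for LLM API lookups.
# Field names (image, signed, query) are hypothetical, not a specific EDR schema.
import ntpath

# api.openai.com is named in the brief; the second entry is an assumed addition.
LLM_DOMAINS = {"api.openai.com", "api.anthropic.com"}
# Scripting utilities named in the brief.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe"}


def is_llm_domain(query: str) -> bool:
    """Match an LLM domain or a subdomain of it, only on a label boundary."""
    name = query.strip().rstrip(".").lower()  # normalise case and trailing root dot
    return any(name == d or name.endswith("." + d) for d in LLM_DOMAINS)


def classify(event: dict):
    """Return 'high', 'medium' or None for one DNS-query event."""
    if not is_llm_domain(event.get("query", "")):
        return None
    # ntpath handles both backslash and forward-slash paths on any host OS.
    proc = ntpath.basename(event.get("image", "")).lower()
    if proc in SCRIPT_HOSTS:
        return "high"      # scripting utility querying an LLM endpoint
    if not event.get("signed", False):
        return "medium"    # unsigned binary (missing signature info counts as unsigned)
    return None            # signed, non-scripting process: not covered by these rules


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "signed": True, "query": "API.OpenAI.com."},
    {"image": r"C:\Users\a\AppData\Local\Temp\upd.exe", "signed": False, "query": "api.openai.com"},
    {"image": r"C:\Program Files\App\app.exe", "signed": True, "query": "api.openai.com"},
    {"image": r"C:\Windows\System32\wscript.exe", "signed": True, "query": "api.openai.com.example.net"},
    {"image": "/Users/a/Downloads/helper", "signed": False, "query": "api.anthropic.com"},
]


def triage(events):
    """Return (level, process image, query) for every event that alerts."""
    return [(lvl, e["image"], e["query"]) for e in events if (lvl := classify(e))]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

The fourth sample event does not alert because the query only contains an LLM domain as a prefix of a different zone; matching on the label boundary avoids both that false positive and look-alike names such as `notapi.openai.com`.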