
Summary
This detection rule identifies DNS queries for known large language model (LLM) API domains that originate from unsigned binaries or from common Windows scripting utilities. An adversary with a foothold on a compromised host may call a hosted LLM to perform tasks dynamically, so the query pattern itself is a useful signal. The rule is written in EQL (Event Query Language) and correlates the DNS question name against a list of known LLM API endpoints (for example OpenAI, Google and Hugging Face API hostnames) with the execution characteristics of the querying process, such as its name, path and code-signature status. Signed, trusted applications that legitimately talk to these services are excluded so that ordinary browser and desktop-client traffic does not alert. The rule includes investigation steps for triaging an alert, covering both incident response and false-positive handling, and maps to the MITRE ATT&CK technique T1102 (Web Service) under Command and Control.
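The following is an added illustrative example, written in Python rather than EQL, of the matching logic the summary describes: alert when a DNS query for an LLM API domain is issued by a scripting host or by a binary whose code signature is not trusted, and filter out signed, trusted applications. It is not the rule's own query. The domain list, the set of scripting utilities, the event fields and the sample events are assumptions for this example; the real rule carries its own lists and exclusions.

```python
"""Illustrative re-implementation of the detection logic (example code, not the rule).

Assumed inputs: one event per DNS query, enriched with the querying process's
name, path and whether its code signature is trusted. Lists below are assumptions.
"""
from dataclasses import dataclass

# Assumed LLM API hostnames; the real rule lists the exact endpoints it covers.
LLM_DOMAINS = (
    "api.openai.com",
    "generativelanguage.googleapis.com",
    "api-inference.huggingface.co",
)

# Assumed scripting hosts that should alert even though they carry a valid
# vendor signature: a signed interpreter running attacker script is the
# concern, so signature trust alone must not suppress these.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
    "mshta.exe", "rundll32.exe",
}


@dataclass(frozen=True)
class DnsEvent:
    process_name: str
    process_path: str
    query: str            # dns.question.name
    signature_trusted: bool


def is_llm_domain(query: str) -> bool:
    """Exact or subdomain match against the LLM domain list, case-insensitive,
    tolerating a trailing dot as resolvers sometimes log it."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in LLM_DOMAINS)


def matches(ev: DnsEvent) -> bool:
    """True when the event satisfies the rule's conditions."""
    if not is_llm_domain(ev.query):
        return False
    if ev.process_name.lower() in SCRIPT_HOSTS:
        return True          # scripting utility: alert regardless of signature
    if not ev.signature_trusted:
        return True          # unsigned or untrusted binary
    return False             # signed, trusted, non-script process: filtered out


def detect(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if matches(e)]


# Constructed sample events for the demonstration (not real telemetry).
SAMPLE_EVENTS = [
    DnsEvent("powershell.exe",
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "api.openai.com", True),                       # alerts: script host
    DnsEvent("chrome.exe",
             r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "api.openai.com", True),                       # filtered: trusted app
    DnsEvent("tool.exe", r"C:\Users\Public\tool.exe",
             "generativelanguage.googleapis.com", False),   # alerts: unsigned
    DnsEvent("powershell.exe",
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "www.update.microsoft.com", True),             # not an LLM domain
    DnsEvent("svchost.exe", r"C:\Windows\System32\svchost.exe",
             "api-inference.huggingface.co.", True),        # filtered: trusted, signed
]


def run_sample():
    """Apply the logic to the constructed events; used by the demo below."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"ALERT {hit.process_name} ({hit.process_path}) -> {hit.query}")
```

When triaging a hit from this logic, the two branches call for different checks: a scripting-host alert warrants looking at the script content and the parent process, while an unsigned-binary alert warrants checking the file's origin and hash before deciding whether it is an unsigned but legitimate internal tool to add to the exclusions.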
Categories
- Endpoint
- Windows
Data Sources
- Network Traffic
- Process
- Application Log
ATT&CK Techniques
- T1102
Created: 2025-09-01