From ab34f25e5482b0daf10cd1d7883df3580f79c176 Mon Sep 17 00:00:00 2001
From: "Mika Ayenson, PhD"
Date: Mon, 12 Jan 2026 11:05:15 -0600
Subject: [PATCH] [New Rules] Ollama Detections (#5546)
---
 ...ial_access_ollama_api_external_access.toml | 102 ++++++++++++++++++
 ...llama_model_download_untrusted_source.toml | 86 +++++++++++++++
 2 files changed, 188 insertions(+)
 create mode 100644 rules/cross-platform/initial_access_ollama_api_external_access.toml
 create mode 100644 rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml
diff --git a/rules/cross-platform/initial_access_ollama_api_external_access.toml b/rules/cross-platform/initial_access_ollama_api_external_access.toml
new file mode 100644
index 000000000..4a059992f
--- /dev/null
+++ b/rules/cross-platform/initial_access_ollama_api_external_access.toml
@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2026/01/09"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2026/01/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when the Ollama LLM server accepts connections from external IP addresses. Ollama lacks built-in authentication,
+so exposed instances allow unauthenticated model theft, prompt injection, and resource hijacking.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Ollama API Accessed from External Network"
+note = """## Triage and analysis
+
+### Investigating Ollama API Accessed from External Network
+
+This rule detects when Ollama accepts connections from external IP addresses. Ollama binds to localhost:11434 by default but can be exposed via OLLAMA_HOST. Since Ollama lacks authentication, exposed instances allow unauthenticated model theft, prompt injection, and resource hijacking.
+
+### Possible investigation steps
+
+- Check the OLLAMA_HOST environment variable to determine if external exposure was intentional.
+- Review the source IP address to identify if it's a known attacker, scanner, or miscategorized internal system.
+- Examine Ollama logs for suspicious API calls to /api/pull, /api/push, or /api/generate.
+- Check ~/.ollama/models/ for unexpected model downloads that may indicate model poisoning.
+- Review network traffic for data exfiltration following the connection.
+- Look for child processes spawned by Ollama that may indicate exploitation.
+
+### False positive analysis
+
+- Internal networks not properly classified in CIDR ranges may trigger false positives.
+- Load balancers or reverse proxies accessing Ollama from external-facing IPs within trusted infrastructure.
+- Legitimate remote access through VPN or authenticated proxy (add proxy IPs to exclusions).
+
+### Response and remediation
+
+- Restrict access immediately by setting OLLAMA_HOST=127.0.0.1:11434 or applying firewall rules.
+- If exploitation is suspected, stop Ollama and audit ~/.ollama/models/ for unauthorized models.
+- Review Ollama and system logs for signs of compromise.
+- Consider running Ollama in a container with network isolation.
+"""
+references = [
+ "https://www.greynoise.io/blog/threat-actors-actively-targeting-llms",
+ "https://atlas.mitre.org/techniques/AML.T0040",
+ "https://atlas.mitre.org/techniques/AML.T0044",
+]
+risk_score = 47
+rule_id = "d8f2a1b3-c4e5-6789-abcd-ef0123456789"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Domain: LLM",
+ "Mitre Atlas: T0040",
+ "Mitre Atlas: T0044",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+network where event.action == "connection_accepted" and
+ process.name in ("ollama", "ollama.exe") and
+ destination.port == 11434 and
+ source.ip != null and source.ip != "0.0.0.0" and
+ not cidrmatch(source.ip,
+ "10.0.0.0/8",
+ "127.0.0.0/8",
+ "169.254.0.0/16",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ "100.64.0.0/10",
+ "::1",
+ "fe80::/10",
+ "fc00::/7",
+ "ff00::/8"
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml
new file mode 100644
index 000000000..5701fe075
--- /dev/null
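Review bot: The query pins `destination.port == 11434`, yet the description and triage note say the listener is exposed via OLLAMA_HOST, which also chooses the port, so an instance bound to something like `0.0.0.0:8080` never matches even though `event.action == "connection_accepted"` plus `process.name in ("ollama", "ollama.exe")` already scope the rule to Ollama's inbound sockets. Either drop the port clause, or keep it for noise control and state the gap in the note so analysts do not read an absence of alerts as proof of no exposure. Separately, `"::1"` in `cidrmatch` is a bare address among CIDR blocks; `"::1/128"` is unambiguous regardless of whether the EQL implementation tolerates a prefix-less entry, and adding `"0.0.0.0/8"` and `"::/128"` there would make the separate `source.ip != "0.0.0.0"` test redundant. The `rule_id` value `d8f2a1b3-c4e5-6789-abcd-ef0123456789` reads as a hand-typed sequence rather than a generated UUID; a random v4 value avoids colliding with anything else typed the same way.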
+++ b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml 
@@ -0,0 +1,86 @@
+[metadata]
+creation_date = "2026/01/09"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2026/01/09"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects Ollama DNS queries to domains outside official infrastructure. Adversaries can redirect Ollama to pull models
+from attacker-controlled servers via OLLAMA_HOST or custom manifests. Malicious models may contain backdoors, exploit
+parsing vulnerabilities like CVE-2025-1975, or poison inference outputs.
+"""
+from = "now-119m"
+index = ["logs-endpoint.events.network-*"]
+interval = "60m"
+language = "eql"
+license = "Elastic License v2"
+name = "Ollama DNS Query to Untrusted Domain"
+references = [
+ "https://www.greynoise.io/blog/threat-actors-actively-targeting-llms",
+ "https://atlas.mitre.org/techniques/AML.T0010.003",
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-1975",
+]
+risk_score = 21
+rule_id = "e9a3b2c1-d4f5-6789-0abc-def123456789"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Domain: LLM",
+ "Mitre Atlas: T0010.003",
+ "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+network where event.action == "lookup_requested" and
+ process.name in ("ollama", "ollama.exe") and
+ dns.question.name != null and
+ not dns.question.name : (
+ "ollama.ai", "*.ollama.ai", "ollama.com", "*.ollama.com",
+ "github.com", "*.github.com", "*.githubusercontent.com",
+ "*.r2.cloudflarestorage.com", "*.cloudflare.com", "*.cloudflarestorage.com",
+ "localhost", "*.local", "*.internal", "*.localdomain"
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
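Review bot: The allowlist in the query exempts `"*.r2.cloudflarestorage.com"`, `"*.cloudflarestorage.com"` and `"*.githubusercontent.com"`, which are general-purpose hosting domains any adversary can publish to, so a manifest or model blob served from an attacker's own R2 bucket or raw GitHub URL is precisely the case this rule would not see. If the official registry redirects blob downloads to a fixed R2 hostname, narrow the entry to that hostname; otherwise at least state in the description that these shared hosts are trusted wholesale so consumers know the blind spot. The description also says models can be redirected `via OLLAMA_HOST`; as far as I can tell that variable points the client at an Ollama server rather than selecting a registry, and third-party registries are chosen through the registry prefix in the model name, so the wording is worth confirming before it ships. As in the sibling rule, `rule_id = "e9a3b2c1-d4f5-6789-0abc-def123456789"` looks hand-typed rather than a generated UUID.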