Ollama DNS Query to Untrusted Domain
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.
Detects DNS queries made by the Ollama process to domains outside Ollama's official distribution infrastructure (its registry domains, GitHub, and the Cloudflare storage that serves model blobs). Adversaries can redirect Ollama to pull models from attacker-controlled servers via OLLAMA_HOST or custom manifests. Malicious models may contain backdoors, exploit parsing vulnerabilities like CVE-2025-1975, or poison inference outputs.
Rule type: eql
Rule indices:
- logs-endpoint.events.network-*
Severity: low
Risk score: 21
Runs every: 60m
Searches indices from: now-119m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- OS: macOS
- OS: Windows
- Use Case: Threat Detection
- Tactic: Command and Control
- Data Source: Elastic Defend
- Domain: LLM
- Mitre Atlas: T0010.003
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
network where event.action == "lookup_requested" and
process.name in ("ollama", "ollama.exe") and
dns.question.name != null and
not dns.question.name : (
"ollama.ai", "*.ollama.ai", "ollama.com", "*.ollama.com",
"github.com", "*.github.com", "*.githubusercontent.com",
"*.r2.cloudflarestorage.com", "*.cloudflare.com", "*.cloudflarestorage.com",
"localhost", "*.local", "*.internal", "*.localdomain"
)
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Ingress Tool Transfer
  - ID: T1105
  - Reference URL: https://attack.mitre.org/techniques/T1105/
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Supply Chain Compromise
  - ID: T1195
  - Reference URL: https://attack.mitre.org/techniques/T1195/
- Sub-technique:
  - Name: Compromise Software Supply Chain
  - ID: T1195.002
  - Reference URL: https://attack.mitre.org/techniques/T1195/002/