2024-07-15 // Dylan Evans

Suspicious Ollama API Connections and AI Command Execution

Defender XDR

Detects suspicious activity related to PromptLock ransomware, which abuses the Ollama AI API for command execution and lateral movement.

Tags: ransomware, lateral-movement, ai-tooling, go-execution, network-connection

Suspicious AI Activity Related to PromptLock Ransomware

Overview

This detection identifies suspicious activity associated with PromptLock, a ransomware strain that exploits the Ollama AI API (port 11434) for command execution and lateral movement. It flags:

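  • Network connections to Ollama’s default port initiated by common scripting and transfer tools (go.exe, curl.exe, wget.exe, python.exe, python3.exe, powershell.exe, pwsh.exe).
  • HTTP requests to URLs containing "ollama" where the User-Agent contains go-http-client.
  • Process creations where the process or its parent has "ollama" in the command line.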

PromptLock abuses the open-source AI framework to evade detection by mimicking legitimate AI workflows while executing malicious payloads.

Query

let timeframe = 24h;
let ollama_port = 11434;
let common_tools = dynamic(["go.exe", "curl.exe", "wget.exe", "python.exe", "python3.exe", "powershell.exe", "pwsh.exe"]);
let suspicious_events = union isfuzzy=true
// Leg 1: common tools connecting to the default Ollama port
(DeviceNetworkEvents
| where Timestamp >= ago(timeframe)
| where RemotePort == ollama_port and InitiatingProcessFileName in~ (common_tools)
| extend UserAgent = tostring(parse_json(AdditionalFields).UserAgent)
| project Timestamp, DeviceId, DeviceName, AccountName = InitiatingProcessAccountName, ProcessName = InitiatingProcessFileName, ProcessCommandLine = InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, UserAgent, ActivityType = "NetworkToOllamaPort"
),
// Leg 2: Go HTTP clients requesting URLs that contain "ollama"
(DeviceNetworkEvents
| where Timestamp >= ago(timeframe)
| where RemoteUrl contains "ollama"
| extend UserAgent = tostring(parse_json(AdditionalFields).UserAgent)
| where UserAgent contains "go-http-client"
| project Timestamp, DeviceId, DeviceName, AccountName = InitiatingProcessAccountName, ProcessName = InitiatingProcessFileName, ProcessCommandLine = InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, UserAgent, ActivityType = "GoClientToOllamaUrl"
),
// Leg 3: process creations with "ollama" in the process or parent command line
(DeviceProcessEvents
| where Timestamp >= ago(timeframe)
| where ActionType == "ProcessCreated" and (ProcessCommandLine contains "ollama" or InitiatingProcessCommandLine contains "ollama")
// KQL has no bare null literal: use typed nulls, and empty strings for string columns
| project Timestamp, DeviceId, DeviceName, AccountName, ProcessName = FileName, ProcessCommandLine, RemoteIP = "", RemotePort = int(null), RemoteUrl = "", UserAgent = "", ActivityType = "OllamaInCommandLine"
);
suspicious_events
| summarize StartTime = min(Timestamp), EndTime = max(Timestamp), ActivityTypes = make_set(ActivityType), RemoteIPs = make_set(RemoteIP), RemoteUrls = make_set(RemoteUrl), UserAgents = make_set(UserAgent) by DeviceId, DeviceName, AccountName, ProcessName, ProcessCommandLine
| extend ReportId = strcat(DeviceId, "-", tostring(hash_sha256(strcat(DeviceName, ProcessName, ProcessCommandLine))))
| extend AlertTitle = "Suspicious AI activity related to PromptLock Ransomware Activity"
| extend AlertDescription = strcat("Potential PromptLock activity detected on host ", DeviceName, " by user ", AccountName, ". Observed activities: ", tostring(ActivityTypes), ". Process: ", ProcessName, " with command line: ", ProcessCommandLine)
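// Keep DeviceName and the alert text computed above in the output
| project DeviceId, DeviceName, Timestamp = StartTime, ReportId, AlertTitle, AlertDescription, AccountName, ProcessName, ProcessCommandLine, EndTime, ActivityTypes, RemoteIPs, RemoteUrls, UserAgents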

Logic Explanation

The query unions three detection vectors:

  1. Network connections to Ollama’s default port (11434) initiated by the tools in common_tools (go.exe, curl.exe, wget.exe, Python, and PowerShell).
  2. HTTP requests to URLs containing "ollama" from Go HTTP clients (go-http-client in the User-Agent).
  3. Process creations with ollama-related strings in the process or parent command line (e.g., ollama run, ollama pull).

Aggregation groups events by device, user, process, and command line to surface correlated activity. The report ID is the DeviceId followed by a SHA256 hash of the host name, process name, and command line, which is used for deduplication.

Tuning Notes

  • False-positive risk: Legitimate AI tooling (e.g., curl in CI/CD pipelines) may trigger NetworkToOllamaPort. Exclude known-good IP ranges or domains.
  • Command-line noise: Non-malicious use of ollama (e.g., Docker containers) could appear in ProcessCreated events. Add an allowlist for expected Ollama versions (ollama version output).
  • User-Agent ambiguity: Some legitimate AI services may use go-http-client. Consider adding a threshold on suspicious UserAgent patterns (e.g., obfuscated strings).
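
The three legs, the grouping step, and the known-good IP exclusion from the first tuning note can be exercised offline before the rule is deployed. The Python below is an added example, not part of the original detection: the event field names, the KNOWN_GOOD range, and every sample event are constructed assumptions, and the ReportId only mirrors the query's construction.

```python
import hashlib
import ipaddress
from collections import defaultdict

OLLAMA_PORT = 11434
COMMON_TOOLS = {"go.exe", "curl.exe", "wget.exe", "python.exe", "python3.exe", "powershell.exe", "pwsh.exe"}
# Assumption: constructed range standing in for sanctioned Ollama servers (the known-good exclusion).
KNOWN_GOOD = [ipaddress.ip_network("10.20.30.0/24")]

def known_good(ip):
    return bool(ip) and any(ipaddress.ip_address(ip) in cidr for cidr in KNOWN_GOOD)

def activity_types(ev):
    """Labels the three union legs would assign to one event (KQL 'contains' is case-insensitive)."""
    hits = []
    if ev["table"] == "net":
        if ev["port"] == OLLAMA_PORT and ev["proc"].lower() in COMMON_TOOLS and not known_good(ev["ip"]):
            hits.append("NetworkToOllamaPort")
        if "ollama" in ev["url"].lower() and "go-http-client" in ev["ua"].lower():
            hits.append("GoClientToOllamaUrl")
    elif "ollama" in ev["cmd"].lower() or "ollama" in ev["parent_cmd"].lower():
        hits.append("OllamaInCommandLine")
    return hits

def detect(events):
    """Group hits by device, account, process and command line, like the summarize step."""
    groups = defaultdict(set)
    for ev in events:
        key = (ev["device_id"], ev["device"], ev["account"], ev["proc"], ev["cmd"])
        for label in activity_types(ev):
            groups[key].add(label)
    alerts = []
    for (dev_id, dev, acct, proc, cmd), types in groups.items():
        digest = hashlib.sha256((dev + proc + cmd).encode()).hexdigest()
        alerts.append(dict(ReportId=f"{dev_id}-{digest}", DeviceName=dev, ProcessName=proc, ActivityTypes=sorted(types)))
    return alerts

def net_event(dev_id, dev, acct, proc, cmd, ip, port, url="", ua=""):
    return dict(table="net", device_id=dev_id, device=dev, account=acct, proc=proc, cmd=cmd, ip=ip, port=port, url=url, ua=ua)

# Constructed sample events (documentation IPs and hostnames, not real telemetry).
SAMPLE = [
    net_event("d1", "WS-07", "alice", "curl.exe", "curl.exe http://203.0.113.9:11434/api/generate", "203.0.113.9", 11434),
    net_event("d2", "BUILD-01", "svc-ci", "curl.exe", "curl.exe http://10.20.30.5:11434/api/tags", "10.20.30.5", 11434),
    net_event("d1", "WS-07", "alice", "svc.exe", "svc.exe", "203.0.113.9", 11434, "http://ollama.example.test:11434/api/chat", "Go-http-client/1.1"),
    dict(table="process", device_id="d1", device="WS-07", account="alice", proc="cmd.exe", cmd="cmd.exe /c ollama list", parent_cmd="explorer.exe"),
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

The svc.exe event is caught only by the User-Agent leg because its file name is not in the tool list, and the BUILD-01 event is dropped by the known-good range.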

References