Detection Library
medium · experimental · Linux · AI/ML · OCI · T1048.002
LLM Service Uploading Generated Content To OCI Object Storage
Detects LLM service processes using the OCI CLI to upload response, answer, summary, or report files to object storage. Publishing model-generated content to shared storage may distribute misinformation or attacker-influenced outputs at scale.
Updated Jan 15, 2025 · Detection Engineering Team
llm · misinformation · linux · oci · owasp-llm09
Problem Statement
Uploading model-generated content to object storage can propagate attacker-influenced misinformation to downstream consumers of that storage bucket, multiplying the impact of a single compromised inference.
Sample Logs
{"timestamp":"2025-01-15T18:47:33Z","computer_name":"llm-host-02","user":"llm_svc","image":"/usr/local/bin/oci","command_line":"oci os object put --bucket-name shared-reports --name generated_summary_20250115.txt --file /opt/llm/output/summary.txt","parent_image":"/opt/llm/app/report_publisher.py"}
Required Fields
image
command_line
parent_image
user
computer_name
False Positives
- Approved LLM report generation pipelines that publish outputs to designated OCI buckets
Tuning Guidance
Baseline the approved bucket names and naming conventions for LLM output publishing. Alert on uploads to any bucket outside this approved list.
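The following Python sketch is an added example, not the rule's own logic: it applies the match described above to process events and then the bucket allowlist from the tuning guidance. The allowlist contents, the `/opt/llm/` parent path prefix, the function names and the second and third log lines are assumptions made for illustration.

```python
import json
import re
import shlex

# Assumptions (not from the rule): baseline allowlist and LLM service path.
APPROVED_BUCKETS = {"shared-reports"}
LLM_PARENT_PREFIX = "/opt/llm/"
GENERATED = re.compile(r"response|answer|summary|report", re.IGNORECASE)

def parse_put(command_line):
    """Return the options of an `oci os object put` call, or None."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: cannot be parsed reliably
        return None
    if not any(argv[i:i + 3] == ["os", "object", "put"] for i in range(len(argv))):
        return None
    opts = {}
    for i, tok in enumerate(argv):
        if tok.startswith("-"):
            key, sep, val = tok.partition("=")  # handles --key=value
            if not sep and i + 1 < len(argv):
                val = argv[i + 1]               # handles --key value
            opts[key] = val
    return opts

def evaluate(event):
    """Classify one process event: None (no match), 'approved' or 'alert'."""
    if not (event.get("image", "").endswith("/oci")
            and event.get("parent_image", "").startswith(LLM_PARENT_PREFIX)):
        return None
    opts = parse_put(event.get("command_line", ""))
    target = (opts or {}).get("--name", "") + " " + (opts or {}).get("--file", "")
    if opts is None or not GENERATED.search(target):
        return None
    # -bn is the OCI CLI short alias; a missing bucket name fails closed to 'alert'.
    bucket = opts.get("--bucket-name") or opts.get("-bn")
    return "approved" if bucket in APPROVED_BUCKETS else "alert"

# First line is the page's sample log; the other two are constructed.
SAMPLE_LOGS = [
    '{"timestamp":"2025-01-15T18:47:33Z","computer_name":"llm-host-02","user":"llm_svc","image":"/usr/local/bin/oci","command_line":"oci os object put --bucket-name shared-reports --name generated_summary_20250115.txt --file /opt/llm/output/summary.txt","parent_image":"/opt/llm/app/report_publisher.py"}',
    '{"computer_name":"llm-host-02","user":"llm_svc","image":"/usr/local/bin/oci","command_line":"oci os object put -bn public-share --name answer_0042.txt --file /opt/llm/output/answer.txt","parent_image":"/opt/llm/app/report_publisher.py"}',
    '{"computer_name":"llm-host-02","user":"llm_svc","image":"/usr/local/bin/oci","command_line":"oci os object put --bucket-name model-cache --name weights.bin --file /opt/llm/cache/weights.bin","parent_image":"/opt/llm/app/cache_sync.py"}',
]

def run(lines=SAMPLE_LOGS):
    return [evaluate(json.loads(line)) for line in lines]

if __name__ == "__main__":
    print(run())
```

Matching on both the long option and the short alias keeps the allowlist check from being bypassed by a different spelling of the same command line.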