| ID | Technique | Tactic |
|---|---|---|
| T1552.001 | Credentials In Files | Credential Access |
Detection: MCP Github Suspicious Operation
Description
This detection identifies potentially malicious activity through MCP GitHub server connections, monitoring for secret hunting in code searches, organization and repository reconnaissance, branch protection abuse, CI/CD workflow manipulation, sensitive file access, and vulnerability intelligence gathering. These patterns indicate potential supply chain attacks, credential harvesting, or pre-attack reconnaissance.
Search
1`mcp_server` direction=inbound
2
3| eval dest=host
4
5| eval
6 query_lower=lower('params.query'),
7 file_path_lower=lower('params.path'),
8 search_query='params.query',
9 file_path='params.path',
10 target_owner='params.owner',
11 is_secret_hunting=if(method="search_code" AND (like(query_lower, "%password%") OR like(query_lower, "%api_key%") OR like(query_lower, "%secret%") OR like(query_lower, "%token%") OR like(query_lower, "%aws_%") OR like(query_lower, "%private_key%") OR like(query_lower, "%credential%") OR like(query_lower, "%.env%") OR like(query_lower, "%config%")), 1, 0),
12 is_org_recon=if(method IN ("list_repositories", "get_repository", "get_organization", "list_organization_members", "get_collaborators", "list_forks", "fork_repository"), 1, 0),
13 is_branch_protection_abuse=if(method IN ("update_branch_protection", "delete_branch_protection"), 1, 0),
14 is_workflow_manipulation=if((method IN ("create_or_update_file", "push_files")) AND like(file_path_lower, "%github/workflows%"), 1, 0),
15 is_sensitive_file_access=if((method IN ("create_or_update_file", "push_files", "get_file_contents")) AND (like(file_path_lower, "%dockerfile%") OR like(file_path_lower, "%package.json%") OR like(file_path_lower, "%requirements.txt%") OR like(file_path_lower, "%.env%") OR like(file_path_lower, "%settings.py%") OR like(file_path_lower, "%config%")), 1, 0),
16 is_issue_intel=if(method IN ("list_issues", "search_issues") AND (like(query_lower, "%vulnerability%") OR like(query_lower, "%cve%") OR like(query_lower, "%security%") OR like(query_lower, "%exploit%") OR like(query_lower, "%bug%")), 1, 0)
17
18| where is_secret_hunting=1 OR is_org_recon=1 OR is_branch_protection_abuse=1 OR is_workflow_manipulation=1 OR is_sensitive_file_access=1 OR is_issue_intel=1
19
20| eval attack_type=case(
21 is_secret_hunting=1, "Secret Hunting",
22 is_branch_protection_abuse=1, "Branch Protection Abuse",
23 is_workflow_manipulation=1, "Workflow Manipulation",
24 is_sensitive_file_access=1, "Sensitive File Access",
25 is_issue_intel=1, "Vulnerability Intelligence Gathering",
26 is_org_recon=1, "Organization Reconnaissance",
27 1=1, "Unknown")
28
29| stats count min(_time) as firstTime max(_time) as lastTime values(method) as methods values(search_query) as search_queries values(file_path) as file_paths values(target_owner) as target_owners values(attack_type) as attack_types dc(attack_type) as attack_diversity by dest
30
31| `security_content_ctime(firstTime)`
32
33| `security_content_ctime(lastTime)`
34
35| table dest firstTime lastTime count attack_diversity attack_types methods search_queries file_paths target_owners
36
37| `mcp_github_suspicious_operation_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| MCP Server | Other | 'mcp:jsonrpc' |
'mcp.log' |
Macros Used
| Name | Value |
|---|---|
| mcp_server | (sourcetype="mcp:jsonrpc") |
| mcp_github_suspicious_operation_filter | search * |
mcp_github_suspicious_operation_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | False |
This configuration file applies to all detections of type hunting.
Implementation
Install the MCP Technology Add-on from Splunkbase and ensure MCP GitHub server logging is enabled and forwarding to the right index with proper field extraction for params.query, params.path, and params.owner. Schedule the search to run every 5-15 minutes.
Known False Positives
Legitimate developers searching code for refactoring purposes, security teams conducting authorized secret scanning, DevOps engineers modifying workflow files, and repository administrators managing branch protection settings.
Associated Analytic Story
References
-
https://www.docker.com/blog/mcp-horror-stories-github-prompt-injection/
-
https://www.splunk.com/en_us/blog/security/securing-ai-agents-model-context-protocol.html
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | mcp.log |
mcp:jsonrpc |
| Integration | ✅ Passing | Dataset | mcp.log |
mcp:jsonrpc |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1