| ID | Technique | Tactic |
|---|---|---|
| T1059 | Command and Scripting Interpreter | Execution |
Detection: MCP Prompt Injection
Description
This detection identifies potential prompt injection attempts within MCP (Model Context Protocol) communications by monitoring for known malicious phrases and patterns commonly used to manipulate AI assistants. Prompt injection is a critical vulnerability where adversaries embed hidden instructions in content processed by AI tools, attempting to override system prompts, bypass security controls, or hijack the AI's behavior. The search monitors JSON-RPC traffic for phrases such as "IGNORE PREVIOUS INSTRUCTIONS," "SYSTEM PROMPT OVERRIDE," and "ignore all security" which indicate attempts to subvert the AI's intended behavior and potentially execute unauthorized actions through the MCP toolchain.
Search
1`mcp_server` direction=inbound ( "IGNORE PREVIOUS INSTRUCTIONS" OR "AI_INSTRUCTION" OR "SYSTEM PROMPT OVERRIDE" OR "[SYSTEM]:" OR "ignore all security" OR "New directive" OR "ignore security policies" )
2
3| eval dest=host
4
5| eval injection_payload=coalesce('params.content_preview', 'params.result_preview')
6
7| eval target_path='params.path'
8
9| eval sql_query='params.query'
10
11| stats count min(_time) as firstTime max(_time) as lastTime values(method) as method values(target_path) as target_path values(sql_query) as sql_query values(injection_payload) as injection_payload by dest, source
12
13| `security_content_ctime(firstTime)`
14
15| `security_content_ctime(lastTime)`
16
17| table dest firstTime lastTime count source method target_path sql_query injection_payload
18
19| `mcp_prompt_injection_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| MCP Server | Other | 'mcp:jsonrpc' |
'mcp.log' |
Macros Used
| Name | Value |
|---|---|
| mcp_server | (sourcetype="mcp:jsonrpc") |
| mcp_prompt_injection_filter | search * |
mcp_prompt_injection_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Installation
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This detection requires the MCP Technology Add-on (TA) for Splunk configured to ingest JSON-RPC formatted logs from MCP-enabled AI assistants and agents into the appropiate index with sourcetype mcp:jsonrpc. Ensure the TA parses multivalue fields including params.content_preview, params.result_preview, params.path, and params.query to capture tool inputs and outputs where injection payloads may appear. The macro mcp_prompt_injection_filter should be created to allow environment-specific tuning and whitelisting of known benign patterns.
Known False Positives
Known false positives include security research and testing activities where red teams or developers intentionally test prompt injection defenses, as well as educational content where documentation, tutorials, or training materials discussing prompt injection techniques are legitimately processed by the AI assistant. Additionally, security tool development involving code reviews or development of prompt injection detection mechanisms may contain these patterns, and quoted references in conversations where users discuss or report prompt injection attempts they encountered elsewhere could trigger this detection.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A prompt injection attempt was detected on $dest$ via MCP server. An attacker attempted to override AI instructions using phrases like IGNORE PREVIOUS INSTRUCTIONS or SYSTEM PROMPT OVERRIDE. This technique (AML.T0051) attempts to manipulate the LLM into bypassing security controls or executing unauthorized actions. Payload detected: $injection_payload$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 80 | No Threat Objects |
References
-
https://www.tenable.com/blog/mcp-prompt-injection-not-just-for-evil
-
https://www.splunk.com/en_us/blog/security/securing-ai-agents-model-context-protocol.html
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | mcp.log |
mcp:jsonrpc |
| Integration | ✅ Passing | Dataset | mcp.log |
mcp:jsonrpc |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1