Detection: MCP Sensitive System File Search

Description

This detection identifies MCP filesystem tool usage attempting to search for files containing sensitive patterns such as passwords, credentials, API keys, secrets, and configuration files. Adversaries and malicious insiders may abuse legitimate MCP filesystem capabilities to conduct reconnaissance and discover sensitive data stores for exfiltration or credential harvesting.

Search

 1`mcp_server`
 2(method IN ("read_file", "get_file_contents", "read", "search_files", "find_files", "grep", "search", "list_directory", "read_directory"))
 3(params.path="*.ssh*" OR params.path="*Administrator*" OR params.path="*credentials*" OR params.path="*password*" OR params.path="*.env*" OR params.path="*id_rsa*" OR params.path="*.pem*" OR params.path="*.ppk*" OR params.path="*.key*" OR params.path="*secrets*" OR params.path="*.aws*" OR params.path="*.config*"
 4OR params.pattern="*password*" OR params.pattern="*key*" OR params.pattern="*secret*" OR params.pattern="*credential*" OR params.pattern="*token*" OR params.pattern="*auth*" OR params.pattern="*api_key*" OR params.pattern="*private_key*")
 5
 6| eval dest=host
 7
 8| eval detection_type=case(
 9    method IN ("read_file", "get_file_contents", "read"), "PATH_ACCESS",
10    method IN ("search_files", "find_files", "grep", "search"), "PATTERN_SEARCH",
11    method IN ("list_directory", "read_directory"), "DIRECTORY_ENUM",
12    1=1, "UNKNOWN")
13
14| eval target_path=coalesce('params.path', 'params.directory', 'params.file')
15
16| eval search_pattern=coalesce('params.pattern', 'params.query', 'params.search')
17
18| stats count min(_time) as firstTime max(_time) as lastTime values(detection_type) as detection_types values(target_path) as targeted_paths values(search_pattern) as search_patterns values(method) as methods_used by dest, source
19
20| eval time_span_seconds=lastTime-firstTime
21
22| `security_content_ctime(firstTime)` 
23
24| `security_content_ctime(lastTime)`
25
26| table dest firstTime lastTime count source detection_types methods_used targeted_paths search_patterns time_span_seconds
27
28| `mcp_sensitive_system_file_search_filter`

Data Source

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

This detection requires the MCP Technology Add-on (TA) for Splunk, which ingests logs from MCP-enabled AI coding assistants and agents. Configure the TA to collect events from MCP servers by pointing it to the appropriate log sources (typically JSON-formatted logs from tools like Claude Code, Cursor, or custom MCP implementations). The TA should normalize file search operations into the search_files method with standardized parameter extraction.

Known False Positives

Known false positives include legitimate development activities where developers search for configuration files, environment variables, or authentication modules as part of normal coding tasks, as well as security audits involving authorized security reviews or code scanning tools searching for hardcoded secrets. Additionally, documentation lookups for example config files or authentication documentation may trigger this detection, along with refactoring tasks where developers rename or consolidate credential management code across a codebase, and onboarding activities where new developers explore unfamiliar codebases to understand authentication flows.

Associated Analytic Story

• Suspicious MCP Activities

References

• https://splunkbase.splunk.com/app/8377

• https://www.splunk.com/en_us/blog/security/securing-ai-agents-model-context-protocol.html

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1