| ID | Technique | Tactic |
|---|---|---|
| T1059 | Command and Scripting Interpreter | Execution |
Detection: MCP Filesystem Server Suspicious Extension Write
Description
This detection identifies attempts to create executable or script files through MCP filesystem server connections. Threat actors leveraging LLM-based tools may attempt to write malicious executables, scripts, or batch files to disk for persistence or code execution. The detection prioritizes files written to system directories or startup locations which indicate higher likelihood of malicious intent.
Search
1`mcp_server` method IN ("write_file", "create_file") direction=inbound
2
3| spath output=file_path path=params.path
4
5| spath output=file_content path=params.content
6
7| eval dest=host
8
9| eval file_extension=lower(mvindex(split(file_path, "."), -1))
10
11| where file_extension IN (
12 "exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr", "msi", "hta", "wsf", "wsh", "pif", "com", "cpl",
13 "sh", "bash", "zsh", "ksh", "csh", "tcsh", "fish",
14 "py", "pl", "rb", "php", "lua", "awk",
15 "so", "dylib", "bin", "elf", "run", "AppImage",
16 "deb", "rpm", "pkg", "dmg",
17 "plist", "service", "timer", "socket", "conf"
18 )
19
20| eval
21 file_path_lower=lower(file_path),
22 is_system_path = if(match(file_path_lower, "(windows
23|system32
24|syswow64
25|program files
26|/usr
27|/bin
28|/sbin
29|/lib
30|/lib64
31|/etc
32|/opt)"), 1, 0),
33 is_startup_path = if(match(file_path_lower, "(startup
34|autorun
35|cron\.d
36|crontab
37|launchd
38|launchagents
39|launchdaemons
40|systemd
41|init\.d
42|rc\.d
43|rc\.local
44|profile\.d
45|bashrc
46|zshrc
47|bash_profile)"), 1, 0),
48 is_hidden_unix = if(match(file_path, "/\.[^/]+$"), 1, 0),
49 content_length=len(file_content)
50
51| stats count min(_time) as firstTime max(_time) as lastTime values(file_path) as file_paths values(file_extension) as extensions max(is_system_path) as targets_system_path max(is_startup_path) as targets_startup_path max(is_hidden_unix) as targets_hidden_file avg(content_length) as avg_content_size by dest, method
52
53| eval
54 targets_system_path=if(isnull(targets_system_path), 0, targets_system_path),
55 targets_startup_path=if(isnull(targets_startup_path), 0, targets_startup_path),
56 targets_hidden_file=if(isnull(targets_hidden_file), 0, targets_hidden_file)
57
58| sort - targets_startup_path, - targets_system_path, - targets_hidden_file, - count
59
60| `security_content_ctime(firstTime)`
61
62| `security_content_ctime(lastTime)`
63
64| table dest firstTime lastTime count method extensions file_paths targets_system_path targets_startup_path targets_hidden_file avg_content_size
65
66| `mcp_filesystem_server_suspicious_extension_write_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| MCP Server | Other | 'mcp:jsonrpc' |
'mcp.log' |
Macros Used
| Name | Value |
|---|---|
| mcp_server | (sourcetype="mcp:jsonrpc") |
| mcp_filesystem_server_suspicious_extension_write_filter | search * |
mcp_filesystem_server_suspicious_extension_write_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Installation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | False |
This configuration file applies to all detections of type hunting.
Implementation
Install the MCP Technology Add-on from Splunkbase and ensure MCP filesystem server logging is enabled with proper field extraction for params.path and params.content. Schedule the search to run every 5-15 minutes and tune alerting based on whether system or startup paths are targeted.
Known False Positives
Legitimate developers using LLM assistants to generate scripts or automation tools, DevOps engineers creating deployment scripts, and system administrators generating batch files for maintenance tasks.
Associated Analytic Story
References
-
https://cymulate.com/blog/cve-2025-53109-53110-escaperoute-anthropic/
-
https://www.splunk.com/en_us/blog/security/securing-ai-agents-model-context-protocol.html
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | mcp.log |
mcp:jsonrpc |
| Integration | ✅ Passing | Dataset | mcp.log |
mcp:jsonrpc |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1