EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

MCP Github Suspicious Operation

This detection identifies potentially malicious activity through MCP GitHub server connections, monitoring for secret hunting in code searches, organization and repository reconnaissance, branch protection abuse, CI/CD workflow manipulation, sensitive file access, and vulnerability intelligence gathering. These patterns indicate potential supply chain attacks, credential harvesting, or pre-attack reconnaissance.

MITRE ATT&CK

T1552.001

Detection Query

`mcp_server` direction=inbound
| eval dest=host
| eval
    query_lower=lower('params.query'),
    file_path_lower=lower('params.path'),
    search_query='params.query',
    file_path='params.path',
    target_owner='params.owner',
    is_secret_hunting=if(method="search_code" AND (like(query_lower, "%password%") OR like(query_lower, "%api_key%") OR like(query_lower, "%secret%") OR like(query_lower, "%token%") OR like(query_lower, "%aws_%") OR like(query_lower, "%private_key%") OR like(query_lower, "%credential%") OR like(query_lower, "%.env%") OR like(query_lower, "%config%")), 1, 0),
    is_org_recon=if(method IN ("list_repositories", "get_repository", "get_organization", "list_organization_members", "get_collaborators", "list_forks", "fork_repository"), 1, 0),
    is_branch_protection_abuse=if(method IN ("update_branch_protection", "delete_branch_protection"), 1, 0),
    is_workflow_manipulation=if((method IN ("create_or_update_file", "push_files")) AND like(file_path_lower, "%github/workflows%"), 1, 0),
    is_sensitive_file_access=if((method IN ("create_or_update_file", "push_files", "get_file_contents")) AND (like(file_path_lower, "%dockerfile%") OR like(file_path_lower, "%package.json%") OR like(file_path_lower, "%requirements.txt%") OR like(file_path_lower, "%.env%") OR like(file_path_lower, "%settings.py%") OR like(file_path_lower, "%config%")), 1, 0),
    is_issue_intel=if(method IN ("list_issues", "search_issues") AND (like(query_lower, "%vulnerability%") OR like(query_lower, "%cve%") OR like(query_lower, "%security%") OR like(query_lower, "%exploit%") OR like(query_lower, "%bug%")), 1, 0)
| where is_secret_hunting=1 OR is_org_recon=1 OR is_branch_protection_abuse=1 OR is_workflow_manipulation=1 OR is_sensitive_file_access=1 OR is_issue_intel=1
| eval attack_type=case(
    is_secret_hunting=1, "Secret Hunting",
    is_branch_protection_abuse=1, "Branch Protection Abuse",
    is_workflow_manipulation=1, "Workflow Manipulation",
    is_sensitive_file_access=1, "Sensitive File Access",
    is_issue_intel=1, "Vulnerability Intelligence Gathering",
    is_org_recon=1, "Organization Reconnaissance",
    1=1, "Unknown")
| stats count min(_time) as firstTime max(_time) as lastTime values(method) as methods values(search_query) as search_queries values(file_path) as file_paths values(target_owner) as target_owners values(attack_type) as attack_types dc(attack_type) as attack_diversity by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table dest firstTime lastTime count attack_diversity attack_types methods search_queries file_paths target_owners
| `mcp_github_suspicious_operation_filter`

Author

Rod Soto

Created

2026-02-25

Data Sources

MCP Server

References

Tags

Suspicious MCP Activities
Raw Content
name: MCP Github Suspicious Operation
id: 3348aefd-9ed8-451f-9993-1e9fa04b5530
version: 2
date: '2026-02-25'
author: Rod Soto
status: production
type: Hunting
description: This detection identifies potentially malicious activity through MCP GitHub server connections, monitoring for secret hunting in code searches, organization and repository reconnaissance, branch protection abuse, CI/CD workflow manipulation, sensitive file access, and vulnerability intelligence gathering. These patterns indicate potential supply chain attacks, credential harvesting, or pre-attack reconnaissance.
data_source:
    - MCP Server
search: |
    `mcp_server` direction=inbound
    | eval dest=host
    | eval
        query_lower=lower('params.query'),
        file_path_lower=lower('params.path'),
        search_query='params.query',
        file_path='params.path',
        target_owner='params.owner',
        is_secret_hunting=if(method="search_code" AND (like(query_lower, "%password%") OR like(query_lower, "%api_key%") OR like(query_lower, "%secret%") OR like(query_lower, "%token%") OR like(query_lower, "%aws_%") OR like(query_lower, "%private_key%") OR like(query_lower, "%credential%") OR like(query_lower, "%.env%") OR like(query_lower, "%config%")), 1, 0),
        is_org_recon=if(method IN ("list_repositories", "get_repository", "get_organization", "list_organization_members", "get_collaborators", "list_forks", "fork_repository"), 1, 0),
        is_branch_protection_abuse=if(method IN ("update_branch_protection", "delete_branch_protection"), 1, 0),
        is_workflow_manipulation=if((method IN ("create_or_update_file", "push_files")) AND like(file_path_lower, "%github/workflows%"), 1, 0),
        is_sensitive_file_access=if((method IN ("create_or_update_file", "push_files", "get_file_contents")) AND (like(file_path_lower, "%dockerfile%") OR like(file_path_lower, "%package.json%") OR like(file_path_lower, "%requirements.txt%") OR like(file_path_lower, "%.env%") OR like(file_path_lower, "%settings.py%") OR like(file_path_lower, "%config%")), 1, 0),
        is_issue_intel=if(method IN ("list_issues", "search_issues") AND (like(query_lower, "%vulnerability%") OR like(query_lower, "%cve%") OR like(query_lower, "%security%") OR like(query_lower, "%exploit%") OR like(query_lower, "%bug%")), 1, 0)
    | where is_secret_hunting=1 OR is_org_recon=1 OR is_branch_protection_abuse=1 OR is_workflow_manipulation=1 OR is_sensitive_file_access=1 OR is_issue_intel=1
    | eval attack_type=case(
        is_secret_hunting=1, "Secret Hunting",
        is_branch_protection_abuse=1, "Branch Protection Abuse",
        is_workflow_manipulation=1, "Workflow Manipulation",
        is_sensitive_file_access=1, "Sensitive File Access",
        is_issue_intel=1, "Vulnerability Intelligence Gathering",
        is_org_recon=1, "Organization Reconnaissance",
        1=1, "Unknown")
    | stats count min(_time) as firstTime max(_time) as lastTime values(method) as methods values(search_query) as search_queries values(file_path) as file_paths values(target_owner) as target_owners values(attack_type) as attack_types dc(attack_type) as attack_diversity by dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | table dest firstTime lastTime count attack_diversity attack_types methods search_queries file_paths target_owners
    | `mcp_github_suspicious_operation_filter`
how_to_implement: Install the MCP Technology Add-on from Splunkbase and ensure MCP GitHub server logging is enabled and forwarding to the right index with proper field extraction for params.query, params.path, and params.owner. Schedule the search to run every 5-15 minutes.
known_false_positives: Legitimate developers searching code for refactoring purposes, security teams conducting authorized secret scanning, DevOps engineers modifying workflow files, and repository administrators managing branch protection settings.
references:
    - https://splunkbase.splunk.com/app/8377
    - https://www.docker.com/blog/mcp-horror-stories-github-prompt-injection/
    - https://www.splunk.com/en_us/blog/security/securing-ai-agents-model-context-protocol.html
tags:
    analytic_story:
        - Suspicious MCP Activities
    asset_type: Web Application
    mitre_attack_id:
        - T1552.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/mcp/mcp.log
          sourcetype: mcp:jsonrpc
          source: mcp.log