legitimate developers using llm assistants to generate scripts or automation tools, devops engineers creating deployment scripts, and system administrators generating batch files for maintenance tasks.

Techniques

T1059

Sample rules

MCP Filesystem Server Suspicious Extension Write

source: splunk
technicques:
- T1059

Description

This detection identifies attempts to create executable or script files through MCP filesystem server connections. Threat actors leveraging LLM-based tools may attempt to write malicious executables, scripts, or batch files to disk for persistence or code execution. The detection prioritizes files written to system directories or startup locations which indicate higher likelihood of malicious intent.

Detection logic

`mcp_server` method IN ("write_file", "create_file") direction=inbound

| spath output=file_path path=params.path

| spath output=file_content path=params.content

| eval dest=host

| eval file_extension=lower(mvindex(split(file_path, "."), -1))

| where file_extension IN (
    "exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr", "msi", "hta", "wsf", "wsh", "pif", "com", "cpl",
    "sh", "bash", "zsh", "ksh", "csh", "tcsh", "fish",
    "py", "pl", "rb", "php", "lua", "awk",
    "so", "dylib", "bin", "elf", "run", "AppImage",
    "deb", "rpm", "pkg", "dmg",
    "plist", "service", "timer", "socket", "conf"
    )

| eval
    file_path_lower=lower(file_path),
    is_system_path = if(match(file_path_lower, "(windows
|system32
|syswow64
|program files
|/usr
|/bin
|/sbin
|/lib
|/lib64
|/etc
|/opt)"), 1, 0),
    is_startup_path = if(match(file_path_lower, "(startup
|autorun
|cron\.d
|crontab
|launchd
|launchagents
|launchdaemons
|systemd
|init\.d
|rc\.d
|rc\.local
|profile\.d
|bashrc
|zshrc
|bash_profile)"), 1, 0),
    is_hidden_unix = if(match(file_path, "/\.[^/]+$"), 1, 0),
    content_length=len(file_content)

| stats count min(_time) as firstTime max(_time) as lastTime values(file_path) as file_paths values(file_extension) as extensions max(is_system_path) as targets_system_path max(is_startup_path) as targets_startup_path max(is_hidden_unix) as targets_hidden_file avg(content_length) as avg_content_size by dest, method

| eval
    targets_system_path=if(isnull(targets_system_path), 0, targets_system_path),
    targets_startup_path=if(isnull(targets_startup_path), 0, targets_startup_path),
    targets_hidden_file=if(isnull(targets_hidden_file), 0, targets_hidden_file)

| sort - targets_startup_path, - targets_system_path, - targets_hidden_file, - count

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table dest firstTime lastTime count method extensions file_paths targets_system_path targets_startup_path targets_hidden_file avg_content_size

| `mcp_filesystem_server_suspicious_extension_write_filter`