Deployable detection rules
4 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
MCP Github Suspicious Operation
This detection identifies potentially malicious activity through MCP GitHub server connections by classifying inbound tool calls into six patterns: secret hunting in code searches, organization and repository reconnaissance, branch protection abuse, CI/CD workflow manipulation (writes under .github/workflows), sensitive file access, and vulnerability intelligence gathering in issue searches. These patterns indicate potential supply chain attacks, credential harvesting, or pre-attack reconnaissance. Each event receives a single attack_type, the first matching branch of the case() statement (so a workflow write that also touches a config file is reported as Workflow Manipulation), and results are rolled up per host, with attack_diversity counting how many distinct patterns that host triggered. Expect the broad "config" term, which appears in both the search-query and file-path checks, to match routine developer activity; tune it through the mcp_github_suspicious_operation_filter macro before enabling the rule.
`mcp_server` direction=inbound
| eval dest=host
| eval
query_lower=lower('params.query'),
file_path_lower=lower('params.path'),
search_query='params.query',
file_path='params.path',
target_owner='params.owner',
is_secret_hunting=if(method="search_code" AND (like(query_lower, "%password%") OR like(query_lower, "%api_key%") OR like(query_lower, "%secret%") OR like(query_lower, "%token%") OR like(query_lower, "%aws_%") OR like(query_lower, "%private_key%") OR like(query_lower, "%credential%") OR like(query_lower, "%.env%") OR like(query_lower, "%config%")), 1, 0),
is_org_recon=if(method IN ("list_repositories", "get_repository", "get_organization", "list_organization_members", "get_collaborators", "list_forks", "fork_repository"), 1, 0),
is_branch_protection_abuse=if(method IN ("update_branch_protection", "delete_branch_protection"), 1, 0),
is_workflow_manipulation=if((method IN ("create_or_update_file", "push_files")) AND like(file_path_lower, "%github/workflows%"), 1, 0),
is_sensitive_file_access=if((method IN ("create_or_update_file", "push_files", "get_file_contents")) AND (like(file_path_lower, "%dockerfile%") OR like(file_path_lower, "%package.json%") OR like(file_path_lower, "%requirements.txt%") OR like(file_path_lower, "%.env%") OR like(file_path_lower, "%settings.py%") OR like(file_path_lower, "%config%")), 1, 0),
is_issue_intel=if(method IN ("list_issues", "search_issues") AND (like(query_lower, "%vulnerability%") OR like(query_lower, "%cve%") OR like(query_lower, "%security%") OR like(query_lower, "%exploit%") OR like(query_lower, "%bug%")), 1, 0)
| where is_secret_hunting=1 OR is_org_recon=1 OR is_branch_protection_abuse=1 OR is_workflow_manipulation=1 OR is_sensitive_file_access=1 OR is_issue_intel=1
| eval attack_type=case(
is_secret_hunting=1, "Secret Hunting",
is_branch_protection_abuse=1, "Branch Protection Abuse",
is_workflow_manipulation=1, "Workflow Manipulation",
is_sensitive_file_access=1, "Sensitive File Access",
is_issue_intel=1, "Vulnerability Intelligence Gathering",
is_org_recon=1, "Organization Reconnaissance",
1=1, "Unknown")
| stats count min(_time) as firstTime max(_time) as lastTime values(method) as methods values(search_query) as search_queries values(file_path) as file_paths values(target_owner) as target_owners values(attack_type) as attack_types dc(attack_type) as attack_diversity by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table dest firstTime lastTime count attack_diversity attack_types methods search_queries file_paths target_owners
| `mcp_github_suspicious_operation_filter`
MCP Sensitive System File Search
This detection identifies MCP filesystem tool usage that reads, searches, or enumerates locations with sensitive names (SSH keys, .env files, credential stores, AWS profiles, configuration files) or that searches for patterns such as passwords, keys, secrets, and tokens. Adversaries and malicious insiders may abuse legitimate MCP filesystem capabilities to conduct reconnaissance and discover sensitive data stores for exfiltration or credential harvesting. Each hit is labelled PATH_ACCESS, PATTERN_SEARCH, or DIRECTORY_ENUM from the method name, and results are rolled up per host and source together with the time span between the first and last call. Note that the initial filter tests only params.path and params.pattern; the later coalesce over params.directory, params.file, params.query, and params.search changes only the reported columns, so a server whose tools name their argument file or directory is never selected unless those fields are added to the filter as well.
`mcp_server`
(method IN ("read_file", "get_file_contents", "read", "search_files", "find_files", "grep", "search", "list_directory", "read_directory"))
(params.path="*.ssh*" OR params.path="*Administrator*" OR params.path="*credentials*" OR params.path="*password*" OR params.path="*.env*" OR params.path="*id_rsa*" OR params.path="*.pem*" OR params.path="*.ppk*" OR params.path="*.key*" OR params.path="*secrets*" OR params.path="*.aws*" OR params.path="*.config*"
OR params.pattern="*password*" OR params.pattern="*key*" OR params.pattern="*secret*" OR params.pattern="*credential*" OR params.pattern="*token*" OR params.pattern="*auth*" OR params.pattern="*api_key*" OR params.pattern="*private_key*")
| eval dest=host
| eval detection_type=case(
method IN ("read_file", "get_file_contents", "read"), "PATH_ACCESS",
method IN ("search_files", "find_files", "grep", "search"), "PATTERN_SEARCH",
method IN ("list_directory", "read_directory"), "DIRECTORY_ENUM",
1=1, "UNKNOWN")
| eval target_path=coalesce('params.path', 'params.directory', 'params.file')
| eval search_pattern=coalesce('params.pattern', 'params.query', 'params.search')
| stats count min(_time) as firstTime max(_time) as lastTime values(detection_type) as detection_types values(target_path) as targeted_paths values(search_pattern) as search_patterns values(method) as methods_used by dest, source
| eval time_span_seconds=lastTime-firstTime
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table dest firstTime lastTime count source detection_types methods_used targeted_paths search_patterns time_span_seconds
| `mcp_sensitive_system_file_search_filter`
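The two MCP rules above are written in SPL, which is awkward to unit-test before the data source exists. The following Python is an added example, not part of the original page or of the Splunk content, that re-implements both rules' classification logic over a handful of constructed MCP events so the branch order of the GitHub rule's case() and the filter-versus-coalesce gap in the filesystem rule can be observed directly. The event shape, host names, and the "fs on coalesced fields" variant are assumptions for illustration; the term lists and method lists are copied from the queries.

```python
import fnmatch
from collections import defaultdict

# Constructed MCP server events (sample data, not real telemetry), shaped the
# way the `mcp_server` macro would surface tool calls; Splunk's dotted fields
# (params.query, params.path, ...) are nested under "params" here.
MCP_EVENTS = [
    {"_time": 100, "host": "dev-box-1", "direction": "inbound", "method": "search_code",
     "params": {"query": "AWS_SECRET_ACCESS_KEY filename:.env"}},
    {"_time": 160, "host": "dev-box-1", "direction": "inbound", "method": "list_organization_members",
     "params": {"owner": "acme-corp"}},
    {"_time": 200, "host": "dev-box-1", "direction": "inbound", "method": "push_files",
     "params": {"path": ".github/workflows/release.yml", "owner": "acme-corp"}},
    {"_time": 250, "host": "dev-box-2", "direction": "inbound", "method": "get_file_contents",
     "params": {"path": "README.md", "owner": "acme-corp"}},
    {"_time": 300, "host": "dev-box-2", "direction": "inbound", "method": "search_files",
     "params": {"pattern": "password", "directory": "/home"}},
    {"_time": 330, "host": "dev-box-2", "direction": "inbound", "method": "read_file",
     "params": {"file": "/home/alice/.aws/credentials"}},  # argument named "file", not "path"
]

# --- MCP Github Suspicious Operation: like() terms and method lists from the SPL ---
SECRET_TERMS = ("password", "api_key", "secret", "token", "aws_", "private_key",
                "credential", ".env", "config")
SENSITIVE_FILES = ("dockerfile", "package.json", "requirements.txt", ".env", "settings.py", "config")
ISSUE_TERMS = ("vulnerability", "cve", "security", "exploit", "bug")
ORG_RECON = {"list_repositories", "get_repository", "get_organization", "list_organization_members",
             "get_collaborators", "list_forks", "fork_repository"}
WRITE_METHODS = {"create_or_update_file", "push_files"}


def github_attack_type(ev):
    """attack_type the GitHub rule assigns to one event, or None if the event would
    not pass its where clause. Branch order mirrors the SPL case(): first match wins."""
    if ev.get("direction") != "inbound":
        return None
    m, p = ev["method"], ev.get("params", {})
    q, path = p.get("query", "").lower(), p.get("path", "").lower()
    if m == "search_code" and any(t in q for t in SECRET_TERMS):
        return "Secret Hunting"
    if m in ("update_branch_protection", "delete_branch_protection"):
        return "Branch Protection Abuse"
    if m in WRITE_METHODS and "github/workflows" in path:
        return "Workflow Manipulation"
    if m in WRITE_METHODS | {"get_file_contents"} and any(t in path for t in SENSITIVE_FILES):
        return "Sensitive File Access"
    if m in ("list_issues", "search_issues") and any(t in q for t in ISSUE_TERMS):
        return "Vulnerability Intelligence Gathering"
    if m in ORG_RECON:
        return "Organization Reconnaissance"
    return None


# --- MCP Sensitive System File Search: wildcard lists from the SPL filter ---
FS_PATH_GLOBS = ("*.ssh*", "*Administrator*", "*credentials*", "*password*", "*.env*", "*id_rsa*",
                 "*.pem*", "*.ppk*", "*.key*", "*secrets*", "*.aws*", "*.config*")
FS_PATTERN_GLOBS = ("*password*", "*key*", "*secret*", "*credential*", "*token*", "*auth*",
                    "*api_key*", "*private_key*")
READ_METHODS = {"read_file", "get_file_contents", "read"}
SEARCH_METHODS = {"search_files", "find_files", "grep", "search"}
DIR_METHODS = {"list_directory", "read_directory"}


def _glob_any(value, globs):
    # Splunk "*x*" wildcards are shell globs; lower-casing both sides reproduces the
    # search command's case-insensitive field matching on any platform.
    return any(fnmatch.fnmatchcase(value.lower(), g.lower()) for g in globs)


def fs_detection_type(ev, filter_on_coalesced=False):
    """detection_type the filesystem rule assigns, or None. As written, the SPL filter
    tests only params.path and params.pattern; coalesce() over directory/file and
    query/search runs afterwards and only changes the reported columns.
    filter_on_coalesced=True (an assumed fix) matches on the coalesced fields instead."""
    m, p = ev["method"], ev.get("params", {})
    if m in READ_METHODS:
        kind = "PATH_ACCESS"
    elif m in SEARCH_METHODS:
        kind = "PATTERN_SEARCH"
    elif m in DIR_METHODS:
        kind = "DIRECTORY_ENUM"
    else:
        return None
    if filter_on_coalesced:
        path = p.get("path") or p.get("directory") or p.get("file") or ""
        pattern = p.get("pattern") or p.get("query") or p.get("search") or ""
    else:
        path, pattern = p.get("path", ""), p.get("pattern", "")
    return kind if _glob_any(path, FS_PATH_GLOBS) or _glob_any(pattern, FS_PATTERN_GLOBS) else None


def summarize(events, classify):
    """Per-host rollup equivalent to `stats count min(_time) max(_time) values(...) by dest`."""
    out = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                               "types": set(), "methods": set()})
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        s = out[ev["host"]]
        s["count"] += 1
        s["firstTime"] = ev["_time"] if s["firstTime"] is None else min(s["firstTime"], ev["_time"])
        s["lastTime"] = ev["_time"] if s["lastTime"] is None else max(s["lastTime"], ev["_time"])
        s["types"].add(label)
        s["methods"].add(ev["method"])
    return dict(out)


if __name__ == "__main__":
    print("github:", summarize(MCP_EVENTS, github_attack_type))
    print("fs as written:", summarize(MCP_EVENTS, fs_detection_type))
    print("fs on coalesced fields:", summarize(MCP_EVENTS, lambda e: fs_detection_type(e, True)))
```

Run as written, dev-box-1 triggers three distinct GitHub patterns (attack_diversity 3) while dev-box-2 triggers none, and the filesystem rule as written flags only the search_files call on dev-box-2; the read_file call whose argument is named file is only caught once the wildcards are applied to the coalesced fields, which is the change to make in the SPL filter if your MCP filesystem server uses that argument name.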
Windows Unusual FileZilla XML Config Access
The following analytic identifies processes other than FileZilla itself (and OneDrive) accessing FileZilla's XML configuration files recentservers.xml and sitemanager.xml, which hold the client's saved hosts and site credentials. It leverages Windows Security Event logs, specifically EventCode 4663 (object access). Because 4663 is generated only when the Audit File System subcategory is enabled and a SACL exists on the files, confirm that auditing is configured for the FileZilla profile directory before relying on this rule. The exclusion is an exact full-path match, so a renamed or relocated copy of filezilla.exe still fires. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.
`wineventlog_security` EventCode=4663 NOT (ProcessName IN("C:\\Program Files\\FileZilla FTP Client\\filezilla.exe", "C:\\Program Files (x86)\\FileZilla FTP Client\\filezilla.exe", "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe")) file_path IN ("*FileZilla\\recentservers.xml*", "*FileZilla\\sitemanager.xml*") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unusual_filezilla_xml_config_access_filter`
Windows Unusual Intelliform Storage Registry Access
The following analytic identifies processes other than Internet Explorer and dllhost.exe accessing the IntelliForms Storage2 registry key, which Internet Explorer uses to store saved form data and website credentials. It leverages Windows Security Event logs, specifically EventCode 4663 (object access). As with file objects, 4663 for registry keys is generated only when the Audit Registry subcategory is enabled and a SACL is set on the key, so confirm auditing of the Storage2 key before relying on this rule. This activity is significant because it can indicate unauthorized reading or manipulation of stored browser credentials. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.
`wineventlog_security` EventCode=4663 NOT (ProcessName IN("C:\\Program Files\\Internet Explorer\\iexplore.exe", "C:\\Windows\\System32\\dllhost.exe", "C:\\Windows\\SysWow64\\dllhost.exe")) ObjectName IN ("*Software\\microsoft\\Internet Explorer\\Intelliforms\\storage2*") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unusual_intelliform_storage_registry_access_filter`
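Both 4663 rules share one shape: a watched object, and an allowlist of full process paths that are expected to touch it. The Python below is an added example, not part of the page or of the Splunk content, that applies that shape to a few constructed 4663 events for the FileZilla files and the IntelliForms key. It is meant to show two properties of the SPL: field values compare case-insensitively (the registry path in the event differs in case from the rule's wildcard), and the exclusion is an exact full-path match, so a same-named filezilla.exe in a user-writable directory still fires. The rule labels, host and user names, and the use of ObjectName for the FileZilla file path (the SPL matches on file_path, assumed to carry the same value) are assumptions for illustration.

```python
import fnmatch
from collections import defaultdict

# Watched-object wildcards and process allowlists copied from the two rules.
# Rule labels are illustrative, not the rules' names in Splunk content.
RULES = {
    "FileZilla XML config access": {
        "objects": (r"*FileZilla\recentservers.xml*", r"*FileZilla\sitemanager.xml*"),
        "allowed": {r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
                    r"C:\Program Files (x86)\FileZilla FTP Client\filezilla.exe",
                    r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
                    r"C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe"},
    },
    "IntelliForms Storage2 registry access": {
        "objects": (r"*Software\microsoft\Internet Explorer\Intelliforms\storage2*",),
        "allowed": {r"C:\Program Files\Internet Explorer\iexplore.exe",
                    r"C:\Windows\System32\dllhost.exe",
                    r"C:\Windows\SysWow64\dllhost.exe"},
    },
}

# Constructed 4663 events (sample data, not real logs); field names follow the
# Splunk Windows security extraction the rules use. ObjectName stands in for
# file_path in the FileZilla case (assumed equivalent for file objects).
_FZ_SITES = r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml"
_FZ_RECENT = r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml"
_IE_KEY = r"\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2"
_BASE = {"Computer": "WS01", "Caller_User_Name": "alice", "AccessMask": "0x1"}
EVENTS = [
    dict(_BASE, EventCode=4663, ObjectType="File", ObjectName=_FZ_SITES,
         ProcessName=r"C:\Program Files\FileZilla FTP Client\filezilla.exe"),   # legitimate client
    dict(_BASE, EventCode=4663, ObjectType="File", ObjectName=_FZ_SITES,
         ProcessName=r"C:\Users\alice\Downloads\filezilla.exe"),               # same name, wrong path
    dict(_BASE, EventCode=4663, ObjectType="File", ObjectName=_FZ_RECENT,
         ProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    dict(_BASE, EventCode=4663, ObjectType="Key", ObjectName=_IE_KEY,
         ProcessName=r"C:\Program Files\Internet Explorer\iexplore.exe"),      # allowlisted
    dict(_BASE, EventCode=4663, ObjectType="Key", ObjectName=_IE_KEY,
         ProcessName=r"C:\Windows\Temp\unknown.exe"),
    dict(_BASE, EventCode=4656, ObjectType="File", ObjectName=_FZ_RECENT,
         ProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # handle request, not 4663
]


def match_rule(ev, rule):
    """True when ev is a 4663 on one of the rule's objects from a process that is
    not on its allowlist. Both sides are lower-cased to mirror the search
    command's case-insensitive field matching; the allowlist is an exact
    full-path comparison, so a same-named binary elsewhere still matches."""
    if ev.get("EventCode") != 4663:
        return False
    obj = ev.get("ObjectName", "").lower()
    if not any(fnmatch.fnmatchcase(obj, g.lower()) for g in rule["objects"]):
        return False
    allowed = {p.lower() for p in rule["allowed"]}
    return ev.get("ProcessName", "").lower() not in allowed


def evaluate(events):
    """Rollup equivalent to `stats count ... by ObjectName ... ProcessName ...
    Computer Caller_User_Name`, keyed by (rule, dest, user, process_name)."""
    hits = defaultdict(int)
    for ev in events:
        for name, rule in RULES.items():
            if match_rule(ev, rule):
                hits[(name, ev["Computer"], ev["Caller_User_Name"], ev["ProcessName"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for key, count in evaluate(EVENTS).items():
        print(count, key)
```

Three rows come out: the relocated filezilla.exe and powershell.exe against the FileZilla files, and unknown.exe against the Storage2 key; the allowlisted binaries and the 4656 handle-request event produce nothing. Keep in mind that none of these rows exist at all unless the matching audit subcategory is on and a SACL covers the object, which is the first thing to verify when either rule stays silent.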