Splunk

MCP Filesystem Server Suspicious Extension Write

Last updated 2 days ago on 2026-07-17

About

This detection identifies attempts to create executable or script files through MCP filesystem server connections. Threat actors leveraging LLM-based tools may attempt to write malicious executables, scripts, or batch files to disk for persistence or code execution. The detection prioritizes files written to system directories or startup locations which indicate higher likelihood of malicious intent.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://splunkbase.splunk.com/app/8377(external, opens in a new tab or window)https://cymulate.com/blog/cve-2025-53109-53110-escaperoute-anthropic/(external, opens in a new tab or window)https://www.splunk.com/en_us/blog/security/securing-ai-agents-model-context-protocol.html(external, opens in a new tab or window)
False Positives
Legitimate developers using LLM assistants to generate scripts or automation tools, DevOps engineers creating deployment scripts, and system administrators generating batch files for maintenance tasks.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`mcp_server` method IN ("write_file", "create_file") direction=inbound | spath output=file_path path=params.path | spath output=file_content path=params.content | eval dest=host | eval file_extension=lower(mvindex(split(file_path, "."), -1)) | where file_extension IN ( "exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr", "msi", "hta", "wsf", "wsh", "pif", "com", "cpl", "sh", "bash", "zsh", "ksh", "csh", "tcsh", "fish", "py", "pl", "rb", "php", "lua", "awk", "so", "dylib", "bin", "elf", "run", "AppImage", "deb", "rpm", "pkg", "dmg", "plist", "service", "timer", "socket", "conf" ) | eval file_path_lower=lower(file_path), is_system_path = if(match(file_path_lower, "(windows|system32|syswow64|program files|/usr|/bin|/sbin|/lib|/lib64|/etc|/opt)"), 1, 0), is_startup_path = if(match(file_path_lower, "(startup|autorun|cron\.d|crontab|launchd|launchagents|launchdaemons|systemd|init\.d|rc\.d|rc\.local|profile\.d|bashrc|zshrc|bash_profile)"), 1, 0), is_hidden_unix = if(match(file_path, "/\.[^/]+$"), 1, 0), content_length=len(file_content) | stats count min(_time) as firstTime max(_time) as lastTime values(file_path) as file_paths values(file_extension) as extensions max(is_system_path) as targets_system_path max(is_startup_path) as targets_startup_path max(is_hidden_unix) as targets_hidden_file avg(content_length) as avg_content_size by dest, method | eval targets_system_path=if(isnull(targets_system_path), 0, targets_system_path), targets_startup_path=if(isnull(targets_startup_path), 0, targets_startup_path), targets_hidden_file=if(isnull(targets_hidden_file), 0, targets_hidden_file) | sort - targets_startup_path, - targets_system_path, - targets_hidden_file, - count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table dest firstTime lastTime count method extensions file_paths targets_system_path targets_startup_path targets_hidden_file avg_content_size | `mcp_filesystem_server_suspicious_extension_write_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).