j-dahl7/mcp-attack-detection-sentinel

GitHub: j-dahl7/mcp-attack-detection-sentinel

An MCP attack-chain detection lab for Microsoft Sentinel, covering AI-agent security threats such as SSRF token theft, tool poisoning, and cross-server data exfiltration.

Stars: 0 | Forks: 0

# MCP Attack Detection — Sentinel Lab

Sentinel detection lab for **MCP (Model Context Protocol)** attack chains: SSRF token theft ([CVE-2026-26118](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26118)), tool poisoning, cross-server data exfiltration, and identity post-exploitation. Detections are mapped to the [OWASP Top 10 for Agentic Applications (2026)](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/).

**Blog post:** [Detecting MCP Attack Chains with Microsoft Sentinel](https://nineliveszerotrust.com/blog/mcp-attack-detection-sentinel/)

## What gets deployed

| Resource | Type | OWASP Agentic |
|----------|------|---------------|
| LAB - MCP Server SSRF Token Theft (CVE-2026-26118) | Analytics Rule (High) | ASI03 |
| LAB - MCP Tool Definition Mutation (Rug Pull Detection) | Analytics Rule (High) | ASI01, ASI04 |
| LAB - MCP Cross-Server Data Exfiltration Pattern | Analytics Rule (Medium) | ASI02, ASI03 |
| LAB - Anomalous MCP Tool Invocation Spike | Analytics Rule (Medium) | ASI02 |
| LAB - MCP Identity Post-Exploitation Chain | Analytics Rule (High) | ASI03 |
| MCP Attack Detection — Security Posture | Workbook | All |
| 7 hunting queries | KQL (manual) | ASI01–ASI07 |

## MITRE ATT&CK coverage

| Technique | ID | Rule / Query |
|---|---|---|
| Application Access Token | T1550.001 | SSRF Token Theft |
| Adversary-in-the-Middle | T1557 | SSRF Token Theft, Inter-Agent Comms |
| Supply Chain Compromise | T1195.002 | Tool Definition Mutation, Supply Chain |
| Data from Cloud Storage | T1530 | Cross-Server Exfiltration |
| Unsecured Credentials | T1552 | Cross-Server Exfiltration, Post-Exploitation |
| Cloud API | T1059.009 | Invocation Spike, Code Execution |
| Valid Accounts: Cloud | T1078.004 | Post-Exploitation Chain |
| Serverless Execution | T1648 | Code Execution |
| Stored Data Manipulation | T1565.001 | Memory & Context Poisoning |

## Quick start

```
# Deploy analytics rules + hunting queries + workbook
./scripts/Deploy-Lab.ps1 \
  -ResourceGroup "rg-sentinel-lab" \
  -WorkspaceName "law-sentinel-lab"

# Verify the deployment
./scripts/Test-MCPDetections.ps1 \
  -ResourceGroup "rg-sentinel-lab" \
  -WorkspaceName "law-sentinel-lab"
```

The backslash line continuations above are POSIX-shell syntax; when invoking the scripts from a PowerShell prompt, use the backtick (`` ` ``) continuation character instead.

## Prerequisites

- Azure subscription with Microsoft Sentinel enabled
- Entra ID diagnostic settings: `AuditLogs`, `ServicePrincipalSignInLogs`, `ManagedIdentitySignInLogs`
- Azure Activity Log connector enabled in Sentinel
- PowerShell 7.0+ and Azure CLI
- Roles: Microsoft Sentinel Contributor, Security Reader

## Data sources

| Table | Purpose |
|-------|---------|
| `AADManagedIdentitySignInLogs` | Detect managed-identity token acquisition by MCP (CVE-2026-26118) |
| `AADServicePrincipalSignInLogs` | Monitor MCP service-principal authentication patterns |
| `AzureActivity` | Track MCP resource operations, deployments, and configuration changes |

## Cleanup

```
./scripts/Deploy-Lab.ps1 \
  -ResourceGroup "rg-sentinel-lab" \
  -WorkspaceName "law-sentinel-lab" \
  -Destroy
```

## References

- [CVE-2026-26118 — Azure MCP Server SSRF (Tenable)](https://www.tenable.com/blog/microsofts-march-2026-patch-tuesday-addresses-83-cves-cve-2026-21262-cve-2026-26127)
- [CVE-2026-26118 — Cisco Talos Analysis](https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/)
- [OWASP Top 10 for Agentic Applications 2026](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)
- [MCP Tool Poisoning — Invariant Labs](https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks)
- [MCP vs A2A Attack Surface — SnailSploit](https://snailsploit.com/ai-security/mcp-vs-a2a-attack-surface/)
- [MCP Security Guide — Real CVEs](https://www.heyuan110.com/posts/ai/2026-02-23-mcp-security-guide/)
- [Tool Poisoning Detection — Snyk Labs](https://labs.snyk.io/resources/detect-tool-poisoning-mcp-server-security/)
- [MCP Tools: Attack Vectors — Elastic Security Labs](https://www.elastic.co/security-labs/mcp-tools-attack-defense-recommendations)

## License

MIT
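The data-sources table names `AADManagedIdentitySignInLogs` as the feed for the SSRF token-theft rule but does not show the detection logic. The following KQL is an added example written for this page, not one of the repo's rules or hunting queries: it baselines which token audiences each managed identity normally requests and alerts when an identity suddenly obtains tokens for several audiences it has never used, the burst you would expect when an SSRF against the token endpoint is used to enumerate scopes. The identity names, object IDs, IP addresses and timestamps in the `datatable` are constructed; to run it live, delete the `datatable` and replace `SignIns` with the real table.

```kql
// Added example (not one of the repo's rules): flag a managed identity that
// starts acquiring tokens for audiences it never requested in the baseline
// window. Constructed sample rows stand in for AADManagedIdentitySignInLogs.
let baseline_lookback = 14d;
let detection_window = 1h;
let ref_time = datetime(2026-03-20T12:00:00Z);   // constructed "now" so the sample is reproducible; use now() live
let SignIns = datatable(
    TimeGenerated:datetime, ServicePrincipalId:string, ServicePrincipalName:string,
    ResourceDisplayName:string, IPAddress:string, ResultType:string)
[
    // baseline: this (hypothetical) identity only ever talks to Key Vault
    datetime(2026-03-10T09:00:00Z), "5c1f0d2e-0000-4000-8000-000000000001", "mi-mcp-server", "Azure Key Vault", "10.0.1.4", "0",
    datetime(2026-03-15T09:05:00Z), "5c1f0d2e-0000-4000-8000-000000000001", "mi-mcp-server", "Azure Key Vault", "10.0.1.4", "0",
    // detection window: three new audiences within a few minutes
    datetime(2026-03-20T11:30:00Z), "5c1f0d2e-0000-4000-8000-000000000001", "mi-mcp-server", "Windows Azure Service Management API", "10.0.1.4", "0",
    datetime(2026-03-20T11:31:00Z), "5c1f0d2e-0000-4000-8000-000000000001", "mi-mcp-server", "Azure Storage", "10.0.1.4", "0",
    datetime(2026-03-20T11:32:00Z), "5c1f0d2e-0000-4000-8000-000000000001", "mi-mcp-server", "Microsoft Graph", "10.0.1.4", "0",
    // a second identity with a single new audience: stays below the threshold
    datetime(2026-03-20T11:40:00Z), "5c1f0d2e-0000-4000-8000-000000000002", "mi-build-agent", "Azure Storage", "10.0.2.7", "0",
];
// Baseline: the set of audiences each identity successfully obtained tokens
// for during the lookback, excluding the detection window itself.
let Baseline = SignIns
    | where TimeGenerated between ((ref_time - baseline_lookback) .. (ref_time - detection_window))
    | where ResultType == "0"                        // successful token issuance only
    | summarize KnownResources = make_set(ResourceDisplayName) by ServicePrincipalId;
SignIns
| where TimeGenerated > ref_time - detection_window
| where ResultType == "0"
| join kind=leftouter Baseline on ServicePrincipalId
// identities with no baseline at all are kept, so a brand-new principal is not silently trusted
| where isnull(KnownResources) or not(set_has_element(KnownResources, ResourceDisplayName))
| summarize NewResources = make_set(ResourceDisplayName),
            TokenCount = count(),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress)
          by ServicePrincipalId, ServicePrincipalName
| where array_length(NewResources) >= 2             // tune: a single new audience is routine after a code change
| extend Severity = "High", MitreTechnique = "T1550.001", OwaspAgentic = "ASI03"
```

On the sample data the query returns one row for `mi-mcp-server` with three `NewResources`; `mi-build-agent` is dropped by the threshold. The threshold and lookback are the two knobs to tune per environment: a short lookback makes every deployment look anomalous, and a threshold of one produces noise whenever an agent gains a new integration.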
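The "MCP Identity Post-Exploitation Chain" rule listed above pairs the sign-in tables with `AzureActivity`, which is the second stage of the chain: a token obtained through the MCP server is then spent on control-plane operations. This added example (written for this page, not code from the repo) correlates a managed-identity token acquisition with privileged ARM operations by the same principal inside a 30-minute window and flags when the operations come from a different IP than the one that obtained the token, the signature of a token used off-host. The rows, identity names, IPs and the list of privileged operations are constructed; the example also assumes that `AzureActivity.Caller` carries the service principal object ID, the same value `ServicePrincipalId` holds in the sign-in table.

```kql
// Added example (not one of the repo's rules): chain a managed-identity token
// acquisition to privileged ARM operations by the same principal within
// chain_window. Constructed rows stand in for AADManagedIdentitySignInLogs
// and AzureActivity. Assumption: AzureActivity.Caller == ServicePrincipalId.
let chain_window = 30m;
// Constructed watch-list; extend with the operations that matter in your tenant.
let PrivilegedOps = dynamic([
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
    "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"
]);
let TokenGrants = datatable(TimeGenerated:datetime, ServicePrincipalId:string,
                            ServicePrincipalName:string, ResourceDisplayName:string, IPAddress:string)
[
    datetime(2026-03-20T11:30:00Z), "5c1f0d2e-0000-4000-8000-000000000001", "mi-mcp-server", "Windows Azure Service Management API", "10.0.1.4",
];
let Activity = datatable(TimeGenerated:datetime, Caller:string, CallerIpAddress:string,
                         OperationNameValue:string, ActivityStatusValue:string, ResourceGroup:string)
[
    // privileged operations minutes after the token was issued, from an external IP
    datetime(2026-03-20T11:36:00Z), "5c1f0d2e-0000-4000-8000-000000000001", "203.0.113.10", "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "Success", "rg-data",
    datetime(2026-03-20T11:41:00Z), "5c1f0d2e-0000-4000-8000-000000000001", "203.0.113.10", "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "Success", "rg-data",
    // benign read from the day before: not privileged and outside the window
    datetime(2026-03-19T08:00:00Z), "5c1f0d2e-0000-4000-8000-000000000001", "10.0.1.4", "MICROSOFT.STORAGE/STORAGEACCOUNTS/READ", "Success", "rg-data",
];
TokenGrants
| join kind=inner (
    Activity
    | where ActivityStatusValue == "Success"
    | where OperationNameValue in (PrivilegedOps)
    | project OpTime = TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ResourceGroup
  ) on $left.ServicePrincipalId == $right.Caller
// keep only operations that follow the token grant within the chain window
| where OpTime between (TimeGenerated .. (TimeGenerated + chain_window))
| summarize TokenIssued = min(TimeGenerated),
            FirstPrivilegedOp = min(OpTime),
            Operations = make_list(OperationNameValue),
            OperationIPs = make_set(CallerIpAddress),
            ResourceGroups = make_set(ResourceGroup)
          by ServicePrincipalId, ServicePrincipalName, TokenAudience = ResourceDisplayName, TokenIP = IPAddress
| extend MinutesToFirstOp = datetime_diff("minute", FirstPrivilegedOp, TokenIssued),
         // any operation IP not equal to the IP that obtained the token means the token left the host
         TokenUsedFromOtherIP = array_length(set_difference(OperationIPs, pack_array(TokenIP))) > 0
| extend Severity = "High", MitreTechnique = "T1078.004", OwaspAgentic = "ASI03"
```

On the sample rows this yields a single row for `mi-mcp-server` with two operations, `MinutesToFirstOp` of 6 and `TokenUsedFromOtherIP` true; the prior-day read is excluded both by the watch-list and by the time window. Live, the `Caller` mapping is the part to validate first in your own tenant, since a mismatch there silently turns the join into an empty result rather than an error.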
Tags: AI compliance, AI security, Chat Copilot, CVE-2026-26118, JSONLines, KQL, Libemu, MCP, Microsoft Sentinel, Model Context Protocol, OWASP Agentic Top 10, SSRF, StruQ, agent security, token theft, supply chain attack, tool poisoning, attack/defense lab, data exfiltration, detection rules, network asset discovery, footprinting, identity attack, zero trust