Detection Library
high · experimental · Linux · OCI · Network · T1071.001

Linux Agent Connecting To Unapproved MCP Or Tool Endpoints

Detects AI agent processes connecting to MCP server ports or tool endpoint addresses that are not in the approved configuration, which may indicate tool hijacking or connection to a rogue MCP server.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · supply-chain · mcp · tool-endpoint · linux · oci · owasp-asi04

Problem Statement

MCP servers define the tools available to an AI agent. Connecting to a rogue MCP server allows an attacker to inject malicious tool definitions, override tool behaviors, or exfiltrate tool call results containing sensitive data.

Sample Logs

{"timestamp":"2025-01-10T11:55:30Z","computer_name":"oci-worker-18","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"rogue-mcp.attacker.com","destination_ip":"203.0.113.5","destination_port":8765,"initiated":true}

Required Fields

image
destination_hostname
destination_ip
destination_port
user
computer_name

False Positives

  • Legitimate MCP servers running on non-standard ports that are approved but not yet in the allowlist
  • Development environments with local MCP servers accessible from test workers

Tuning Guidance

Maintain an explicit allowlist of approved MCP server IPs and hostnames. Alert on any connection to MCP-typical ports that resolves to a hostname not in the allowlist.
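The allowlist logic described above, applied to the sample log format, as an added example that is not part of this detection library entry. It assumes a hypothetical approved configuration (the hostname mcp-tools.internal.example, the network 10.0.5.0/24, the MCP-typical port 8765 taken from the sample log, and a set of dev workers whose private-range connections are suppressed per the false-positive notes); all log lines other than the page's own sample are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample events. The first line is the page's sample log; the rest are
# added to exercise the approved, non-MCP-port, IP-only, dev-worker and inbound cases.
SAMPLE_LOGS = [
    '{"timestamp":"2025-01-10T11:55:30Z","computer_name":"oci-worker-18","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"rogue-mcp.attacker.com","destination_ip":"203.0.113.5","destination_port":8765,"initiated":true}',
    '{"timestamp":"2025-01-10T11:56:02Z","computer_name":"oci-worker-18","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"mcp-tools.internal.example","destination_ip":"10.0.5.20","destination_port":8765,"initiated":true}',
    '{"timestamp":"2025-01-10T11:56:40Z","computer_name":"oci-worker-18","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"pypi.org","destination_ip":"198.51.100.7","destination_port":443,"initiated":true}',
    '{"timestamp":"2025-01-10T11:57:11Z","computer_name":"oci-worker-18","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"","destination_ip":"10.0.5.21","destination_port":8765,"initiated":true}',
    '{"timestamp":"2025-01-10T11:57:45Z","computer_name":"oci-test-03","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"","destination_ip":"10.0.9.4","destination_port":8765,"initiated":true}',
    '{"timestamp":"2025-01-10T11:58:00Z","computer_name":"oci-worker-18","user":"www","image":"/usr/sbin/nginx","destination_hostname":"","destination_ip":"203.0.113.9","destination_port":8765,"initiated":false}',
]

# Hypothetical approved configuration. In a real deployment these values come from the
# agent's vetted MCP configuration, not from hard-coded constants.
APPROVED_MCP_HOSTNAMES = {"mcp-tools.internal.example"}
APPROVED_MCP_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]
MCP_TYPICAL_PORTS = {8765}            # port from the page's sample; extend with your servers' ports
AGENT_IMAGES = {"/usr/bin/python3"}   # binaries that host the agent runtime
AGENT_USERS = {"agent_svc"}           # service accounts the agent runs as
DEV_WORKERS = {"oci-test-03"}         # hosts where local/private MCP servers are expected

REQUIRED_FIELDS = ("image", "destination_hostname", "destination_ip",
                   "destination_port", "user", "computer_name")


def is_approved_destination(hostname, ip):
    """True when the destination is on the hostname allowlist or inside an approved network."""
    if hostname and hostname in APPROVED_MCP_HOSTNAMES:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_MCP_NETWORKS)


def is_dev_private_connection(computer_name, ip):
    """Suppress private-range destinations from designated dev/test workers (tuning for FP #2)."""
    if computer_name not in DEV_WORKERS:
        return False
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def evaluate(event):
    """Return an alert dict when the event matches the rule, otherwise None."""
    if any(field not in event for field in REQUIRED_FIELDS):
        return None                                   # cannot evaluate without the required fields
    if not event.get("initiated", False):
        return None                                   # only outbound, process-initiated connections
    if event["image"] not in AGENT_IMAGES and event["user"] not in AGENT_USERS:
        return None                                   # not an AI agent process
    if int(event["destination_port"]) not in MCP_TYPICAL_PORTS:
        return None                                   # not an MCP-typical port
    if is_approved_destination(event["destination_hostname"], event["destination_ip"]):
        return None
    if is_dev_private_connection(event["computer_name"], event["destination_ip"]):
        return None
    return {
        "rule": "Linux Agent Connecting To Unapproved MCP Or Tool Endpoints",
        "computer_name": event["computer_name"],
        "user": event["user"],
        "image": event["image"],
        "destination_hostname": event["destination_hostname"],
        "destination_ip": event["destination_ip"],
        "destination_port": event["destination_port"],
        "reason": "destination not in approved MCP allowlist",
    }


def run(lines):
    """Parse JSON log lines, skipping malformed ones, and collect the alerts."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(json.dumps(alert))
```

Only the page's sample event fires: the approved hostname, the in-network IP-only connection, the non-MCP port and the inbound nginx connection are all filtered, and the dev worker's private-range connection is suppressed by the tuning exception. Hostnames are matched exactly; if your sensor records only IPs for some connections, the network allowlist is what keeps those from alerting, so keep it in step with the hostname list.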