feat(SAFE-T1206): added [Credential Implant in Config]

README.md

@@ -79,7 +79,7 @@ The SAFE-MCP framework defines 14 tactics that align with the MITRE ATT&CK metho
 | ATK-TA0003 | Persistence | SAFE-T1203 | Backdoored Server Binary | Inserts cron job or reverse shell on install; persists even if MCP service is uninstalled |
 | ATK-TA0003 | Persistence | SAFE-T1204 | Context Memory Implant | Malicious agent writes itself into long-term vector store; re-loaded in every future session |
 | ATK-TA0003 | Persistence | SAFE-T1205 | Persistent Tool Redefinition | Attacker modifies server's tool metadata to keep hidden commands across restarts |
-| ATK-TA0003 | Persistence | SAFE-T1206 | Credential Implant in Config | Adds attacker's API/SSH keys to server .env, giving re-entry |
+| ATK-TA0003 | Persistence | [SAFE-T1206] (techniques/SAFE-T1206/README.md) | Credential Implant in Config | Adds attacker's API/SSH keys to server .env, giving re-entry |
 | ATK-TA0003 | Persistence | SAFE-T1207 | Hijack Update Mechanism | Man-in-the-middle an auto-update channel to re-install malicious build later on |
 | ATK-TA0003 | Persistence | [SAFE-T2106](techniques/SAFE-T2106/README.md) | Context Memory Poisoning via Vector Store Contamination | Attackers manipulate vector databases storing long-term memory for AI agents, creating persistent malicious content that contaminates knowledge across all future sessions |
 | **ATK-TA0004** | **Privilege Escalation** | [SAFE-T1301](techniques/SAFE-T1301/README.md) | Cross-Server Tool Shadowing | Malicious MCP servers override legitimate tool calls to gain elevated privileges |

techniques/SAFE-T1206/README.md

@@ -0,0 +1,108 @@
+# SAFE-T1206: Credential Implant in Config
+
+## Tactic
+
+Defense Evasion / Credential Access (ATK-TA0005 / ATK-TA0006)
+
+## Description
+
+Credential Implant in Config is a technique where an attacker inserts, replaces, or modifies authentication secrets inside configuration files, provider manifests, or runtime deployment artifacts. This allows unauthorized access to Model Context Protocol (MCP) providers or systems that rely on those configurations. It matters because MCP implementations often depend on trusted configuration files to validate provider endpoints, keys, and permissions.
+
+## How It Works
+
+1. **Access acquisition** – Attacker gains access to a system, CI pipeline, or workstation capable of modifying MCP config files.
+2. **Malicious modification** – Sensitive keys, tokens, provider endpoints, or permissions are implanted into configuration or manifest files.
+3. **Bypass of validation** – Attacker attempts to evade signature verification, code reviews, or CI policies.
+4. **Execution** – Modified config is deployed or loaded by MCP runtime, granting the attacker unauthorized access or elevated capabilities.
+
+### Technical Details
+
+* Direct config edits to `mcp_config.json` or `providers.yml`.
+* CI commits swapping legitimate endpoints with attacker-controlled hosts.
+* Runtime secret injection without approval tickets.
+* Manifest permission escalation enabling read-write or exfiltration capabilities.
+
+### Prerequisites
+
+* Access to configuration repository, build system, or runtime automation.
+* Ability to modify files or bypass CI controls.
+* In some cases, weak or missing signature validation.
+
+### Expected Outcome
+
+* Attacker gains access to privileged MCP providers.
+* Unauthorized endpoints or credentials are trusted by the system.
+* Potential data leakage or impersonation of legitimate MCP providers.
+
+## Examples
+
+"An attacker modifies `mcp_config.json` to implant a plaintext API key and swap a trusted provider endpoint with `https://proxy-evil.example.com`. During the next deployment, the MCP service loads the config without detecting the tampering, granting the attacker operational access to internal data sources."
+
+## Impact
+
+* **Confidentiality:** High – Stolen or implanted secrets can expose sensitive provider data.
+* **Integrity:** High – Malicious configuration changes can compromise decision-making and service trust.
+* **Availability:** Medium – Misconfigurations may break provider communication or cause denial of service.
+
+### Potential Consequences
+
+* Credential theft and impersonation
+* Unauthorized access to internal knowledge sources
+* Data exfiltration via manipulated endpoints
+* Pipeline compromise and persistent backdoors
+
+## Detection
+
+Defenders can identify this attack by monitoring:
+
+* Unauthorized `file_write` events on `mcp_config.json` or `/etc/mcp/config.yml`.
+* CI commits that bypass code review, signature validation, or branch protections.
+* Runtime updates provisioning secrets without associated approval tickets.
+* Manifest changes indicating permission escalation.
+* Failed hash or signature checks during `config_load`.
+
+### Behavioral Indicators
+
+* Unverified commit authors modifying sensitive fields.
+* Endpoint changes introducing non-whitelisted or suspicious domains.
+* Secret-related fields added or modified unexpectedly.
+
+### Monitoring Strategies
+
+* Enable integrity-based monitoring on critical config files.
+* Enforce commit signing and CI policy checks.
+* Centralize logs for MCP runtime, Git events, and secret management.
+
+## Mitigation
+
+1. **Configuration Hardening**
+
+   * Enforce signature validation for all MCP config loads.
+   * Use immutability controls for production configuration artifacts.
+
+2. **Access Controls**
+
+   * Restrict write access to configuration repositories.
+   * Require strong authentication and role separation for CI pipelines.
+
+3. **Input Validation**
+
+   * Validate provider endpoints against an allowlist.
+   * Reject configs containing unapproved secret fields.
+
+4. **Monitoring Requirements**
+
+   * Implement anomaly detection for secret provisioning events.
+   * Audit all manifest updates and permission changes.
+
+## References
+
+* MITRE ATT&CK Technique: Credential Access (T1552 – Unsecured Credentials)
+* Supply Chain Security Guidelines
+* Configuration Security Best Practices
+* MCP Provider and Runtime Documentation
+
+## MITRE ATT&CK Mapping
+
+**ATT&CK Technique:** T1552 – Unsecured Credentials
+**ATT&CK Tactic:** Credential Access / Defense Evasion

techniques/SAFE-T1206/detection-rule.yml

@@ -0,0 +1,169 @@
+title: Credential Implant in Config Detection
+id: b4f2c3d1-9f6a-4e8b-9c2d-0a1b2c3d4e5f
+status: experimental
+description: |
+Detects suspicious modifications, insertions, or provisioning of credentials
+within
+MCP configuration artifacts, provider manifests, and environment configuration
+that
+could indicate a credential-implant supply-chain attack. Focus areas include
+unauthorized provider registrations, new or modified API keys in config,
+endpoint
+substitutions to non-whitelisted hosts, CI/CD commits that alter configuration
+without proper review, and failures of configuration integrity checks
+(signatures,
+hashes).
+Author: Victor Oluwatimileyin AJAO <victoroluwatimileyin3@gmail.com>
+date: 2025-11-20
+modified: 2025-11-20
+references:
+- https://attack.mitre.org/techniques/T1195/ 
+- https://github.com/safe-mcp/techniques/SAFE-T1202
+- https://www.cisa.gov/news-events/alerts/2020/12/17 
+- https://www.hashicorp.com/blog/securing-secrets-in-devops 
+management
+- https://www.owasp.org/index.php/Top_10-2017_A3_2017-Sensitive_Data_Exposure
+logsource:
+product: config_management
+service: mcp
+category: configuration
+# Detection selections focusing on events that indicate config credential
+1
+implantation
+detection:
+# Direct modification of MCP configuration files in production or protected
+paths
+selection_config_write:
+event_type: 'file_write'
+file_path:
+- '/etc/mcp/config.yml'
+- '/opt/mcp/providers/*.yaml'
+- 'mcp_config.json'
+actor_type: 'user'
+actor_trust_level: 'unapproved'
+change_type:
+- 'added'
+- 'modified'
+# New provider or tool registration in MCP manifests
+selection_new_provider:
+event_type: 'manifest_update'
+update_type: 'provider_registration'
+provider_status: 'new'
+provider_origin: 'external'
+provider_signed: false
+# Inserted or modified credentials in configuration or environment
+selection_credential_insertion:
+event_type:
+- 'env_update'
+- 'config_change'
+sensitive_key_patterns:
+- 'api_key'
+- 'secret'
+- 'private_key'
+- 'token'
+value_source: 'plaintext'
+actor_trust_level: 'unapproved'
+# Config signature/hash verification failures at load time
+selection_signature_failure:
+event_type: 'config_load'
+signature_validation: 'failed'
+previous_signature: '!=current_signature'
+# Provider endpoint changed to an unapproved/unwhitelisted domain
+selection_endpoint_swap:
+event_type: 'config_change'
+field_changed: 'provider.endpoint'
+2
+new_host_whitelisted: false
+# Escalation of provider permissions in configuration (e.g., read -> write,
+filesystem access added)
+selection_permission_escalation:
+event_type: 'config_change'
+field_changed: 'provider.permissions'
+permission_change: 'escalation'
+# CI/CD: direct commit to protected branch or bypass of review/gating
+selection_ci_bypass:
+event_type: 'git_commit'
+branch: 'main'
+commit_author_verified: false
+pr_review_count: 0
+pipeline_policy_passed: false
+# Environment variable provisioning in runtime (e.g., container or k8s secret
+mount) outside review window
+selection_runtime_secret_mount:
+event_type: 'runtime_update'
+runtime_target:
+- 'kubernetes'
+- 'container'
+secret_provisioned: true
+provisioned_by: 'automation'
+approval_ticket: null
+condition: any of (
+selection_config_write,
+selection_new_provider,
+selection_credential_insertion,
+selection_signature_failure,
+selection_endpoint_swap,
+selection_permission_escalation,
+selection_ci_bypass,
+selection_runtime_secret_mount
+)
+falsepositives:
+- Legitimate emergency configuration changes by on-call operators
+- Automated onboarding scripts that register approved providers
+- Platform upgrades that rotate keys via approved CI/CD pipelines
+- Secrets temporarily staged in ephemeral environments for deployment testing
+- Configuration drift remediation performed by authorized configuration
+management tools
+level: high
+3
+tags:
+- attack.supply_chain
+- attack.persistence
+- attack.credential_access
+- safe.t1202
+- mcp
+- configuration_tamper
+fields:
+- event_type
+- actor
+- actor_type
+- actor_trust_level
+- file_path
+- file_hash
+- provider_name
+- provider_endpoint
+- change_type
+- sensitive_key_patterns
+- signature_validation
+- branch
+- commit_id
+- approval_ticket
+- timestamp
+additional_rules:
+# Detect sudden/configuration reloads with mismatching hashing
+config_reload_with_mismatch:
+event_type: 'config_reload'
+loaded_from: 'production'
+file_hash_match: false
+# Detect provisioning of plaintext secrets into code repositories
+plaintext_secret_in_repo:
+event_type: 'git_commit'
+file_diff_contains:
+- 'api_key'
+- 'secret'
+- 'PRIVATE_KEY'
+commit_author_verified: false
+# Detect attempts to disable signature checks in config validation runtimes
+disable_signature_check:
+event_type: 'config_change'
+field_changed: 'config_validation.signature_check'
+new_value: false
+4
+tests:
+guidance: |
+- Ensure configuration auditing is enabled and logs are ingested into your
+detection platform.
+- Correlate file-system events, Git/CI events, and runtime provisioning logs to
+reduce false positives.
+- Tune file paths and runtime targets to fit your MCP deployment
+architecture.