Suspicious JetBrains TeamCity Child Process
Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/24"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2025/01/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to
13JetBrains remote code execution vulnerabilities.
14"""
15false_positives = [
16 """
17 Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service
18 and may require further tuning.
19 """,
20]
21from = "now-9m"
22index = [
23 "logs-endpoint.events.process-*",
24 "winlogbeat-*",
25 "logs-windows.forwarded*",
26 "logs-windows.sysmon_operational-*",
27 "endgame-*",
28 "logs-system.security*",
29 "logs-m365_defender.event-*",
30 "logs-sentinel_one_cloud_funnel.*",
31]
32language = "eql"
33license = "Elastic License v2"
34name = "Suspicious JetBrains TeamCity Child Process"
35references = [
36 "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
37]
38risk_score = 47
39rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
40severity = "medium"
41tags = [
42 "Domain: Endpoint",
43 "OS: Windows",
44 "Use Case: Threat Detection",
45 "Tactic: Initial Access",
46 "Data Source: Elastic Endgame",
47 "Use Case: Vulnerability",
48 "Data Source: Elastic Defend",
49 "Data Source: Microsoft Defender for Endpoint",
50 "Data Source: System",
51 "Data Source: Sysmon",
52 "Data Source: SentinelOne",
53 "Resources: Investigation Guide",
54]
55timestamp_override = "event.ingested"
56type = "eql"
57
58query = '''
59process where host.os.type == "windows" and event.type == "start" and
60 process.parent.executable :
61 ("?:\\TeamCity\\jre\\bin\\java.exe",
62 "?:\\Program Files\\TeamCity\\jre\\bin\\java.exe",
63 "?:\\Program Files (x86)\\TeamCity\\jre\\bin\\java.exe",
64 "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe") and
65 process.name : ("cmd.exe", "powershell.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "curl.exe", "ssh.exe",
66 "rundll32.exe", "regsvr32.exe", "mshta.exe", "certreq.exe", "net.exe", "nltest.exe", "whoami.exe", "hostname.exe",
67 "tasklist.exe", "arp.exe", "nbtstat.exe", "netstat.exe", "reg.exe", "tasklist.exe", "Microsoft.Workflow.Compiler.exe",
68 "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe",
69 "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "ieexec.exe", "iexpress.exe",
70 "installutil.exe", "ipconfig.exe","msxsl.exe", "netsh.exe", "odbcconf.exe", "ping.exe", "pwsh.exe", "qprocess.exe",
71 "quser.exe", "qwinsta.exe", "rcsi.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe",
72 "systeminfo.exe", "tracert.exe", "wmic.exe", "wscript.exe","xwizard.exe", "explorer.exe", "msdt.exe") and
73 not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
74 not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
75'''
76note = """## Triage and analysis
77
78> **Disclaimer**:
79> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
80
81### Investigating Suspicious JetBrains TeamCity Child Process
82
83JetBrains TeamCity is a continuous integration and deployment server used to automate software development processes. Adversaries may exploit vulnerabilities in TeamCity to execute unauthorized code, potentially spawning malicious child processes. The detection rule identifies unusual child processes initiated by TeamCity's Java executable, flagging potential exploitation attempts by monitoring for known suspicious executables, while excluding legitimate operations.
84
85### Possible investigation steps
86
87- Review the process tree to identify the parent and child processes associated with the suspicious activity, focusing on the parent executable paths like "?:\\TeamCity\\jre\\bin\\java.exe".
88- Examine the command-line arguments of the suspicious child processes, especially those involving "cmd.exe" or "powershell.exe", to understand the actions being executed.
89- Check for any recent vulnerabilities or patches related to JetBrains TeamCity that might explain the suspicious behavior.
90- Investigate the user account under which the suspicious processes were executed to determine if it aligns with expected usage patterns or if it indicates potential compromise.
91- Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activity or indicators of compromise.
92- Assess network activity from the host to detect any unusual outbound connections that might suggest data exfiltration or communication with a command and control server.
93
94### False positive analysis
95
96- Legitimate build scripts may invoke command-line utilities like cmd.exe or powershell.exe. To handle these, create exceptions for specific scripts by matching known safe arguments or paths.
97- Automated tasks or maintenance scripts might use network utilities such as ping.exe or netstat.exe. Exclude these by identifying and allowing specific scheduled tasks or maintenance windows.
98- System monitoring tools could trigger processes like tasklist.exe or systeminfo.exe. Whitelist these tools by verifying their source and ensuring they are part of authorized monitoring solutions.
99- Development or testing environments may frequently use utilities like explorer.exe or control.exe. Establish exceptions for these environments by defining specific hostnames or IP ranges where such activity is expected.
100- Custom scripts or applications might use msiexec.exe for legitimate software installations. Allow these by confirming the source and purpose of the installations, and excluding them based on known safe paths or signatures.
101
102### Response and remediation
103
104- Immediately isolate the affected TeamCity server from the network to prevent further unauthorized access or lateral movement.
105- Terminate any suspicious child processes identified by the detection rule, such as cmd.exe or powershell.exe, to halt potential malicious activities.
106- Conduct a thorough review of recent changes and deployments in TeamCity to identify any unauthorized modifications or suspicious activities.
107- Apply the latest security patches and updates to TeamCity and its underlying Java runtime environment to mitigate known vulnerabilities.
108- Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain.
109- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule.
110- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures."""
111
112
113[[rule.threat]]
114framework = "MITRE ATT&CK"
115[[rule.threat.technique]]
116id = "T1190"
117name = "Exploit Public-Facing Application"
118reference = "https://attack.mitre.org/techniques/T1190/"
119
120
121[rule.threat.tactic]
122id = "TA0001"
123name = "Initial Access"
124reference = "https://attack.mitre.org/tactics/TA0001/"
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127[[rule.threat.technique]]
128id = "T1059"
129name = "Command and Scripting Interpreter"
130reference = "https://attack.mitre.org/techniques/T1059/"
131[[rule.threat.technique.subtechnique]]
132id = "T1059.001"
133name = "PowerShell"
134reference = "https://attack.mitre.org/techniques/T1059/001/"
135
136[[rule.threat.technique.subtechnique]]
137id = "T1059.003"
138name = "Windows Command Shell"
139reference = "https://attack.mitre.org/techniques/T1059/003/"
140
141
142
143[rule.threat.tactic]
144id = "TA0002"
145name = "Execution"
146reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Suspicious JetBrains TeamCity Child Process
JetBrains TeamCity is a continuous integration and deployment server used to automate software development processes. Adversaries may exploit vulnerabilities in TeamCity to execute unauthorized code, potentially spawning malicious child processes. The detection rule identifies unusual child processes initiated by TeamCity's Java executable, flagging potential exploitation attempts by monitoring for known suspicious executables, while excluding legitimate operations.
Possible investigation steps
- Review the process tree to identify the parent and child processes associated with the suspicious activity, focusing on the parent executable paths like "?:\TeamCity\jre\bin\java.exe".
- Examine the command-line arguments of the suspicious child processes, especially those involving "cmd.exe" or "powershell.exe", to understand the actions being executed.
- Check for any recent vulnerabilities or patches related to JetBrains TeamCity that might explain the suspicious behavior.
- Investigate the user account under which the suspicious processes were executed to determine if it aligns with expected usage patterns or if it indicates potential compromise.
- Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activity or indicators of compromise.
- Assess network activity from the host to detect any unusual outbound connections that might suggest data exfiltration or communication with a command and control server.
False positive analysis
- Legitimate build scripts may invoke command-line utilities like cmd.exe or powershell.exe. To handle these, create exceptions for specific scripts by matching known safe arguments or paths.
- Automated tasks or maintenance scripts might use network utilities such as ping.exe or netstat.exe. Exclude these by identifying and allowing specific scheduled tasks or maintenance windows.
- System monitoring tools could trigger processes like tasklist.exe or systeminfo.exe. Whitelist these tools by verifying their source and ensuring they are part of authorized monitoring solutions.
- Development or testing environments may frequently use utilities like explorer.exe or control.exe. Establish exceptions for these environments by defining specific hostnames or IP ranges where such activity is expected.
- Custom scripts or applications might use msiexec.exe for legitimate software installations. Allow these by confirming the source and purpose of the installations, and excluding them based on known safe paths or signatures.
Response and remediation
- Immediately isolate the affected TeamCity server from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious child processes identified by the detection rule, such as cmd.exe or powershell.exe, to halt potential malicious activities.
- Conduct a thorough review of recent changes and deployments in TeamCity to identify any unauthorized modifications or suspicious activities.
- Apply the latest security patches and updates to TeamCity and its underlying Java runtime environment to mitigate known vulnerabilities.
- Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain.
- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule.
- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures.
References
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Command Execution via SolarWinds Process
- Microsoft Exchange Server UM Writing Suspicious Files
- Mounting Hidden or WebDav Remote Shares
- Potential Foxmail Exploitation