Suspicious JetBrains TeamCity Child Process

Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/03/24"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to
 13JetBrains remote code execution vulnerabilities.
 14"""
 15false_positives = [
 16    """
 17    Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service
 18    and may require further tuning.
 19    """,
 20]
 21from = "now-9m"
 22index = [
 23    "logs-endpoint.events.process-*",
 24    "winlogbeat-*",
 25    "logs-windows.forwarded*",
 26    "logs-windows.sysmon_operational-*",
 27    "endgame-*",
 28    "logs-system.security*",
 29    "logs-m365_defender.event-*",
 30    "logs-sentinel_one_cloud_funnel.*",
 31]
 32language = "eql"
 33license = "Elastic License v2"
 34name = "Suspicious JetBrains TeamCity Child Process"
 35references = [
 36    "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
 37]
 38risk_score = 47
 39rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
 40severity = "medium"
 41tags = [
 42    "Domain: Endpoint",
 43    "OS: Windows",
 44    "Use Case: Threat Detection",
 45    "Tactic: Initial Access",
 46    "Data Source: Elastic Endgame",
 47    "Use Case: Vulnerability",
 48    "Data Source: Elastic Defend",
 49    "Data Source: Microsoft Defender for Endpoint",
 50    "Data Source: System",
 51    "Data Source: Sysmon",
 52    "Data Source: SentinelOne",
 53    "Resources: Investigation Guide",
 54]
 55timestamp_override = "event.ingested"
 56type = "eql"
 57
 58query = '''
 59process where host.os.type == "windows" and event.type == "start" and
 60  process.parent.executable :
 61                 ("?:\\TeamCity\\jre\\bin\\java.exe",
 62                  "?:\\Program Files\\TeamCity\\jre\\bin\\java.exe",
 63                  "?:\\Program Files (x86)\\TeamCity\\jre\\bin\\java.exe",
 64                  "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe") and
 65  process.name : ("cmd.exe", "powershell.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "curl.exe", "ssh.exe",
 66                   "rundll32.exe", "regsvr32.exe", "mshta.exe", "certreq.exe", "net.exe", "nltest.exe", "whoami.exe", "hostname.exe",
 67                   "tasklist.exe", "arp.exe", "nbtstat.exe", "netstat.exe", "reg.exe", "tasklist.exe", "Microsoft.Workflow.Compiler.exe",
 68                   "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe",
 69                   "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "ieexec.exe", "iexpress.exe",
 70                   "installutil.exe", "ipconfig.exe","msxsl.exe", "netsh.exe", "odbcconf.exe", "ping.exe", "pwsh.exe", "qprocess.exe",
 71                   "quser.exe", "qwinsta.exe", "rcsi.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe",
 72                   "systeminfo.exe", "tracert.exe", "wmic.exe", "wscript.exe","xwizard.exe", "explorer.exe", "msdt.exe") and
 73 not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
 74 not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
 75'''
 76note = """## Triage and analysis
 77
 78> **Disclaimer**:
 79> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 80
 81### Investigating Suspicious JetBrains TeamCity Child Process
 82
 83JetBrains TeamCity is a continuous integration and deployment server used to automate software development processes. Adversaries may exploit vulnerabilities in TeamCity to execute unauthorized code, potentially spawning malicious child processes. The detection rule identifies unusual child processes initiated by TeamCity's Java executable, flagging potential exploitation attempts by monitoring for known suspicious executables, while excluding legitimate operations.
 84
 85### Possible investigation steps
 86
 87- Review the process tree to identify the parent and child processes associated with the suspicious activity, focusing on the parent executable paths like "?:\\TeamCity\\jre\\bin\\java.exe".
 88- Examine the command-line arguments of the suspicious child processes, especially those involving "cmd.exe" or "powershell.exe", to understand the actions being executed.
 89- Check for any recent vulnerabilities or patches related to JetBrains TeamCity that might explain the suspicious behavior.
 90- Investigate the user account under which the suspicious processes were executed to determine if it aligns with expected usage patterns or if it indicates potential compromise.
 91- Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activity or indicators of compromise.
 92- Assess network activity from the host to detect any unusual outbound connections that might suggest data exfiltration or communication with a command and control server.
 93
 94### False positive analysis
 95
 96- Legitimate build scripts may invoke command-line utilities like cmd.exe or powershell.exe. To handle these, create exceptions for specific scripts by matching known safe arguments or paths.
 97- Automated tasks or maintenance scripts might use network utilities such as ping.exe or netstat.exe. Exclude these by identifying and allowing specific scheduled tasks or maintenance windows.
 98- System monitoring tools could trigger processes like tasklist.exe or systeminfo.exe. Whitelist these tools by verifying their source and ensuring they are part of authorized monitoring solutions.
 99- Development or testing environments may frequently use utilities like explorer.exe or control.exe. Establish exceptions for these environments by defining specific hostnames or IP ranges where such activity is expected.
100- Custom scripts or applications might use msiexec.exe for legitimate software installations. Allow these by confirming the source and purpose of the installations, and excluding them based on known safe paths or signatures.
101
102### Response and remediation
103
104- Immediately isolate the affected TeamCity server from the network to prevent further unauthorized access or lateral movement.
105- Terminate any suspicious child processes identified by the detection rule, such as cmd.exe or powershell.exe, to halt potential malicious activities.
106- Conduct a thorough review of recent changes and deployments in TeamCity to identify any unauthorized modifications or suspicious activities.
107- Apply the latest security patches and updates to TeamCity and its underlying Java runtime environment to mitigate known vulnerabilities.
108- Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain.
109- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule.
110- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures."""
111
112
113[[rule.threat]]
114framework = "MITRE ATT&CK"
115[[rule.threat.technique]]
116id = "T1190"
117name = "Exploit Public-Facing Application"
118reference = "https://attack.mitre.org/techniques/T1190/"
119
120
121[rule.threat.tactic]
122id = "TA0001"
123name = "Initial Access"
124reference = "https://attack.mitre.org/tactics/TA0001/"
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127[[rule.threat.technique]]
128id = "T1059"
129name = "Command and Scripting Interpreter"
130reference = "https://attack.mitre.org/techniques/T1059/"
131[[rule.threat.technique.subtechnique]]
132id = "T1059.001"
133name = "PowerShell"
134reference = "https://attack.mitre.org/techniques/T1059/001/"
135
136[[rule.threat.technique.subtechnique]]
137id = "T1059.003"
138name = "Windows Command Shell"
139reference = "https://attack.mitre.org/techniques/T1059/003/"
140
141
142
143[rule.threat.tactic]
144id = "TA0002"
145name = "Execution"
146reference = "https://attack.mitre.org/tactics/TA0002/"
...
toml

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

JetBrains TeamCity is a continuous integration and deployment server used to automate software development processes. Adversaries may exploit vulnerabilities in TeamCity to execute unauthorized code, potentially spawning malicious child processes. The detection rule identifies unusual child processes initiated by TeamCity's Java executable, flagging potential exploitation attempts by monitoring for known suspicious executables, while excluding legitimate operations.

  • Review the process tree to identify the parent and child processes associated with the suspicious activity, focusing on the parent executable paths like "?:\TeamCity\jre\bin\java.exe".
  • Examine the command-line arguments of the suspicious child processes, especially those involving "cmd.exe" or "powershell.exe", to understand the actions being executed.
  • Check for any recent vulnerabilities or patches related to JetBrains TeamCity that might explain the suspicious behavior.
  • Investigate the user account under which the suspicious processes were executed to determine if it aligns with expected usage patterns or if it indicates potential compromise.
  • Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activity or indicators of compromise.
  • Assess network activity from the host to detect any unusual outbound connections that might suggest data exfiltration or communication with a command and control server.
  • Legitimate build scripts may invoke command-line utilities like cmd.exe or powershell.exe. To handle these, create exceptions for specific scripts by matching known safe arguments or paths.
  • Automated tasks or maintenance scripts might use network utilities such as ping.exe or netstat.exe. Exclude these by identifying and allowing specific scheduled tasks or maintenance windows.
  • System monitoring tools could trigger processes like tasklist.exe or systeminfo.exe. Whitelist these tools by verifying their source and ensuring they are part of authorized monitoring solutions.
  • Development or testing environments may frequently use utilities like explorer.exe or control.exe. Establish exceptions for these environments by defining specific hostnames or IP ranges where such activity is expected.
  • Custom scripts or applications might use msiexec.exe for legitimate software installations. Allow these by confirming the source and purpose of the installations, and excluding them based on known safe paths or signatures.
  • Immediately isolate the affected TeamCity server from the network to prevent further unauthorized access or lateral movement.
  • Terminate any suspicious child processes identified by the detection rule, such as cmd.exe or powershell.exe, to halt potential malicious activities.
  • Conduct a thorough review of recent changes and deployments in TeamCity to identify any unauthorized modifications or suspicious activities.
  • Apply the latest security patches and updates to TeamCity and its underlying Java runtime environment to mitigate known vulnerabilities.
  • Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain.
  • Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule.
  • Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures.

References

Related rules

to-top