Suspicious JetBrains TeamCity Child Process

Identifies suspicious processes being spawned by the JetBrains TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.


  1[metadata]
  2creation_date = "2024/03/24"
  3integration = ["endpoint", "windows", "system", "m365_defender"]
  4maturity = "production"
  5updated_date = "2024/06/25"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to
 11JetBrains remote code execution vulnerabilities.
 12"""
 13false_positives = [
 14    """
 15    Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service
 16    and may require further tuning.
 17    """,
 18]
 19from = "now-9m"
 20index = [
 21    "logs-endpoint.events.process-*",
 22    "winlogbeat-*",
 23    "logs-windows.*",
 24    "endgame-*",
 25    "logs-system.security*",
 26    "logs-m365_defender.event-*"
 27]
 28language = "eql"
 29license = "Elastic License v2"
 30name = "Suspicious JetBrains TeamCity Child Process"
 31references = [
 32    "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
 33]
 34risk_score = 47
 35rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
 36severity = "medium"
 37tags = [
 38    "Domain: Endpoint",
 39    "OS: Windows",
 40    "Use Case: Threat Detection",
 41    "Tactic: Initial Access",
 42    "Data Source: Elastic Endgame",
 43    "Use Case: Vulnerability",
 44    "Data Source: Elastic Defend",
 45    "Data Source: Microsoft Defender for Endpoint"
 46]
 47timestamp_override = "event.ingested"
 48type = "eql"
 49
 50query = '''
 51process where host.os.type == "windows" and event.type == "start" and
 52  process.parent.executable :
 53                 ("?:\\TeamCity\\jre\\bin\\java.exe",
 54                  "?:\\Program Files\\TeamCity\\jre\\bin\\java.exe",
 55                  "?:\\Program Files (x86)\\TeamCity\\jre\\bin\\java.exe",
 56                  "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe") and
 57  process.name : ("cmd.exe", "powershell.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "curl.exe", "ssh.exe",
 58                   "rundll32.exe", "regsvr32.exe", "mshta.exe", "certreq.exe", "net.exe", "nltest.exe", "whoami.exe", "hostname.exe",
 59                   "tasklist.exe", "arp.exe", "nbtstat.exe", "netstat.exe", "reg.exe", "tasklist.exe", "Microsoft.Workflow.Compiler.exe",
 60                   "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe",
 61                   "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "ieexec.exe", "iexpress.exe",
 62                   "installutil.exe", "ipconfig.exe","msxsl.exe", "netsh.exe", "odbcconf.exe", "ping.exe", "pwsh.exe", "qprocess.exe",
 63                   "quser.exe", "qwinsta.exe", "rcsi.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe",
 64                   "systeminfo.exe", "tracert.exe", "wmic.exe", "wscript.exe","xwizard.exe", "explorer.exe", "msdt.exe") and
 65 not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
 66 not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
 67'''
 68
 69
 70[[rule.threat]]
 71framework = "MITRE ATT&CK"
 72[[rule.threat.technique]]
 73id = "T1190"
 74name = "Exploit Public-Facing Application"
 75reference = "https://attack.mitre.org/techniques/T1190/"
 76
 77
 78[rule.threat.tactic]
 79id = "TA0001"
 80name = "Initial Access"
 81reference = "https://attack.mitre.org/tactics/TA0001/"
 82[[rule.threat]]
 83framework = "MITRE ATT&CK"
 84[[rule.threat.technique]]
 85id = "T1059"
 86name = "Command and Scripting Interpreter"
 87reference = "https://attack.mitre.org/techniques/T1059/"
 88[[rule.threat.technique.subtechnique]]
 89id = "T1059.001"
 90name = "PowerShell"
 91reference = "https://attack.mitre.org/techniques/T1059/001/"
 92
 93[[rule.threat.technique.subtechnique]]
 94id = "T1059.003"
 95name = "Windows Command Shell"
 96reference = "https://attack.mitre.org/techniques/T1059/003/"
 97
 98
 99
100[rule.threat.tactic]
101id = "TA0002"
102name = "Execution"
103reference = "https://attack.mitre.org/tactics/TA0002/"
