Suspicious JetBrains TeamCity Child Process
Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/24"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to
13JetBrains remote code execution vulnerabilities.
14"""
15false_positives = [
16 """
17 Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service
18 and may require further tuning.
19 """,
20]
21from = "now-9m"
22index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
23language = "eql"
24license = "Elastic License v2"
25name = "Suspicious JetBrains TeamCity Child Process"
26references = [
27 "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html"
28]
29risk_score = 47
30rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
31severity = "medium"
32tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37process where host.os.type == "windows" and event.type == "start" and
38 process.parent.executable :
39 ("?:\\TeamCity\\jre\\bin\\java.exe",
40 "?:\\Program Files\\TeamCity\\jre\\bin\\java.exe",
41 "?:\\Program Files (x86)\\TeamCity\\jre\\bin\\java.exe",
42 "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe") and
43 process.name : ("cmd.exe", "powershell.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "curl.exe", "ssh.exe",
44 "rundll32.exe", "regsvr32.exe", "mshta.exe", "certreq.exe", "net.exe", "nltest.exe", "whoami.exe", "hostname.exe",
45 "tasklist.exe", "arp.exe", "nbtstat.exe", "netstat.exe", "reg.exe", "tasklist.exe", "Microsoft.Workflow.Compiler.exe",
46 "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe",
47 "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "ieexec.exe", "iexpress.exe",
48 "installutil.exe", "ipconfig.exe","msxsl.exe", "netsh.exe", "odbcconf.exe", "ping.exe", "pwsh.exe", "qprocess.exe",
49 "quser.exe", "qwinsta.exe", "rcsi.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe",
50 "systeminfo.exe", "tracert.exe", "wmic.exe", "wscript.exe","xwizard.exe", "explorer.exe", "msdt.exe") and
51 not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
52 not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1190"
60name = "Exploit Public-Facing Application"
61reference = "https://attack.mitre.org/techniques/T1190/"
62
63
64[rule.threat.tactic]
65id = "TA0001"
66name = "Initial Access"
67reference = "https://attack.mitre.org/tactics/TA0001/"
68
69
70[[rule.threat]]
71framework = "MITRE ATT&CK"
72[[rule.threat.technique]]
73id = "T1059"
74name = "Command and Scripting Interpreter"
75reference = "https://attack.mitre.org/techniques/T1059/"
76[[rule.threat.technique.subtechnique]]
77id = "T1059.001"
78name = "PowerShell"
79reference = "https://attack.mitre.org/techniques/T1059/001/"
80[[rule.threat.technique.subtechnique]]
81id = "T1059.003"
82name = "Windows Command Shell"
83reference = "https://attack.mitre.org/techniques/T1059/003/"
84
85
86[rule.threat.tactic]
87id = "TA0002"
88name = "Execution"
89reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files
- Command Execution via SolarWinds Process
- First Time Seen Removable Device
- Microsoft Exchange Worker Spawning Suspicious Processes