Suspicious JetBrains TeamCity Child Process
Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/24"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/10"
6min_stack_version = "8.13.0"
7min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to
13JetBrains remote code execution vulnerabilities.
14"""
15false_positives = [
16 """
17 Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service
18 and may require further tuning.
19 """,
20]
21from = "now-9m"
22index = [
23 "logs-endpoint.events.process-*",
24 "winlogbeat-*",
25 "logs-windows.forwarded*",
26 "logs-windows.sysmon_operational-*",
27 "endgame-*",
28 "logs-system.security*",
29 "logs-m365_defender.event-*",
30 "logs-sentinel_one_cloud_funnel.*",
31]
32language = "eql"
33license = "Elastic License v2"
34name = "Suspicious JetBrains TeamCity Child Process"
35references = [
36 "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
37]
38risk_score = 47
39rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
40severity = "medium"
41tags = [
42 "Domain: Endpoint",
43 "OS: Windows",
44 "Use Case: Threat Detection",
45 "Tactic: Initial Access",
46 "Data Source: Elastic Endgame",
47 "Use Case: Vulnerability",
48 "Data Source: Elastic Defend",
49 "Data Source: Microsoft Defender for Endpoint",
50 "Data Source: System",
51 "Data Source: Sysmon",
52 "Data Source: SentinelOne",
53]
54timestamp_override = "event.ingested"
55type = "eql"
56
57query = '''
58process where host.os.type == "windows" and event.type == "start" and
59 process.parent.executable :
60 ("?:\\TeamCity\\jre\\bin\\java.exe",
61 "?:\\Program Files\\TeamCity\\jre\\bin\\java.exe",
62 "?:\\Program Files (x86)\\TeamCity\\jre\\bin\\java.exe",
63 "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe") and
64 process.name : ("cmd.exe", "powershell.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "curl.exe", "ssh.exe",
65 "rundll32.exe", "regsvr32.exe", "mshta.exe", "certreq.exe", "net.exe", "nltest.exe", "whoami.exe", "hostname.exe",
66 "tasklist.exe", "arp.exe", "nbtstat.exe", "netstat.exe", "reg.exe", "tasklist.exe", "Microsoft.Workflow.Compiler.exe",
67 "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe",
68 "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "ieexec.exe", "iexpress.exe",
69 "installutil.exe", "ipconfig.exe","msxsl.exe", "netsh.exe", "odbcconf.exe", "ping.exe", "pwsh.exe", "qprocess.exe",
70 "quser.exe", "qwinsta.exe", "rcsi.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe",
71 "systeminfo.exe", "tracert.exe", "wmic.exe", "wscript.exe","xwizard.exe", "explorer.exe", "msdt.exe") and
72 not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
73 not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
74'''
75
76
77[[rule.threat]]
78framework = "MITRE ATT&CK"
79[[rule.threat.technique]]
80id = "T1190"
81name = "Exploit Public-Facing Application"
82reference = "https://attack.mitre.org/techniques/T1190/"
83
84
85[rule.threat.tactic]
86id = "TA0001"
87name = "Initial Access"
88reference = "https://attack.mitre.org/tactics/TA0001/"
89[[rule.threat]]
90framework = "MITRE ATT&CK"
91[[rule.threat.technique]]
92id = "T1059"
93name = "Command and Scripting Interpreter"
94reference = "https://attack.mitre.org/techniques/T1059/"
95[[rule.threat.technique.subtechnique]]
96id = "T1059.001"
97name = "PowerShell"
98reference = "https://attack.mitre.org/techniques/T1059/001/"
99
100[[rule.threat.technique.subtechnique]]
101id = "T1059.003"
102name = "Windows Command Shell"
103reference = "https://attack.mitre.org/techniques/T1059/003/"
104
105
106
107[rule.threat.tactic]
108id = "TA0002"
109name = "Execution"
110reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Microsoft Exchange Server UM Writing Suspicious Files
- Suspicious Execution from INET Cache
- Suspicious PDF Reader Child Process
- Command Execution via SolarWinds Process
- Potential Foxmail Exploitation