Suspicious JetBrains TeamCity Child Process
Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/24"
3integration = ["endpoint", "windows", "system", "m365_defender"]
4maturity = "production"
5updated_date = "2024/06/25"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to
11JetBrains remote code execution vulnerabilities.
12"""
13false_positives = [
14 """
15 Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service
16 and may require further tuning.
17 """,
18]
19from = "now-9m"
20index = [
21 "logs-endpoint.events.process-*",
22 "winlogbeat-*",
23 "logs-windows.*",
24 "endgame-*",
25 "logs-system.security*",
26 "logs-m365_defender.event-*"
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Suspicious JetBrains TeamCity Child Process"
31references = [
32 "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
33]
34risk_score = 47
35rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
36severity = "medium"
37tags = [
38 "Domain: Endpoint",
39 "OS: Windows",
40 "Use Case: Threat Detection",
41 "Tactic: Initial Access",
42 "Data Source: Elastic Endgame",
43 "Use Case: Vulnerability",
44 "Data Source: Elastic Defend",
45 "Data Source: Microsoft Defender for Endpoint"
46]
47timestamp_override = "event.ingested"
48type = "eql"
49
50query = '''
51process where host.os.type == "windows" and event.type == "start" and
52 process.parent.executable :
53 ("?:\\TeamCity\\jre\\bin\\java.exe",
54 "?:\\Program Files\\TeamCity\\jre\\bin\\java.exe",
55 "?:\\Program Files (x86)\\TeamCity\\jre\\bin\\java.exe",
56 "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe") and
57 process.name : ("cmd.exe", "powershell.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "curl.exe", "ssh.exe",
58 "rundll32.exe", "regsvr32.exe", "mshta.exe", "certreq.exe", "net.exe", "nltest.exe", "whoami.exe", "hostname.exe",
59 "tasklist.exe", "arp.exe", "nbtstat.exe", "netstat.exe", "reg.exe", "tasklist.exe", "Microsoft.Workflow.Compiler.exe",
60 "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe",
61 "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "ieexec.exe", "iexpress.exe",
62 "installutil.exe", "ipconfig.exe","msxsl.exe", "netsh.exe", "odbcconf.exe", "ping.exe", "pwsh.exe", "qprocess.exe",
63 "quser.exe", "qwinsta.exe", "rcsi.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe",
64 "systeminfo.exe", "tracert.exe", "wmic.exe", "wscript.exe","xwizard.exe", "explorer.exe", "msdt.exe") and
65 not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
66 not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
67'''
68
69
70[[rule.threat]]
71framework = "MITRE ATT&CK"
72[[rule.threat.technique]]
73id = "T1190"
74name = "Exploit Public-Facing Application"
75reference = "https://attack.mitre.org/techniques/T1190/"
76
77
78[rule.threat.tactic]
79id = "TA0001"
80name = "Initial Access"
81reference = "https://attack.mitre.org/tactics/TA0001/"
82[[rule.threat]]
83framework = "MITRE ATT&CK"
84[[rule.threat.technique]]
85id = "T1059"
86name = "Command and Scripting Interpreter"
87reference = "https://attack.mitre.org/techniques/T1059/"
88[[rule.threat.technique.subtechnique]]
89id = "T1059.001"
90name = "PowerShell"
91reference = "https://attack.mitre.org/techniques/T1059/001/"
92
93[[rule.threat.technique.subtechnique]]
94id = "T1059.003"
95name = "Windows Command Shell"
96reference = "https://attack.mitre.org/techniques/T1059/003/"
97
98
99
100[rule.threat.tactic]
101id = "TA0002"
102name = "Execution"
103reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Suspicious MS Outlook Child Process
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files
- Adobe Hijack Persistence
- Bypass UAC via Event Viewer