Suspicious JetBrains TeamCity Child Process

Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/03/24"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2024/10/10"
  6min_stack_version = "8.13.0"
  7min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to
 13JetBrains remote code execution vulnerabilities.
 14"""
 15false_positives = [
 16    """
 17    Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service
 18    and may require further tuning.
 19    """,
 20]
 21from = "now-9m"
 22index = [
 23    "logs-endpoint.events.process-*",
 24    "winlogbeat-*",
 25    "logs-windows.forwarded*",
 26    "logs-windows.sysmon_operational-*",
 27    "endgame-*",
 28    "logs-system.security*",
 29    "logs-m365_defender.event-*",
 30    "logs-sentinel_one_cloud_funnel.*",
 31]
 32language = "eql"
 33license = "Elastic License v2"
 34name = "Suspicious JetBrains TeamCity Child Process"
 35references = [
 36    "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
 37]
 38risk_score = 47
 39rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
 40severity = "medium"
 41tags = [
 42    "Domain: Endpoint",
 43    "OS: Windows",
 44    "Use Case: Threat Detection",
 45    "Tactic: Initial Access",
 46    "Data Source: Elastic Endgame",
 47    "Use Case: Vulnerability",
 48    "Data Source: Elastic Defend",
 49    "Data Source: Microsoft Defender for Endpoint",
 50    "Data Source: System",
 51    "Data Source: Sysmon",
 52    "Data Source: SentinelOne",
 53]
 54timestamp_override = "event.ingested"
 55type = "eql"
 56
 57query = '''
 58process where host.os.type == "windows" and event.type == "start" and
 59  process.parent.executable :
 60                 ("?:\\TeamCity\\jre\\bin\\java.exe",
 61                  "?:\\Program Files\\TeamCity\\jre\\bin\\java.exe",
 62                  "?:\\Program Files (x86)\\TeamCity\\jre\\bin\\java.exe",
 63                  "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe") and
 64  process.name : ("cmd.exe", "powershell.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "curl.exe", "ssh.exe",
 65                   "rundll32.exe", "regsvr32.exe", "mshta.exe", "certreq.exe", "net.exe", "nltest.exe", "whoami.exe", "hostname.exe",
 66                   "tasklist.exe", "arp.exe", "nbtstat.exe", "netstat.exe", "reg.exe", "tasklist.exe", "Microsoft.Workflow.Compiler.exe",
 67                   "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe",
 68                   "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "ieexec.exe", "iexpress.exe",
 69                   "installutil.exe", "ipconfig.exe","msxsl.exe", "netsh.exe", "odbcconf.exe", "ping.exe", "pwsh.exe", "qprocess.exe",
 70                   "quser.exe", "qwinsta.exe", "rcsi.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe",
 71                   "systeminfo.exe", "tracert.exe", "wmic.exe", "wscript.exe","xwizard.exe", "explorer.exe", "msdt.exe") and
 72 not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
 73 not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
 74'''
 75
 76
 77[[rule.threat]]
 78framework = "MITRE ATT&CK"
 79[[rule.threat.technique]]
 80id = "T1190"
 81name = "Exploit Public-Facing Application"
 82reference = "https://attack.mitre.org/techniques/T1190/"
 83
 84
 85[rule.threat.tactic]
 86id = "TA0001"
 87name = "Initial Access"
 88reference = "https://attack.mitre.org/tactics/TA0001/"
 89[[rule.threat]]
 90framework = "MITRE ATT&CK"
 91[[rule.threat.technique]]
 92id = "T1059"
 93name = "Command and Scripting Interpreter"
 94reference = "https://attack.mitre.org/techniques/T1059/"
 95[[rule.threat.technique.subtechnique]]
 96id = "T1059.001"
 97name = "PowerShell"
 98reference = "https://attack.mitre.org/techniques/T1059/001/"
 99
100[[rule.threat.technique.subtechnique]]
101id = "T1059.003"
102name = "Windows Command Shell"
103reference = "https://attack.mitre.org/techniques/T1059/003/"
104
105
106
107[rule.threat.tactic]
108id = "TA0002"
109name = "Execution"
110reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top