Suspicious JetBrains TeamCity Child Process
Identifies suspicious processes being spawned by the JetBrains TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.
[metadata]
creation_date = "2024/03/24"
updated_date = "2024/10/15"
maturity = "production"
# Each entry corresponds to one of the index patterns listed under [rule].index.
integration = [
    "endpoint",
    "windows",
    "system",
    "m365_defender",
    "sentinel_one_cloud_funnel",
]
# Per min_stack_comments, the Windows integration changed incompatibly at 8.14.0,
# so the rule is not offered to older stacks.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
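[rule]
author = ["Elastic"]
description = """
Identifies suspicious processes being spawned by the JetBrains TeamCity process. This activity could be related to
JetBrains remote code execution vulnerabilities.
"""
false_positives = [
    """
    Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service
    and may require further tuning.
    """,
]
# Look-back window per rule run; timestamp_override below measures it against
# ingestion time, so late-arriving events are not missed.
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious JetBrains TeamCity Child Process"
references = [
    "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
]
risk_score = 47
rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Elastic Endgame",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: System",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic notes:
#  - Parent match: only the JRE bundled under the default TeamCity server
#    directories and the agent under "?:\TeamCity\BuildAgent". A server or
#    agent installed anywhere else (including an agent under "Program Files")
#    never matches, so extend the parent list for such deployments instead of
#    assuming coverage. EQL's `:` match is case-insensitive, so the
#    BuildAgent/buildAgent spelling difference against the exclusion is not
#    a bug.
#  - Child match: grouped as shells/script hosts, proxy-execution and
#    signed-binary LOLBins, download/transfer tools, and host/domain
#    discovery. Each name appears exactly once (the earlier list carried
#    duplicates of tasklist, arp, bitsadmin, wmic and regsvr32); the matched
#    set is unchanged.
#  - Exclusions: both `not (...)` clauses key on command-line content that
#    an attacker can shape. Anyone who can define a build step, or who has
#    code execution as the agent, can launch a .ps1 from the agent work
#    directory with -ExecutionPolicy, or a `cmd.exe ... dir /-c`, and land
#    inside them. Treat these as noise reduction for known-good build
#    activity, not as a trust boundary, and revisit them when tuning.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.executable :
    ("?:\\TeamCity\\jre\\bin\\java.exe",
     "?:\\Program Files\\TeamCity\\jre\\bin\\java.exe",
     "?:\\Program Files (x86)\\TeamCity\\jre\\bin\\java.exe",
     "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe") and
  process.name :
    ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe",
     "msiexec.exe", "rundll32.exe", "regsvr32.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
     "Microsoft.Workflow.Compiler.exe", "msxsl.exe", "odbcconf.exe", "cmstp.exe", "control.exe",
     "atbroker.exe", "bginfo.exe", "cdb.exe", "csi.exe", "rcsi.exe", "dnx.exe", "fsi.exe",
     "forfiles.exe", "ieexec.exe", "iexpress.exe", "xwizard.exe", "explorer.exe", "msdt.exe",
     "certutil.exe", "certreq.exe", "bitsadmin.exe", "curl.exe", "ftp.exe", "ssh.exe",
     "wmic.exe", "net.exe", "nltest.exe", "whoami.exe", "hostname.exe", "tasklist.exe", "arp.exe",
     "nbtstat.exe", "netstat.exe", "reg.exe", "dsget.exe", "dsquery.exe", "gpresult.exe",
     "ipconfig.exe", "netsh.exe", "ping.exe", "qprocess.exe", "quser.exe", "qwinsta.exe",
     "sc.exe", "schtasks.exe", "systeminfo.exe", "tracert.exe") and
  not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
  not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
'''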
75
76
# ATT&CK mapping: the exploitation that grants access, then the command
# interpreters the rule expects to see spawned as a result.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
References
Related rules
- Microsoft Exchange Server UM Writing Suspicious Files
- Execution from Unusual Directory - Command Line
- Microsoft Exchange Worker Spawning Suspicious Processes
- Potential DNS Tunneling via NsLookup
- Potential Exploitation of an Unquoted Service Path Vulnerability