Analytics Story: JetBrains TeamCity Vulnerabilities

Description

This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk.

Why it matters

JetBrains TeamCity is a continuous integration and deployment server that automates building, testing, and deploying code, and it is widely used to streamline development and release processes. A TeamCity server holds source-repository credentials, build secrets, and deployment tokens, and it can run arbitrary commands on every connected build agent, so a compromised server is a direct path into an organization's software supply chain. Like any software, TeamCity is not immune to vulnerabilities: the detections in this story cover the CVE-2024-27198 and CVE-2024-27199 authentication bypasses in the server's web interface, together with the follow-on activity an attacker typically performs after gaining access, such as installing a plugin or executing a payload dropped in a temporary directory.

Detections

Name | Technique | Type
Windows TeamCity Payload Execution from Temp Directory | Exploit Public-Facing Application, Web Shell, Command and Scripting Interpreter | TTP
Windows TeamCity Plugin Installed | Web Shell, Command and Scripting Interpreter, Exploit Public-Facing Application | Anomaly
JetBrains TeamCity Authentication Bypass CVE-2024-27198 | Exploit Public-Facing Application | TTP
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 | Exploit Public-Facing Application | TTP
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 | Exploit Public-Facing Application | TTP
JetBrains TeamCity RCE Attempt | Exploit Public-Facing Application | TTP
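
The following is an added example, not one of the Splunk searches in this story and not JetBrains or Splunk code. It sketches in plain Python the two detection ideas that the table pairs with host and network telemetry: a process spawned by the TeamCity server process whose image lives in a temp directory, and an HTTP request shaped like the CVE-2024-27198 bypass (a URI ending in ";.jsp" that carries a "jsp=" query parameter pointing at an authenticated REST path, following the public description of the flaw). The field names, the sample events and the exact matching rules are assumptions made for the example, and the events are constructed rather than real telemetry.

```python
"""Simplified re-implementation of two TeamCity detection ideas (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Sysmon EventID 1 / Security 4688 style records (not real telemetry).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\TeamCity\bin\TeamCity.exe",
     "Image": r"C:\Windows\Temp\tc_update.exe"},
    {"ParentImage": r"C:\TeamCity\jre\bin\java.exe",
     "Image": r"C:\Users\svc_tc\AppData\Local\Temp\stage1.exe"},
    # Benign: spawned by TeamCity but not from a temp directory.
    {"ParentImage": r"C:\TeamCity\jre\bin\java.exe",
     "Image": r"C:\TeamCity\buildAgent\bin\agent.exe"},
    # Benign: temp directory, but the parent is not the TeamCity server.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\installer.exe"},
]

# A path segment named Temp or Tmp anywhere in the image path (assumed heuristic).
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parent_is_teamcity(parent_image: str) -> bool:
    """True for the TeamCity service wrapper or a java.exe under the install dir."""
    p = parent_image.lower()
    return p.endswith("\\teamcity.exe") or (p.endswith("\\java.exe") and "teamcity" in p)


def is_temp_payload_from_teamcity(event: dict) -> bool:
    """Host-side check: TeamCity server spawned an executable out of a temp directory."""
    return parent_is_teamcity(event["ParentImage"]) and bool(TEMP_DIR_RE.search(event["Image"]))


def flag_process_events(events):
    """Return the image paths of all events that match the temp-payload check."""
    return [e["Image"] for e in events if is_temp_payload_from_teamcity(e)]


# Constructed request URIs as a Suricata http log would carry them (not real traffic).
HTTP_REQUESTS = [
    "/hax?jsp=/app/rest/server;.jsp",
    "/anything?jsp=/app/rest/users;.jsp",
    "/login.html",
    "/app/rest/server",
    "/static/page.jsp?jsp=1",
]


def is_cve_2024_27198_bypass(uri: str) -> bool:
    """Network-side check for the CVE-2024-27198 request shape (assumed from the public write-up).

    The URI must end in ";.jsp" and carry a jsp= parameter that names an
    authenticated REST path; either condition alone is treated as benign.
    """
    if not uri.lower().endswith(";.jsp"):
        return False
    target = parse_qs(urlsplit(uri).query).get("jsp", [""])[0]
    return target.startswith("/app/rest/")


def flag_http_requests(uris):
    """Return every request URI that matches the bypass shape."""
    return [u for u in uris if is_cve_2024_27198_bypass(u)]


if __name__ == "__main__":
    for image in flag_process_events(PROCESS_EVENTS):
        print("TTP: TeamCity payload execution from temp directory:", image)
    for uri in flag_http_requests(HTTP_REQUESTS):
        print("TTP: CVE-2024-27198 authentication bypass attempt:", uri)
```

In production the same two conditions are expressed as Splunk searches over the Endpoint and Web data models; the point of the Python is to make the conditions explicit so they can be reviewed and unit-tested against known-good and known-bad events before tuning the searches. Note that the host check deliberately requires both a TeamCity parent and a temp-directory image, since either condition on its own is common in normal build activity.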

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Suricata | Other | suricata | not_applicable
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security

Source: GitHub | Version: 1