[New] Suspicious JetBrains TeamCity Child Process (#3532)

Samirbous · github-actions[bot] · commit 869f562401d9 · 2024-03-25T16:36:04.000Z
* [New] Suspicious JetBrains TeamCity Child Process * Update initial_access_exploit_jetbrains_teamcity.toml * Update initial_access_exploit_jetbrains_teamcity.toml * Update initial_access_exploit_jetbrains_teamcity.toml * Update initial_access_exploit_jetbrains_teamcity.toml (cherry picked from commit fc76a8b)
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -0,0 +1,89 @@
+[metadata]
+creation_date = "2024/03/24"
+integration = ["endpoint", "windows", "system"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to
+JetBrains remote code execution vulnerabilities.
+"""
+false_positives = [
+    """
+    Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service
+    and may require further tuning.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious JetBrains TeamCity Child Process"
+references = [
+   "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html"
+]
+risk_score = 47
+rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.parent.executable :
+                 ("?:\\TeamCity\\jre\\bin\\java.exe",
+                  "?:\\Program Files\\TeamCity\\jre\\bin\\java.exe",
+                  "?:\\Program Files (x86)\\TeamCity\\jre\\bin\\java.exe",
+                  "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe") and
+  process.name : ("cmd.exe", "powershell.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "curl.exe", "ssh.exe",
+                   "rundll32.exe", "regsvr32.exe", "mshta.exe", "certreq.exe", "net.exe", "nltest.exe", "whoami.exe", "hostname.exe",
+                   "tasklist.exe", "arp.exe", "nbtstat.exe", "netstat.exe", "reg.exe", "tasklist.exe", "Microsoft.Workflow.Compiler.exe",
+                   "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe",
+                   "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "ieexec.exe", "iexpress.exe",
+                   "installutil.exe", "ipconfig.exe","msxsl.exe", "netsh.exe", "odbcconf.exe", "ping.exe", "pwsh.exe", "qprocess.exe",
+                   "quser.exe", "qwinsta.exe", "rcsi.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe",
+                   "systeminfo.exe", "tracert.exe", "wmic.exe", "wscript.exe","xwizard.exe", "explorer.exe", "msdt.exe") and
+ not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
+ not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
