LoFP / false positives are not expected, as this detection is based on the presence of specific uri paths and http methods that are indicative of the cve-2024-27198 vulnerability exploitation. monitor, filter and tune as needed based on organization log sources.

Techniques

• T1190

Sample rules

JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198

• source: splunk
• technicques:
  • T1190

Description

The following analytic detects attempts to exploit the CVE-2024-27198 vulnerability in JetBrains TeamCity on-premises servers, which allows attackers to bypass authentication mechanisms. It leverages Suricata HTTP traffic logs to identify suspicious POST requests to the /app/rest/users and /app/rest/users/id:1/tokens endpoints. This activity is significant because it can lead to unauthorized administrative access, enabling attackers to gain full control over the TeamCity server, including projects, builds, agents, and artifacts. If confirmed malicious, this could result in severe security breaches and compromise the integrity of the development environment.

Detection logic

`suricata` ((http.url="*?jsp=*" AND http.url="*;.jsp*") http.status=200 http_method=POST) OR (http.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") http.status=200 http_method=POST ) 
| stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter`

JetBrains TeamCity Authentication Bypass CVE-2024-27198

• source: splunk
• technicques:
  • T1190

Description

The following analytic identifies attempts to exploit the JetBrains TeamCity Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious POST requests to the /app/rest/users and /app/rest/users/id:1/tokens endpoints, which are indicative of attempts to create new administrator users or generate admin access tokens without authentication. This detection leverages the Web datamodel and CIM-compliant log sources, such as Nginx or TeamCity logs. This activity is significant as it can lead to full control over the TeamCity server, including all projects, builds, agents, and artifacts. If confirmed malicious, attackers could gain unauthorized administrative access, leading to severe security breaches.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where ((Web.url="*?jsp=*" AND Web.url="*;.jsp*") Web.status=200 Web.http_method=POST) OR (Web.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`