if teamcity is not in use, this analytic will not return results. monitor and tune for your environment.

t1190
web server
splunk

Techniques

T1190

Sample rules

JetBrains TeamCity RCE Attempt

source: splunk
technicques:
- T1190

Description

The following analytic is designed to detect attempts to exploit the CVE-2023-42793 vulnerability in TeamCity On-Premises. It focuses on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, which is the initial point of exploitation. This could indicate an unauthenticated attacker trying to gain administrative access through Remote Code Execution (RCE).

Detection logic


| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/app/rest/users/id:1/tokens/RPC2*") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `jetbrains_teamcity_rce_attempt_filter`