LoFP: legitimate plugin installations by authorized administrators can trigger this detection. Verify with change management records before investigating further.

Techniques

Sample rules

Windows TeamCity Plugin Installed

Description

Detects the creation of a plugin zip file under the TeamCity data structure. This indicates a new plugin has been installed and can potentially indicate attempts to gain code execution on the TeamCity server if the plugin installation was unexpected.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_path="*:\\ProgramData\\JetBrains\\TeamCity\\plugins\\*"
          Filesystem.file_name="*.zip"
          Filesystem.action="created"
    by Filesystem.dest Filesystem.action Filesystem.file_name Filesystem.user
       Filesystem.vendor_product Filesystem.file_create_time Filesystem.process_path
       Filesystem.process_guid Filesystem.process_id Filesystem.file_path
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_teamcity_plugin_installed_filter`
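To make the rule's matching and the false-positive triage step concrete, the following is an added Python re-implementation of the detection logic above (path under the TeamCity plugins directory, `*.zip` file name, `created` action, grouped with count/firstTime/lastTime) together with the change-management cross-check the LoFP note asks for. It is not Splunk, not the original rule and not JetBrains code; the events, hosts, users, process paths and change tickets are constructed sample data, the `by` key is reduced to the fields a triager looks at first, and the change-record schema (ticket, dest, file_name, start/end window) is an assumption about what a change system would export.

```python
"""Plain-Python equivalent of the TeamCity plugin-install detection, plus a
change-management cross-check. Added example with constructed data; not the
Splunk rule itself."""
import fnmatch
from datetime import datetime, timezone

# Same predicates as the tstats where-clause.
PATH_PATTERN = r"*:\ProgramData\JetBrains\TeamCity\plugins\*"
NAME_PATTERN = "*.zip"
ACTION = "created"

# Constructed Endpoint.Filesystem-style events (hypothetical hosts/users/paths).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "dest": "tc-srv01", "user": "svc_teamcity",
     "action": "created", "file_name": "slack-notifier.zip",
     "file_path": r"C:\ProgramData\JetBrains\TeamCity\plugins\slack-notifier.zip",
     "process_path": r"C:\TeamCity\jre\bin\java.exe"},
    {"_time": "2024-05-01T10:00:05Z", "dest": "tc-srv01", "user": "svc_teamcity",
     "action": "created", "file_name": "slack-notifier.zip",
     "file_path": r"C:\ProgramData\JetBrains\TeamCity\plugins\slack-notifier.zip",
     "process_path": r"C:\TeamCity\jre\bin\java.exe"},
    {"_time": "2024-05-02T03:14:00Z", "dest": "tc-srv01", "user": "webadmin",
     "action": "created", "file_name": "helper.zip",
     "file_path": r"C:\ProgramData\JetBrains\TeamCity\plugins\helper.zip",
     "process_path": r"C:\TeamCity\jre\bin\java.exe"},
    # Unpacked plugin content: right directory, but not a .zip
    {"_time": "2024-05-02T03:15:00Z", "dest": "tc-srv01", "user": "svc_teamcity",
     "action": "created", "file_name": "plugin.xml",
     "file_path": r"C:\ProgramData\JetBrains\TeamCity\plugins\.unpacked\helper\plugin.xml",
     "process_path": r"C:\TeamCity\jre\bin\java.exe"},
    # A zip outside the watched directory
    {"_time": "2024-05-02T09:00:00Z", "dest": "tc-srv01", "user": "alice",
     "action": "created", "file_name": "report.zip",
     "file_path": r"C:\Users\alice\Downloads\report.zip",
     "process_path": r"C:\Windows\explorer.exe"},
    # A plugin zip being deleted: action does not match
    {"_time": "2024-05-03T12:00:00Z", "dest": "tc-srv02", "user": "svc_teamcity",
     "action": "deleted", "file_name": "old.zip",
     "file_path": r"D:\ProgramData\JetBrains\TeamCity\plugins\old.zip",
     "process_path": r"C:\TeamCity\jre\bin\java.exe"},
]

# Constructed change-management records (assumed schema): approved installs.
CHANGE_RECORDS = [
    {"ticket": "CHG-0001", "dest": "tc-srv01", "file_name": "slack-notifier.zip",
     "start": "2024-05-01T09:00:00Z", "end": "2024-05-01T12:00:00Z"},
]


def _ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_rule(event):
    """Equivalent of the where-clause. Windows paths are case-insensitive, so both
    sides are lower-cased before the glob comparison."""
    return (event["action"] == ACTION
            and fnmatch.fnmatchcase(event["file_path"].lower(), PATH_PATTERN.lower())
            and fnmatch.fnmatchcase(event["file_name"].lower(), NAME_PATTERN))


def aggregate(events):
    """Group matching events (reduced 'by' key) with count, firstTime, lastTime."""
    groups = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["dest"], ev["user"], ev["file_name"], ev["process_path"])
        t = _ts(ev["_time"])
        g = groups.setdefault(key, {"dest": ev["dest"], "user": ev["user"],
                                    "file_name": ev["file_name"],
                                    "process_path": ev["process_path"],
                                    "file_path": ev["file_path"],
                                    "count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return list(groups.values())


def approved(finding, change_records):
    """True if a change record covers this host, plugin file and time window."""
    for rec in change_records:
        if (rec["dest"] == finding["dest"]
                and rec["file_name"].lower() == finding["file_name"].lower()
                and _ts(rec["start"]) <= finding["firstTime"]
                and finding["lastTime"] <= _ts(rec["end"])):
            return True
    return False


def unexplained_installs(events, change_records):
    """Findings with no covering change record: the ones to investigate further."""
    return [f for f in aggregate(events) if not approved(f, change_records)]


if __name__ == "__main__":
    for f in unexplained_installs(SAMPLE_EVENTS, CHANGE_RECORDS):
        print(f"{f['dest']} {f['user']} {f['file_name']} x{f['count']} "
              f"{f['firstTime'].isoformat()} -> {f['lastTime'].isoformat()}")
```

Run as a script it prints only the `helper.zip` install by `webadmin` at 03:14, since the `slack-notifier.zip` writes fall inside the approved change window; the `plugin.xml`, downloads-folder zip and deletion events are dropped by the same three predicates the SPL uses. The `windows_teamcity_plugin_installed_filter` macro in the rule is the natural place to encode any standing exclusions that this kind of cross-check establishes.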