Skip to content
Threat Feed
medium advisory

Suspicious JetBrains TeamCity Child Process Activity

Detection of suspicious processes spawned by JetBrains TeamCity indicates potential exploitation of remote code execution vulnerabilities.

This threat brief addresses the potential exploitation of JetBrains TeamCity servers through the spawning of suspicious child processes. TeamCity, a continuous integration and deployment server, is a valuable target for attackers seeking to gain unauthorized access to software development pipelines. The observed behavior involves the execution of unusual processes by the TeamCity Java executable (java.exe). The exploitation of TeamCity vulnerabilities allows attackers to execute arbitrary code on the server, potentially leading to data breaches, supply chain compromise, or ransomware deployment. The activity has been observed starting in late March 2024, with ongoing campaigns leveraging various tools and techniques. Defenders should be vigilant for unexpected child processes initiated by TeamCity's Java process, especially those involving command-line interpreters or system administration tools.

Attack Chain

  1. Initial Access: Attackers exploit a vulnerability in the TeamCity server software (e.g., CVE-2023-42793) to gain initial access.
  2. Code Execution: The exploitation allows attackers to execute arbitrary code within the context of the TeamCity server.
  3. Process Spawning: The attacker leverages the compromised TeamCity server to spawn a command shell (cmd.exe) or PowerShell process (powershell.exe).
  4. Discovery: The attacker uses the spawned shell to perform system discovery, gathering information about the environment using tools like whoami.exe, hostname.exe, net.exe, nltest.exe, tasklist.exe, arp.exe, nbtstat.exe, netstat.exe, reg.exe, and systeminfo.exe.
  5. Lateral Movement: Based on the discovered information, the attacker attempts to move laterally within the network, potentially using credentials or other access obtained from the TeamCity server.
  6. Persistence: The attacker establishes persistence on the compromised system, potentially through scheduled tasks or registry modifications.
  7. Privilege Escalation: The attacker attempts to escalate privileges on the compromised system.
  8. Objective Completion: The attacker achieves their final objective, which could include data exfiltration, deployment of ransomware, or disruption of software development processes.

Impact

Successful exploitation of JetBrains TeamCity can lead to significant damage, including supply chain compromise, data breaches, and disruption of software development pipelines. Victims could experience financial losses, reputational damage, and legal liabilities. Given TeamCity's central role in software development, a successful attack can have cascading effects on downstream customers and partners.

Recommendation

  • Deploy the Sigma rule "Suspicious JetBrains TeamCity Child Process" to your SIEM and tune it for your environment to detect suspicious child processes spawned by the TeamCity Java executable.
  • Review and patch any known vulnerabilities in JetBrains TeamCity, focusing on CVE-2023-42793, using the vendor's official guidance.
  • Monitor process creation events on TeamCity servers, specifically looking for the execution of command-line interpreters (cmd.exe, powershell.exe) and system administration tools by the TeamCity Java process, leveraging Windows Security Event Logs or Sysmon logs.
  • Implement network segmentation to limit the potential impact of a successful TeamCity compromise, referencing technique T1021.001 for lateral movement.

Detection coverage 2

Suspicious JetBrains TeamCity Child Process

medium

Detects suspicious processes spawned by the JetBrains TeamCity process, indicating potential exploitation.

sigma tactics: defense_evasion, discovery, execution, initial_access techniques: T1059.001, T1059.003, T1082, T1190, T1218 sources: process_creation, windows

TeamCity Java Process Spawning Certutil

medium

Detects certutil being spawned by TeamCity Java process

sigma tactics: defense_evasion sources: process_creation, windows

Detection queries are available on the platform. Get full rules →