← Back to Explore
splunk_escuTTP
JetBrains TeamCity Authentication Bypass CVE-2024-27198
The following analytic identifies attempts to exploit the JetBrains TeamCity Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints, which are indicative of attempts to create new administrator users or generate admin access tokens without authentication. This detection leverages the Web datamodel and CIM-compliant log sources, such as Nginx or TeamCity logs. This activity is significant as it can lead to full control over the TeamCity server, including all projects, builds, agents, and artifacts. If confirmed malicious, attackers could gain unauthorized administrative access, leading to severe security breaches.
Detection Query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE (
(Web.url="*?jsp=*"
AND
Web.url="*;.jsp*") Web.status=200 Web.http_method=POST
)
OR (Web.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") Web.status=200 Web.http_method=POST )
BY Web.src, Web.dest, Web.http_user_agent,
Web.url, Web.status, Web.http_method,
sourcetype, source
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`Author
Michael Haag, Splunk
Data Sources
Suricata
References
- https://github.com/projectdiscovery/nuclei-templates/pull/9279/files
- https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
- https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/
- https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/
- https://github.com/yoryio/CVE-2024-27198/blob/main/CVE-2024-27198.py
Raw Content
name: JetBrains TeamCity Authentication Bypass CVE-2024-27198
id: fbcc04c7-8a79-453c-b3a9-c232c423bdd4
version: 9
creation_date: '2024-03-06'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic identifies attempts to exploit the JetBrains TeamCity Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints, which are indicative of attempts to create new administrator users or generate admin access tokens without authentication. This detection leverages the Web datamodel and CIM-compliant log sources, such as Nginx or TeamCity logs. This activity is significant as it can lead to full control over the TeamCity server, including all projects, builds, agents, and artifacts. If confirmed malicious, attackers could gain unauthorized administrative access, leading to severe security breaches.
data_source:
- Suricata
search: |-
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE (
(Web.url="*?jsp=*"
AND
Web.url="*;.jsp*") Web.status=200 Web.http_method=POST
)
OR (Web.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") Web.status=200 Web.http_method=POST )
BY Web.src, Web.dest, Web.http_user_agent,
Web.url, Web.status, Web.http_method,
sourcetype, source
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`
how_to_implement: The detection relies on the Web datamodel and a CIM compliant log source, that may include Nginx, TeamCity logs, or other web server logs.
known_false_positives: False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources.
references:
- https://github.com/projectdiscovery/nuclei-templates/pull/9279/files
- https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
- https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/
- https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/
- https://github.com/yoryio/CVE-2024-27198/blob/main/CVE-2024-27198.py
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt against $dest$ from $src$.
entity:
field: dest
type: system
score: 50
threat_objects:
- field: src
type: ip_address
analytic_story:
- JetBrains TeamCity Vulnerabilities
asset_type: Web Server
cve:
- CVE-2024-27198
mitre_attack_id:
- T1190
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: web
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27198.log
sourcetype: suricata
source: not_applicable
test_type: unit