Sneed-Reactivity/yara-Neo23x0/expl_teamcity_2023_42793.yar

35 lines
1.3 KiB
Text
Raw Permalink Normal View History

rule LOG_EXPL_SUSP_TeamCity_CVE_2023_42793_Oct23_1 {
meta:
description = "Detects log entries that could indicate a successful exploitation of CVE-2023-42793 on TeamCity servers"
author = "Florian Roth"
reference = "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"
date = "2023-10-02"
score = 70
id = "81c04863-72aa-5515-889e-3ef718360cac"
strings:
$sa1 = "File edited: "
$sa2 = "\\TeamCity\\config\\internal.properties by user with id="
$sb1 = "s.buildServer.ACTIVITIES.AUDIT - server_file_change: File "
$sb2 = "\\TeamCity\\config\\internal.properties was modified by \"user with id"
condition:
all of ($sa*) or all of ($sb*)
}
rule LOG_EXPL_SUSP_TeamCity_Oct23_1 {
meta:
description = "Detects log entries that could indicate a successful exploitation of TeamCity servers"
author = "Florian Roth"
reference = "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"
date = "2023-10-02"
score = 70
id = "4845b40a-cf77-53ae-b2fa-d1ed861153f2"
strings:
$a1 = "tbrains.buildServer.ACTIVITIES"
$s1 = "External process is launched by user user with id"
$s2 = ". Command line: cmd.exe \"/c whoami"
condition:
all of them
}