35 lines
1.3 KiB
Text
35 lines
1.3 KiB
Text
|
|
||
|
rule LOG_EXPL_SUSP_TeamCity_CVE_2023_42793_Oct23_1 {
|
||
|
meta:
|
||
|
description = "Detects log entries that could indicate a successful exploitation of CVE-2023-42793 on TeamCity servers"
|
||
|
author = "Florian Roth"
|
||
|
reference = "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"
|
||
|
date = "2023-10-02"
|
||
|
score = 70
|
||
|
id = "81c04863-72aa-5515-889e-3ef718360cac"
|
||
|
strings:
|
||
|
$sa1 = "File edited: "
|
||
|
$sa2 = "\\TeamCity\\config\\internal.properties by user with id="
|
||
|
|
||
|
$sb1 = "s.buildServer.ACTIVITIES.AUDIT - server_file_change: File "
|
||
|
$sb2 = "\\TeamCity\\config\\internal.properties was modified by \"user with id"
|
||
|
condition:
|
||
|
all of ($sa*) or all of ($sb*)
|
||
|
}
|
||
|
|
||
|
rule LOG_EXPL_SUSP_TeamCity_Oct23_1 {
|
||
|
meta:
|
||
|
description = "Detects log entries that could indicate a successful exploitation of TeamCity servers"
|
||
|
author = "Florian Roth"
|
||
|
reference = "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"
|
||
|
date = "2023-10-02"
|
||
|
score = 70
|
||
|
id = "4845b40a-cf77-53ae-b2fa-d1ed861153f2"
|
||
|
strings:
|
||
|
$a1 = "tbrains.buildServer.ACTIVITIES"
|
||
|
$s1 = "External process is launched by user user with id"
|
||
|
$s2 = ". Command line: cmd.exe \"/c whoami"
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|