Yara Rule - Detects log entries that could indicate a successful exploitation of TeamCity servers - Neo23x0

Yara Rule - Detects log entries that could indicate a successful exploitation of TeamCity servers

Yara definition.

Author: Florian Roth

https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis

```yara
date = "2023-09-28"
modified = "2023-10-01"
score = 70
https://x.com/TH3C0DEX/status/1707503935596925048?s=20
https://x.com/theluemmel/status/1707653715627311360?s=20 (plus private chat)
$xr1 = /GET [a-z\.\/_]{0,40}\/web\/(siteusers|currentuser) - (80|443) .{10,200} (python-requests\/[0-9\.]{3,8}|-) [^ ]{1,160} [^4]0[0-9] /

date = "2023-10-01"
modified = "2023-10-01"
score = 80
$x1 = "encoded_payload = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b'=')"

date = "2023-10-01"
score = 80
$x1 = "{f22d2de0-606b-4d16-98d5-421f3f1ba8bc}" ascii wide
$x2 = "{F22D2DE0-606B-4D16-98D5-421F3F1BA8BC}" ascii wide
$s1 = "Bearer"
$s2 = "hashedprooftoken"
$s3 = "/_api/web/"
$s4 = "X-PROOF_TOKEN"
$s5 = "00000003-0000-0ff1-ce00-000000000000"
$s6 = "IsSiteAdmin"
uint16(0) == 0x5a4d

date = "2023-10-02"
score = 70
$sa1 = "File edited: "
$sa2 = "\\TeamCity\\config\\internal.properties by user with id="
$sb1 = "s.buildServer.ACTIVITIES.AUDIT - server_file_change: File "
$sb2 = "\\TeamCity\\config\\internal.properties was modified by \"user with id"

date = "2023-10-02"
score = 70
$a1 = "tbrains.buildServer.ACTIVITIES"
$s1 = "External process is launched by user user with id"
$s2 = ". Command line: cmd.exe \"/c whoami"
```


[https://github.com/Neo23x0/signature-base/commit/2e756517384a9ad090643897ccfd9450f6688822](https://github.com/Neo23x0/signature-base/commit/2e756517384a9ad090643897ccfd9450f6688822)