Yara Rule - Detects log entries that could indicate a successful exploitation of TeamCity servers

Yara definition.

Author: Florian Roth

Reference: https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis

```yara
// Rule names and the two condition lines are not on the page; they are assumed from the string names.
rule TeamCity_Exploitation_Log_InternalProperties_Edit {
    meta:
        date = "2023-10-02"
        score = 70
    strings:
        $sa1 = "File edited: "
        $sa2 = "\\TeamCity\\config\\internal.properties by user with id="
        $sb1 = "s.buildServer.ACTIVITIES.AUDIT - server_file_change: File "
        $sb2 = "\\TeamCity\\config\\internal.properties was modified by \"user with id"
    condition:
        all of ($sa*) or all of ($sb*)
}
rule TeamCity_Exploitation_Log_External_Process_Launch {
    meta:
        date = "2023-10-02"
        score = 70
    strings:
        $a1 = "tbrains.buildServer.ACTIVITIES"
        $s1 = "External process is launched by user user with id"
        $s2 = ". Command line: cmd.exe \"/c whoami"
    condition:
        all of them
}
```

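The same detection logic run over sample log lines, as an added example that is not part of the original page or of the signature-base repository: it applies the rule strings above line by line (stricter than Yara's file-wide match) and pulls out the user id and command line for triage. The `Finding` type, `scan_log` function and the constructed `SAMPLE_LOG` entries are assumptions of this example, not real TeamCity output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# String sets copied from the Yara rules above; each inner list must match in
# full (both $sa strings OR both $sb strings; all of $a1/$s1/$s2).
CONFIG_EDIT_SETS = [
    ["File edited: ", "\\TeamCity\\config\\internal.properties by user with id="],
    ["s.buildServer.ACTIVITIES.AUDIT - server_file_change: File ",
     "\\TeamCity\\config\\internal.properties was modified by \"user with id"],
]
PROCESS_LAUNCH_SET = [
    "tbrains.buildServer.ACTIVITIES",
    "External process is launched by user user with id",
    ". Command line: cmd.exe \"/c whoami",
]
USER_ID_RE = re.compile(r"user with id=?\s*(\d+)")
CMDLINE_RE = re.compile(r"Command line: (.*)$")

@dataclass
class Finding:
    line_no: int
    kind: str               # "config_edit" or "process_launch"
    user_id: Optional[str]  # TeamCity user id named in the line, if any
    detail: str             # command line, or what was changed

def scan_log(text: str) -> List[Finding]:
    # Per-line matching is stricter than Yara's file-wide condition: every
    # string of a set has to occur in the same log entry.
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if any(all(s in line for s in group) for group in CONFIG_EDIT_SETS):
            kind, detail = "config_edit", "internal.properties modified"
        elif all(s in line for s in PROCESS_LAUNCH_SET):
            cmd = CMDLINE_RE.search(line)
            kind, detail = "process_launch", cmd.group(1) if cmd else ""
        else:
            continue
        uid = USER_ID_RE.search(line)
        findings.append(Finding(n, kind, uid.group(1) if uid else None, detail))
    return findings

# Constructed sample entries shaped like teamcity-server.log lines (not real
# output). The last one is NOT flagged: $s2 is specific to "whoami".
SAMPLE_LOG = """\
[2023-10-02 10:16:30,777] INFO - jetbrains.buildServer.SERVER - File edited: C:\\TeamCity\\config\\internal.properties by user with id=1
[2023-10-02 10:17:42,004] INFO - jetbrains.buildServer.ACTIVITIES.AUDIT - server_file_change: File C:\\TeamCity\\config\\internal.properties was modified by "user with id=1"
[2023-10-02 10:18:03,550] INFO - jetbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c whoami"
[2023-10-02 10:18:09,001] INFO - jetbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c dir"
"""
```

Calling `scan_log(SAMPLE_LOG)` returns three findings (two config edits and the whoami launch, all by user id 1); the final `cmd.exe "/c dir"` entry is missed because the rule only keys on the whoami string, so a broader alert on any "External process is launched" entry is worth considering alongside this rule.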

[https://github.com/Neo23x0/signature-base/commit/c1df66c6b682100bf0b518422a3f81a23e53b8f6](https://github.com/Neo23x0/signature-base/commit/c1df66c6b682100bf0b518422a3f81a23e53b8f6)