Detect JetBrains TeamCity Relative Path Traversal (CVE-2024-27199) in Google Chronicle
Detects exploitation of CVE-2024-27199, a relative path traversal vulnerability in JetBrains TeamCity on-premises. Unauthenticated attackers can traverse directory paths in the TeamCity web server to access restricted endpoints and files outside the intended web root, potentially leading to information disclosure or authentication bypass chained with CVE-2024-27198.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2024_27199_teamcity_path_traversal {
meta:
author = "df00tech"
description = "Detects CVE-2024-27199 JetBrains TeamCity relative path traversal exploitation"
severity = "HIGH"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2024-27199"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.network.http.method = /GET|POST/
$e.network.http.request_url = /(?i)\/(?:res|update|icons|plugins)\//
(
$e.network.http.request_url = /(?i)%2e%2e/ or
$e.network.http.request_url = /(?i)%252e%252e/ or
$e.network.http.request_url = /\.\.\//
)
(
$e.network.http.request_url = /(?i)WEB-INF/ or
$e.network.http.request_url = /(?i)server\.xml/ or
$e.network.http.request_url = /(?i)\/admin\// or
$e.network.http.request_url = /(?i)\/config\//
)
$ip = $e.principal.ip
match:
$ip over 5m
condition:
#e >= 3
}Chronicle YARA-L rule detecting repeated CVE-2024-27199 path traversal attempts against JetBrains TeamCity. Triggers when the same source IP makes 3 or more requests containing traversal patterns to TeamCity-specific URL paths within 5 minutes.
Data Sources
Required Tables
False Positives & Tuning
- Authorized penetration testing with scoped targets including TeamCity web server
- Automated vulnerability assessment platforms running web application checks
- Misconfigured reverse proxies that rewrite or encode URL path segments
- TeamCity health check endpoints that inadvertently match traversal patterns
Other platforms for CVE-2024-27199
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1TeamCity Path Traversal to WEB-INF via Encoded Dots
Expected signal: HTTP GET request to /res/..%2f..%2f..%2fWEB-INF/web.xml logged in web server access logs with the attacker's IP. Response code 200 if vulnerable, 400/404 if patched or blocked.
- Test 2TeamCity Path Traversal via Double-Encoded Sequences
Expected signal: HTTP request containing %252f in URL path to TeamCity /update/ endpoint visible in web access logs.
- Test 3Automated Traversal Scan Simulation (Multiple Paths)
Expected signal: Five HTTP GET requests from the same source IP to /res/ URL paths containing %2f traversal sequences within a 10-second window, visible in web server access logs.
- Test 4Chain CVE-2024-27199 with Admin Configuration Read
Expected signal: HTTP GET to /icons/ endpoint with traversal sequence targeting conf/database.properties. HTTP 200 response body containing JDBC connection string indicates successful exploitation.
Unlock Pro Content
Get the full detection package for CVE-2024-27199 including response playbook, investigation guide, and atomic red team tests.