CVE-2024-27199 CrowdStrike LogScale · LogScale

Detect JetBrains TeamCity Relative Path Traversal (CVE-2024-27199) in CrowdStrike LogScale

Detects exploitation of CVE-2024-27199, a relative path traversal vulnerability in JetBrains TeamCity on-premises. Unauthenticated attackers can traverse directory paths in the TeamCity web server to access restricted endpoints and files outside the intended web root, potentially leading to information disclosure or authentication bypass chained with CVE-2024-27198.

MITRE ATT&CK

Tactic
Initial Access Defense Evasion Credential Access

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=NetworkReceiveAccepted OR #event_simpleName=HttpRequest
| LocalPort = 8111 OR LocalPort = 443 OR LocalPort = 80
| HttpPath = /(?i)\/(?:res|update|icons|plugins)\//
| HttpPath = /(?i)(?:%2e%2e|%252e%252e|\.\.\/)/
| HttpPath = /(?i)(?:WEB-INF|web\.xml|server\.xml|\/admin\/|\/config\/)/
| stats count() as request_count by RemoteAddressIP4, HttpPath, bin(timestamp, 5min)
| where request_count >= 3
| sort request_count desc
| rename RemoteAddressIP4 as attacker_ip, HttpPath as traversal_path
high severity medium confidence

CrowdStrike Falcon LogScale query detecting CVE-2024-27199 exploitation via network events on TeamCity default ports. Identifies repeated path traversal requests containing encoded dot-dot sequences targeting sensitive server paths.

Data Sources

CrowdStrike Falcon network telemetryFalcon sensor HTTP events

Required Tables

NetworkReceiveAcceptedHttpRequest

False Positives & Tuning

  • CrowdStrike-protected hosts running authorized vulnerability scans against TeamCity
  • Red team operations with approved scope on TeamCity server endpoints
  • Misconfigured applications making API calls with relative path segments to TeamCity
  • Load balancer health probes that traverse URL paths during endpoint validation

Other platforms for CVE-2024-27199

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1TeamCity Path Traversal to WEB-INF via Encoded Dots

    Expected signal: HTTP GET request to /res/..%2f..%2f..%2fWEB-INF/web.xml logged in web server access logs with the attacker's IP. Response code 200 if vulnerable, 400/404 if patched or blocked.

  2. Test 2TeamCity Path Traversal via Double-Encoded Sequences

    Expected signal: HTTP request containing %252f in URL path to TeamCity /update/ endpoint visible in web access logs.

  3. Test 3Automated Traversal Scan Simulation (Multiple Paths)

    Expected signal: Five HTTP GET requests from the same source IP to /res/ URL paths containing %2f traversal sequences within a 10-second window, visible in web server access logs.

  4. Test 4Chain CVE-2024-27199 with Admin Configuration Read

    Expected signal: HTTP GET to /icons/ endpoint with traversal sequence targeting conf/database.properties. HTTP 200 response body containing JDBC connection string indicates successful exploitation.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-27199 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0005Defense EvasionTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1552.001Credentials In FilesT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections