Detect JetBrains TeamCity Relative Path Traversal (CVE-2024-27199) in IBM QRadar
Detects exploitation of CVE-2024-27199, a relative path traversal vulnerability in JetBrains TeamCity on-premises. Unauthenticated attackers can traverse directory paths in the TeamCity web server to access restricted endpoints and files outside the intended web root, potentially leading to information disclosure or authentication bypass chained with CVE-2024-27198.
MITRE ATT&CK
QRadar Detection Query
SELECT
sourceip,
destinationip,
URL,
"HTTP Response Code" AS http_status,
"User Agent" AS user_agent,
COUNT(*) AS request_count,
MIN(starttime) AS first_seen,
MAX(starttime) AS last_seen
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('IBM Security Network IPS (GV)', 'Apache HTTP Server', 'Microsoft IIS', 'Nginx')
AND (
LOWER(URL) MATCHES '.*(?:/res/|/update/|/icons/).*(?:%2e%2e|%252e%252e|\\.\\./).*'
OR LOWER(URL) MATCHES '.*(web-inf|server\\.xml|web\\.xml|/admin/|/config/).*'
)
AND (
LOWER(URL) MATCHES '.*(%2e%2e|%252e).*'
OR LOWER(URL) MATCHES '.*(\\.\\./){1,}.*'
)
AND LOGSOURCENAME(logsourceid) ILIKE '%teamcity%'
AND starttime > NOW() - 86400000
GROUP BY sourceip, destinationip, URL, http_status, user_agent
HAVING COUNT(*) >= 3
ORDER BY request_count DESC
LAST 24 HOURSQRadar AQL query identifying path traversal patterns in HTTP logs from TeamCity servers. Groups by source IP and URL to surface repeated exploitation attempts and unusual response codes indicating successful traversal.
Data Sources
Required Tables
False Positives & Tuning
- Network vulnerability scanners (Qualys, Rapid7) performing scheduled web scans
- Penetration testing engagements with scoped coverage of TeamCity web interface
- Misconfigured upstream HTTP proxies that alter URL encoding before logging
- Custom TeamCity plugins that construct API URLs with relative path components
Other platforms for CVE-2024-27199
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1TeamCity Path Traversal to WEB-INF via Encoded Dots
Expected signal: HTTP GET request to /res/..%2f..%2f..%2fWEB-INF/web.xml logged in web server access logs with the attacker's IP. Response code 200 if vulnerable, 400/404 if patched or blocked.
- Test 2TeamCity Path Traversal via Double-Encoded Sequences
Expected signal: HTTP request containing %252f in URL path to TeamCity /update/ endpoint visible in web access logs.
- Test 3Automated Traversal Scan Simulation (Multiple Paths)
Expected signal: Five HTTP GET requests from the same source IP to /res/ URL paths containing %2f traversal sequences within a 10-second window, visible in web server access logs.
- Test 4Chain CVE-2024-27199 with Admin Configuration Read
Expected signal: HTTP GET to /icons/ endpoint with traversal sequence targeting conf/database.properties. HTTP 200 response body containing JDBC connection string indicates successful exploitation.
Unlock Pro Content
Get the full detection package for CVE-2024-27199 including response playbook, investigation guide, and atomic red team tests.