Detect JetBrains TeamCity Relative Path Traversal (CVE-2024-27199) in Microsoft Sentinel
Detects exploitation of CVE-2024-27199, a relative path traversal vulnerability in JetBrains TeamCity on-premises. Unauthenticated attackers can traverse directory paths in the TeamCity web server to access restricted endpoints and files outside the intended web root, potentially leading to information disclosure or authentication bypass chained with CVE-2024-27198.
MITRE ATT&CK
KQL Detection Query
union isfuzzy=true
(
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where requestUri_s matches regex @"(?i)/res/[^?]*(?:%2e%2e|\.\.)[^?]*/(?:admin|config|WEB-INF)"
| project TimeGenerated, requestUri_s, clientIP_s, httpStatus_d, host_s, userAgent_s
),
(
W3CIISLog
| where csUriStem matches regex @"(?i)(?:/res/|/update/|/icons/)(?:[^/]*(?:%2e%2e|\.\.)[^/]*/)+"
| project TimeGenerated, csUriStem, cIP, scStatus, csHost, csUserAgent
),
(
CommonSecurityLog
| where DeviceVendor in ("F5", "Palo Alto Networks", "Fortinet", "Cisco")
| where RequestURL matches regex @"(?i)(?:/res/|/update/).*(?:%2e%2e|%252e%252e|\.\.).*(?:/admin|/config|WEB-INF|server\.xml)"
| project TimeGenerated, RequestURL, SourceIP, EventOutcome, DestinationHostName, RequestClientApplication
)
| where TimeGenerated > ago(24h)
| extend DecodedPath = replace_string(replace_string(coalesce(requestUri_s, csUriStem, RequestURL), "%2e", "."), "%252e", ".")
| where DecodedPath matches regex @"(?i)(?:\.\./){1,}(?:admin|WEB-INF|conf|config|internal)"
| summarize RequestCount=count(), UniqueEndpoints=dcount(coalesce(requestUri_s, csUriStem, RequestURL)) by SourceIP=coalesce(clientIP_s, cIP, SourceIP), bin(TimeGenerated, 5m)
| where RequestCount >= 3
| extend RiskScore = case(RequestCount >= 20, "Critical", RequestCount >= 10, "High", "Medium")
| project TimeGenerated, SourceIP, RequestCount, UniqueEndpoints, RiskScoreDetects HTTP requests to JetBrains TeamCity containing path traversal sequences targeting restricted paths. Monitors IIS logs, WAF logs, and Azure Application Gateway logs for encoded and double-encoded dot-dot sequences in TeamCity URL patterns.
Data Sources
Required Tables
False Positives & Tuning
- Security scanners (Qualys, Nessus, Rapid7 InsightVM) performing authenticated web application scans
- Penetration testers performing authorized assessments against TeamCity instances
- Broken link crawlers or SEO tools that may follow malformed URLs
- Misconfigured reverse proxies that rewrite or corrupt path segments before forwarding
Other platforms for CVE-2024-27199
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1TeamCity Path Traversal to WEB-INF via Encoded Dots
Expected signal: HTTP GET request to /res/..%2f..%2f..%2fWEB-INF/web.xml logged in web server access logs with the attacker's IP. Response code 200 if vulnerable, 400/404 if patched or blocked.
- Test 2TeamCity Path Traversal via Double-Encoded Sequences
Expected signal: HTTP request containing %252f in URL path to TeamCity /update/ endpoint visible in web access logs.
- Test 3Automated Traversal Scan Simulation (Multiple Paths)
Expected signal: Five HTTP GET requests from the same source IP to /res/ URL paths containing %2f traversal sequences within a 10-second window, visible in web server access logs.
- Test 4Chain CVE-2024-27199 with Admin Configuration Read
Expected signal: HTTP GET to /icons/ endpoint with traversal sequence targeting conf/database.properties. HTTP 200 response body containing JDBC connection string indicates successful exploitation.
Unlock Pro Content
Get the full detection package for CVE-2024-27199 including response playbook, investigation guide, and atomic red team tests.