TeamCity API Token
Service Name: TeamCity
Service Description: TeamCity is a continuous integration and deployment server developed by JetBrains. It provides a powerful and user-friendly CI/CD solution that supports various build configurations, version control systems, and automated testing frameworks.
Service Address: https://www.jetbrains.com/teamcity/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the server level through TeamCity's built-in access management settings.
Secret Access Scope: Grants programmatic access to TeamCity REST API, allowing automation of build configurations, project management, and retrieval of build results.
Secret Revokement URL: https://teamcity-instance-url/profile.html?item=accessTokens (replace teamcity-instance-url with your actual TeamCity server URL)
Secret Example: eyJ0eXAiOiAiVENWMiJ9.ZGZzZGZzZGZzZGZzZGZzZGY.ZmRmc2Rmc2Rmc2Rmc2Rmc2Rm
Suspicious Activity Investigation Instructions:
- Review TeamCity audit logs for unusual API calls or access patterns
- Check for unauthorized build configurations or modifications to existing builds
- Monitor for unexpected project creation or deletion activities
- Examine build agent usage for unauthorized or unusual build executions
- Review user access logs for suspicious login attempts using the token
Mitigation Instructions:
- Log in to your TeamCity server as an administrator
- Navigate to your user profile by clicking on your username in the top-right corner
- Select "Access Tokens" from the menu
- Find the compromised token in the list and click "Revoke"
- Generate a new token with appropriate permissions if needed
- Consider implementing more restrictive token permissions using TeamCity's role-based access control
- Update any legitimate applications or scripts that were using the revoked token
- Review TeamCity server security settings and consider implementing IP restrictions for API access