S0358 Ruler
Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.[1][2]
Item | Value |
---|---|
ID | S0358 |
Associated Names | |
Type | TOOL |
Version | 1.1 |
Created | 04 February 2019 |
Last Modified | 22 June 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.003 | Email Account | Ruler can be used to enumerate Exchange users and dump the GAL.[1] |
enterprise | T1137 | Office Application Startup | - |
enterprise | T1137.003 | Outlook Forms | Ruler can be used to automate the abuse of Outlook Forms to establish persistence.[1] |
enterprise | T1137.004 | Outlook Home Page | Ruler can be used to automate the abuse of Outlook Home Pages to establish persistence.[1] |
enterprise | T1137.005 | Outlook Rules | Ruler can be used to automate the abuse of Outlook Rules to establish persistence.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0064 | APT33 | [3][4] |
References
1. SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.
2. SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.
3. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
4. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.