Full Report
History
In December 2015 Silent Break Security wrote about “Malicious Outlook Rules” and using these to get a remote shell. This was great, we could now use those credentials found through brute-forcing OWA instances or a phishing page. The only issue I had with this was the fact that you needed to set up a local instance of the mailbox, which at times could be time consuming and also felt like overkill.
Analysis Summary
# Tool/Technique: Ruler
## Overview
`ruler` is a custom tool developed by SensePost designed to remotely interact with Microsoft Exchange mailboxes via the MAPI over HTTP (MAPI/HTTP) protocol. Its primary purpose is to automate the creation and deployment of malicious Outlook mail rules to gain a remote shell on target workstations, bypassing the need for a local mailbox instance required by older methods.
## Technical Details
- Type: Tool
- Platform: Windows/Exchange environments interacting over MAPI/HTTP
- Capabilities: Remotely list, create, update, and delete Outlook mail rules; brute-force domain accounts via the Autodiscover service.
- First Seen: Reference to related technique from December 2015; tool developed and published in 2016.
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
  - T1110 - Brute Force
    - T1110.001 - Password Guessing: Network Service
- **TA0008 - Lateral Movement**
  - T1550 - Use Alternate Authentication Material
    - T1550.005 - Impersonation: Exchange Credentials (Implied, as valid credentials are required)
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (If the triggered script is downloaded)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell
  - T1037 - Boot or Logon Autostart Execution (Rule execution upon email arrival triggers payload)
## Functionality
### Core Capabilities
- **Remote Mail Rule Manipulation**: Allows attackers to programmatically create, display, and delete Outlook mail rules on a remote mailbox using MAPI/HTTP requests.
- **Reverse Shell Establishment**: Utilizes created mail rules to execute commands or scripts (e.g., a batch file hosted on a WebDAV server) upon receiving a specific email, resulting in a remote shell.
- **Credential Acquisition (Brute Force)**: Includes a feature to brute-force domain accounts by querying the Autodiscover service, attempting numerous username/password combinations with built-in delays to avoid locking accounts.
### Advanced Features
- **MAPI/HTTP Protocol Implementation**: The tool handles the complexities of constructing and serializing MAPI requests, including dealing with RPC structures, compression, and XOR magic flags within the MAPI/HTTP communication stream over port 443.
- **Opsec Configuration**: Mail rules created by default are configured to permanently delete the triggering email to maintain stealth.
## Indicators of Compromise
- File Hashes: N/A (Tool itself, not malware)
- File Names: `./ruler`
- Registry Keys: N/A
- Network Indicators:
  - Communication over **TCP port 443** utilizing HTTPS encapsulation directed at the Exchange server endpoint.
  - HTTP POST requests containing serialized MAPI structures.
  - Potential network traffic to **WebDAV servers** hosting the payload script (`\\x.x.x.x\webdav\evilscript.bat`).
- Behavioral Indicators:
  - Successful execution of Outlook mail rule logic without opening the Outlook client.
  - Autodiscover service enumerating invalid usernames/passwords when brute-forcing is active.
## Associated Threat Actors
- SensePost (Developer/Publicized Use)
- Unspecified actors using the Malicious Outlook Rules technique described by Silent Break Security (December 2015).
## Detection Methods
- **Signature-based detection**: Signatures for known MAPI/HTTP request structures or known payload delivery mechanisms triggered by mail rules.
- **Behavioral detection**: Monitor for MAPI/HTTP traffic that does not originate from a standard MAPI client (such as Outlook), and monitor the Exchange server for mail rules created or modified by non-standard PowerShell or custom HTTP clients.
- **YARA rules if available**: Not provided.
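A constructed defender-side illustration of the behavioral checks above, added here and not part of the original report or the Ruler project: it scans simplified IIS-style Exchange front-end log lines for MAPI/HTTP POSTs from non-Outlook user agents and for repeated failed Autodiscover logins per source address. The log field order, user-agent strings and addresses are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed, simplified IIS W3C-style lines from an Exchange front end (hypothetical field
# order: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status; IIS writes
# spaces inside the user agent as '+'). Every value below is made up for this example.
SAMPLE_LOG = """\
2016-09-01 10:00:01 POST /mapi/emsmdb/ corp\\alice 10.0.0.5 Microsoft+Office/16.0+(Microsoft+Outlook+16.0) 200
2016-09-01 10:00:02 POST /mapi/emsmdb/ corp\\bob 203.0.113.7 custom-mapi-client/0.1 200
2016-09-01 10:00:03 POST /mapi/emsmdb/ corp\\bob 203.0.113.7 custom-mapi-client/0.1 200
2016-09-01 10:01:00 POST /autodiscover/autodiscover.xml - 203.0.113.7 custom-mapi-client/0.1 401
2016-09-01 10:01:05 POST /autodiscover/autodiscover.xml - 203.0.113.7 custom-mapi-client/0.1 401
2016-09-01 10:01:10 POST /autodiscover/autodiscover.xml - 203.0.113.7 custom-mapi-client/0.1 401
2016-09-01 10:01:15 POST /autodiscover/autodiscover.xml - 203.0.113.7 custom-mapi-client/0.1 401
2016-09-01 10:01:20 POST /autodiscover/autodiscover.xml - 203.0.113.7 custom-mapi-client/0.1 401
2016-09-01 10:02:00 POST /autodiscover/autodiscover.xml corp\\carol 10.0.0.9 Microsoft+Office/16.0+(Microsoft+Outlook+16.0) 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# User agents accepted as legitimate MAPI/HTTP clients (assumption: Outlook/Office only).
KNOWN_MAPI_CLIENT = re.compile(r"Microsoft\+Office|Outlook", re.IGNORECASE)

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            _date, _time, method, uri, user, ip, ua, status = m.groups()
            yield {"method": method, "uri": uri.lower(), "user": user,
                   "ip": ip, "ua": ua, "status": int(status)}

def suspicious_mapi_clients(log):
    """(source IP, user agent) pairs posting to /mapi/ without an Outlook/Office UA."""
    hits = {(e["ip"], e["ua"]) for e in parse(log)
            if e["method"] == "POST" and e["uri"].startswith("/mapi/")
            and not KNOWN_MAPI_CLIENT.search(e["ua"])}
    return sorted(hits)

def autodiscover_guessing(log, threshold=5):
    """Source IPs with at least `threshold` failed (401) Autodiscover logins.

    The count runs over the whole log rather than a short window, because the
    tool spaces its guesses out to stay under account-lockout thresholds.
    """
    fails = Counter(e["ip"] for e in parse(log)
                    if e["uri"].startswith("/autodiscover/") and e["status"] == 401)
    return {ip: n for ip, n in fails.items() if n >= threshold}
```

Both checks are heuristics: an unfamiliar user agent can be a legitimate third-party client, so treat a hit as a lead to correlate with the mailbox's rule changes rather than as a verdict on its own.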
## Mitigation Strategies
- **Disable or restrict MAPI over HTTP**: Difficult in modern Exchange environments, so where it cannot be restricted, monitoring its usage patterns is key.
- **Strong Credential Policies**: Implement robust password policies and multi-factor authentication (MFA) to thwart brute-forcing attempts against OWA/Autodiscover.
- **Throttling/Lockout Policies**: Ensure account lockout policies cover Autodiscover authentication attempts, bearing in mind that the tool spaces its attempts out with delays to stay under lockout thresholds.
- **Restrict Incoming Email Triggers**: Limit the use of complex rule actions that allow arbitrary external execution upon receipt of an email.
## Related Tools/Techniques
- Malicious Outlook Rules (The underlying technique publicized by Silent Break Security, 2015).
- Tools that leverage Outlook Anywhere or MAPI/HTTP to remotely manage Exchange features.