Full Report
We’ve spent a lot of time creating Ruler and turning it into, what we think, is a useful attack tool. The goal behind the project was to highlight the command execution potential around weak credentials when combined with Exchange and Microsoft Outlook. That goal has largely been met, with the ability to now demonstrate that compromising user credentials can be much more than “just” reading email. Microsoft has also been great in their response to the issue, with both client-side rules and forms having been effectively mitigated through patches to Outlook.
Analysis Summary
# Tool/Technique: Ruler (and NotRuler for defense)
## Overview
Ruler is an attack tool that demonstrates the command execution potential of weak credentials when combined with Microsoft Exchange and Outlook, specifically by abusing client-side rules and custom forms. The goal was to show that compromised user credentials can yield persistence mechanisms beyond simply reading email. NotRuler was developed as the defensive counterpart for detecting Ruler usage.
## Technical Details
- Type: Tool (Attack and Defense)
- Platform: Exchange, Microsoft Outlook (Windows client-side)
- Capabilities: Manipulating client-side rules, custom forms, and potentially exploiting synchronization functionality for persistence. NotRuler allows for the interrogation of mailboxes for these modifications.
- First Seen: Not explicitly stated, but the article references development and public release context around October 2017.
## MITRE ATT&CK Mapping
The primary focus of Ruler revolves around persistence and execution via legitimate client features.
- **TA0003 - Persistence**
  - **T1547.001** - Registry Run Keys / Startup Folder (Implicitly, if forms/scripts lead to persistent execution upon logon/mail client start)
  - **T1547.003** - Windows Service (If backdoors establish services, though not explicitly detailed as a Ruler feature, it aligns with persistence goals)
- **TA0005 - Defense Evasion** (Using legitimate client features to hide malicious actions)
- **TA0002 - Execution** (Via client-side rules/forms execution)
*Note: Specific technique numbers for rule/form manipulation exploitation often fall under broader execution or persistence categories, as Microsoft has patched specific client-side rule actions.*
## Functionality
### Core Capabilities (Ruler)
- **Exploiting Weak Credentials:** Leverages compromised Exchange credentials.
- **Client-Side Rule Manipulation:** Creates, reads, or modifies client-side rules within a mailbox.
- **Custom Form Manipulation:** Interacts with custom user forms in mailboxes.
- **Impersonation:** With administrative credentials (`--admin` flag), Ruler can log into any mailbox and impersonate that user.
### Advanced Features (Ruler IOCs/Persistence)
- **Canary Indicators:** Hardcoded strings used to identify Ruler traffic or actions:
  - **User-Agent:** Hardcoded to "**Ruler**".
  - **NTLM Workstation:** Hardcoded to "**Ruler**" during NTLM authentication requests.
- **Persistence Mechanisms:** Backdoors created via rules remain active due to Exchange synchronization, even if hosts are reimaged.
- **File Dropping (Associated Behavior):**
  - WebDav payload delivery associated with "rules" attacks writes to: `%systemdrive%\windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore`.
### Defensive Capabilities (NotRuler)
- **Mailbox Auditing:** Allows administrators to supply a list of mailboxes and interrogate them for Ruler-implanted backdoors (rules, forms, homepages).
- **Form Extraction:** Finds custom forms and extracts embedded VBScript.
- **Rule Parsing:** Parses client-side rule binary blobs and flags application actions.
- **Self-Check:** Allows a user to verify if their own account has been backdoored.
- **Library Reuse:** Uses the same underlying Ruler library, facilitating rapid detection updates.
## Indicators of Compromise (Ruler)
- File Hashes: Not provided in the text.
- File Names: Not explicitly detailed for the initial payload, but related to client items.
- Registry Keys: Not explicitly detailed for the initial payload.
- Network Indicators:
  - User-Agent String: `Ruler`
  - NTLM Workstation Value: `Ruler`
- Behavioral Indicators:
  - Exchange/Domain Controller Events: Look for authentication events 4776 (DC) and 4624 (Exchange) containing the hardcoded NTLM Workstation name "Ruler".
  - Client-Side Form Cache: Data written to `%localappdata%\Microsoft\Forms` containing VBScript copies of the forms.
  - WebDav Artifacts location: `%systemdrive%\windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore`
## Associated Threat Actors
The article does not explicitly link Ruler to a specific named threat actor, but references the tactic's potential application in major breaches (e.g., the Deloitte breach scenario).
## Detection Methods
- **Log Parsing (PowerShell scripts mentioned in the article):** Parsing Exchange and Domain Controller event logs for the hardcoded "Ruler" User-Agent or NTLM Workstation value.
- **Rule/Form Scanning:** Using `NotRuler` to actively scan mailboxes for manipulated client-side rules and embedded VBScript in custom forms.
- **File System Monitoring:** Monitoring the WebDav payload delivery directory (`%systemdrive%\windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore`).
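The log check described above, as an added example that is not code from the Ruler or NotRuler projects: it scans constructed 4624/4776 event records for the hardcoded NTLM workstation name and constructed IIS front-end log lines for the hardcoded User-Agent. The field labels match the standard Windows event message text; the hostnames, accounts, IPs and the assumption that the Exchange IIS logs include `cs(User-Agent)` are constructed for this example.

```python
import re

# Constructed sample Windows Security events (labels follow the standard message text, values are
# made up): 4624 from an Exchange server, 4776 from a domain controller, with and without the canary.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Host": "EXCH01", "Message": "An account was successfully logged on.\n"
     "\tAccount Name:\t\tjdoe\n\tWorkstation Name:\tRuler\n\tSource Network Address:\t10.0.0.25"},
    {"EventID": 4624, "Host": "EXCH01", "Message": "An account was successfully logged on.\n"
     "\tAccount Name:\t\tasmith\n\tWorkstation Name:\tLAPTOP-22\n\tSource Network Address:\t10.0.0.31"},
    {"EventID": 4776, "Host": "DC01", "Message": "The computer attempted to validate the credentials "
     "for an account.\n\tLogon Account:\tjdoe\n\tSource Workstation:\tRuler\n\tError Code:\t0x0"},
    {"EventID": 4776, "Host": "DC01", "Message": "The computer attempted to validate the credentials "
     "for an account.\n\tLogon Account:\tasmith\n\tSource Workstation:\tLAPTOP-22\n\tError Code:\t0x0"},
]
# Constructed W3C-format IIS excerpt from the Exchange front end (assumed to log cs(User-Agent)).
SAMPLE_IIS = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2017-10-12 09:15:02 10.0.0.5 POST /mapi/emsmdb/ - 443 CONTOSO\\jdoe 10.0.0.25 Ruler 200",
    "2017-10-12 09:15:04 10.0.0.5 POST /mapi/emsmdb/ - 443 CONTOSO\\asmith 10.0.0.31 Microsoft+Office/16.0 200",
]
# The message field that carries the NTLM workstation name differs between the two event IDs.
WORKSTATION_FIELD = {4624: r"Workstation Name:\s*(\S+)", 4776: r"Source Workstation:\s*(\S+)"}


def find_ruler_logons(events, canary="Ruler"):
    """Return (event_id, host, account, workstation) for each logon whose workstation equals the canary."""
    hits = []
    for ev in events:
        pattern = WORKSTATION_FIELD.get(ev["EventID"])
        if pattern is None:
            continue  # not one of the authentication events the article points at
        ws = re.search(pattern, ev["Message"])
        if ws and ws.group(1).casefold() == canary.casefold():
            acct = re.search(r"(?:Account Name|Logon Account):\s*(\S+)", ev["Message"])
            hits.append((ev["EventID"], ev["Host"], acct.group(1) if acct else "?", ws.group(1)))
    return hits


def find_ruler_user_agents(iis_lines, canary="Ruler"):
    """Return (username, client_ip) for each IIS request whose User-Agent is exactly the canary."""
    hits, idx = [], {}
    for line in iis_lines:
        if line.startswith("#Fields:"):  # the W3C header defines the column order
            idx = {name: i for i, name in enumerate(line.split()[1:])}
        elif not line.startswith("#") and idx:
            f = line.split()
            if f[idx["cs(User-Agent)"]].casefold() == canary.casefold():
                hits.append((f[idx["cs-username"]], f[idx["c-ip"]]))
    return hits
```

Real 4624 messages list the Subject's account before the New Logon account, so on production exports take the second `Account Name:` occurrence rather than the first as this sample does.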
## Mitigation Strategies
- **Patching:** Microsoft has patched Outlook to mitigate the execution potential of client-side rules and forms.
- **MFA/2FA Adoption:** Heavily encouraged to prevent credential compromise necessary to execute Ruler attacks.
- **Administrator Credential Protection:** Limiting the scope of Exchange/Domain Admin rights, as Ruler requires such privileges for true domain-wide mailbox access via the `--admin` flag.
- **Monitoring:** Implementing the detection methods described above using tools like NotRuler.
## Related Tools/Techniques
- **NotRuler:** The defensive tool created to specifically detect Ruler and similar mailbox backdooring techniques.