Full Report
Ruler at Troopers17

We are taking Ruler and the abuse of Exchange on a road trip to Germany in March. Troopers have accepted our talk, “Ruler – Pivoting through Exchange” and we are looking forward to sharing the exciting extras that we’ve been building into Ruler, along with some secrets for using Exchange in your recon, exploitation and post-exploitation phases.

https://www.troopers.de/events/troopers17/779_ruler_-_pivoting_through_exchange/

Passing the Hash

A while back I was asked (I think by @singe, but there were others as well) if it was possible to do Pass the Hash (PtH) with Ruler.
Analysis Summary
# Tool/Technique: Ruler (with Pass the Hash capability)
## Overview
Ruler is a tool primarily designed to abuse Microsoft Exchange service functionality for reconnaissance, exploitation, and post-exploitation activities. The article specifically highlights the addition of a "Pass the Hash" (PtH) capability to Ruler, allowing users to authenticate to services using stolen NTLM hashes instead of plaintext passwords.
## Technical Details
- Type: Tool (Security/Exploitation Framework component)
- Platform: Primarily targets Microsoft Exchange environments; relies on underlying network protocols (NTLM).
- Capabilities: Abuse of Exchange functions, NTLM Pass the Hash authentication, reconnaissance, exploitation, and post-exploitation pivoting.
- First Seen: The integration of the PtH feature was implemented around the time of this article (published January 17, 2017).
## MITRE ATT&CK Mapping
The functionality described aligns with several key stages of an attack lifecycle:
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (Relevant if hashes are sourced from tools like Mimikatz, though Ruler’s direct use is authentication).
- **TA0007 - Discovery**
  - T1580 - Abuse Cloud Information (Implied by recon via Exchange if access is gained).
- **TA0008 - Lateral Movement**
  - T1021.001 - Remote Services: Remote Desktop Protocol (Contextually related to network pivoting).
- **TA0011 - Command and Control**
  - T1573.002 - Encrypted Channel: Asymmetric Cryptography (NTLM involves cryptographic negotiation).
- **TA0012 - Lateral Movement (Specific to Hash Use)**
  - T1110.003 - Password Guessing: Brute Force (Implicitly, PtH bypasses the need for this).
*Note: The article focuses heavily on authentication using hashes, which supports Lateral Movement and Privilege Escalation.*
## Functionality
### Core Capabilities
- **Exchange Abuse:** Using legitimate Exchange protocols for actions during recon, exploitation, and post-exploitation phases.
- **Pass the Hash (PtH):** Ability to use a provided NTLM hash (NT hash supported; LM hash not supported) to forge an NTLM Authenticate message and gain authorized access.
- **NTLM Negotiation Handling:** Logic to construct the NTLM response key components correctly for both NTLMv1 and NTLMv2 authentication flows, substituting the supplied credential hash for the hash that would otherwise be derived from the password.
### Advanced Features
- **Exchange Admin Abuse:** When provided with credentials (or hashes) belonging to an Exchange administrator account (e.g., Domain Admin), Ruler can leverage the `--admin` flag to attack *any* mailbox within the organization.
- **Malicious Rule Creation:** Exploiting mailbox access to create "mail-icious rules" in user Outlook profiles for persistent access or code execution (e.g., targeting a CEO's mailbox).
- **HTTP-NTLM Support:** Successfully using PtH for connectionless communications relying on HTTP-NTLM authentication.
## Indicators of Compromise
Since Ruler is an offensive tool executing specific protocols, indicators are primarily behavioral and dependent on the execution flow:
- File Hashes: N/A (Tool execution hash depends on the compiled binary).
- File Names: N/A (the PtH capability is invoked through the command line argument `--hash`, not through a distinctive file).
- Registry Keys: N/A
- Network Indicators: Traffic attempting NTLM Negotiation and Challenge/Response sequences against Microsoft Exchange servers (often port 443 or 135 for internal pivoting).
- Behavioral Indicators:
  - Execution of the Ruler tool binary.
  - Use of the `--hash` global flag alongside NTLM authentication requests directed at Exchange endpoints.
  - Creation of anomalous Outlook rules targeting user mailboxes.
## Associated Threat Actors
The tool is developed and publicized by SensePost and is typically used by penetration testers and security researchers. No specific threat actor group is explicitly associated with this version in the text, but offensive tools like this are commonly adopted by various advanced persistent threat (APT) groups once they are publicly available and proven effective.
## Detection Methods
- Signature-based detection: Signatures for the Ruler binary (if available).
- Behavioral detection: Monitoring for suspicious NTLM authentication attempts using stolen hashes, especially targeting Exchange services from unusual hosts. Monitoring the creation or modification of mailbox rules via Exchange Web Services (EWS) or MAPI interfaces.
- YARA rules: Not specified.
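A small detector for the behavioral indicators listed above, added here as an example and not taken from the article or the Ruler project; the event fields, host names and address ranges are constructed assumptions standing in for real network-logon events (authentication package, source address) and mailbox-audit rule changes:

```python
# Added example, not part of the original article or the Ruler project.
# Event schema, hosts, users and addresses below are constructed assumptions.

# Constructed sample events (not real logs): network logons seen at an
# Exchange host, plus inbox rule changes recorded by mailbox auditing.
SAMPLE_EVENTS = [
    {"kind": "logon", "host": "EXCH01", "user": "ceo", "auth": "Kerberos", "src": "10.1.5.20"},
    {"kind": "logon", "host": "EXCH01", "user": "ceo", "auth": "NTLM", "src": "10.1.5.20"},
    {"kind": "logon", "host": "EXCH01", "user": "exadmin", "auth": "NTLM", "src": "10.9.9.77"},
    {"kind": "rule_change", "host": "EXCH01", "mailbox": "ceo", "actor": "exadmin", "src": "10.9.9.77"},
    {"kind": "rule_change", "host": "EXCH01", "mailbox": "alice", "actor": "alice", "src": "10.1.5.30"},
    {"kind": "logon", "host": "FILE01", "user": "bob", "auth": "NTLM", "src": "10.9.9.78"},
]

EXCHANGE_HOSTS = {"EXCH01"}          # assumed: hosts serving the mailbox endpoints
KNOWN_CLIENT_PREFIXES = ("10.1.",)   # assumed: ranges where Outlook users normally sit


def is_unusual(src):
    """True when the source address is outside the known client ranges."""
    return not src.startswith(KNOWN_CLIENT_PREFIXES)


def detect(events):
    """Return findings as (severity, rule_name, event) tuples, in event order.

    Flags NTLM logons to Exchange from unusual sources, inbox rule changes made
    by someone other than the mailbox owner (the --admin pattern described
    above), rule changes from unusual sources, and escalates when a rule change
    comes from a source that already produced a suspicious NTLM logon.
    """
    findings = []
    ntlm_sources = set()
    for ev in events:
        if ev["host"] not in EXCHANGE_HOSTS:
            continue
        if ev["kind"] == "logon" and ev["auth"] == "NTLM" and is_unusual(ev["src"]):
            ntlm_sources.add(ev["src"])
            findings.append(("medium", "ntlm-logon-unusual-source", ev))
        elif ev["kind"] == "rule_change":
            if ev["actor"] != ev["mailbox"]:
                findings.append(("high", "rule-change-by-non-owner", ev))
            elif is_unusual(ev["src"]):
                findings.append(("medium", "rule-change-unusual-source", ev))
            if ev["src"] in ntlm_sources:
                findings.append(("high", "ntlm-then-rule-change", ev))
    return findings


if __name__ == "__main__":
    for sev, rule, ev in detect(SAMPLE_EVENTS):
        print(f"{sev:6} {rule:28} {ev}")
```

On the constructed sample the Kerberos logon, the NTLM logon from a known client range, the owner's own rule edit and the non-Exchange host produce nothing, while the admin-style access from 10.9.9.77 yields three findings.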
## Mitigation Strategies
- **Restrict NTLM Usage:** Minimize or disable NTLM authentication wherever possible in favor of Kerberos.
- **Enforce NTLMv2:** Ensure clients and servers are configured to exclusively use NTLMv2 (though the article implies some reliance on NTLMv1 compatibility).
- **Implement Strong Session Security:** Enforce message signing requirements (`NTLMSSP_NEGOTIATE_SIGN`) to mitigate downgrade attacks.
- **Least Privilege:** Ensure Exchange administrator accounts are highly restricted, minimizing the impact if their credentials/hashes are compromised.
- **Monitor Exchange Configuration Changes:** Audit and alert on programmatic changes to mailbox configurations, especially the creation of forwarding or rule-based actions.
## Related Tools/Techniques
- **Mimikatz:** Mentioned as a tool commonly used to obtain the NTLM hashes needed for Ruler's PtH functionality.
- **Pass the Hash (PtH):** The core technique being leveraged.
- **Exchange Web Services (EWS) Abuse:** Ruler’s overarching methodology for exploitation.