Skip to content

Hide Navigation Hide TOC

Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38)

Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)

Cluster A Galaxy A Cluster B Galaxy B Level
Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470) Attack Pattern Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38) mitre-tool 1
Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) Attack Pattern Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38) mitre-tool 1
Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) Attack Pattern Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38) mitre-tool 1
Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) Attack Pattern Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38) mitre-tool 1
Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) Attack Pattern Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 2
Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) Attack Pattern Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 2
Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) Attack Pattern Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 2