
sensepost / Notruler

Licence: cc0-1.0
The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange.

Introduction

NotRuler is the opposite of Ruler. The tool aims to make life a little easier for Exchange Admins by allowing for the detection of both client-side rules and VBScript-enabled forms. At a minimum this should allow for the detection of all attacks created through Ruler.

NotRuler allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol.

What does it do?

NotRuler can query one or more Exchange mailboxes and detect client-side Outlook rules and VBScript-enabled forms.

  • Allows Exchange Admins to check for compromise
  • Check your own account for compromise
  • Extract the stager address from malicious rules
  • Extract the VBScript used in forms
  • Check for a custom 'homepage' and extract its URL

Getting Started

Compiled binaries for Linux, OSX and Windows are available; find these in Releases. Information about setting up Ruler from source is found in the [getting-started guide].

Usage

NotRuler has the following modes of operation:

  • Rules -- check for client-side rules
  • Forms -- check for VBScript-enabled forms
  • Homepage -- check for a custom homepage

Rules

The current version of NotRuler can check either a single mailbox or multiple mailboxes. These are supplied in the program arguments.

To check multiple mailboxes, create a file with one account per line:

[email protected]
[email protected]
[email protected]
[email protected]

Using the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:

./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list rules

You can also check your own account by using --self:

./notruler --username [email protected] --mailbox [email protected] --self rules

Sample output:

[+] Checking [[email protected]]
[+] Found 5 rules
[WARNING] Found client-side rule: [01000000d97851c4:pewpew3] Application: [\\myhost.somewhere.darkside.com\dav\morebad.bat]
[WARNING] Found client-side rule: [01000000d97851b9:pewpew] Application: [\\myhost.somewhere.darkside.com\dav\bad.bat]
[+] Checking [[email protected]]
[+] No Rules Found
[+] Checking [[email protected]]
[+] No Rules Found
[+] Checking [[email protected]]
[+] No Rules Found

Forms

As with Rules, you need either a list of mailboxes or a single mailbox to check. Simply swap "rules" for "forms":

Using the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:

./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list forms

You can also check your own account by using --self:

./notruler --username [email protected] --mailbox [email protected] --self forms

Sample output:

[+] Checking [[email protected]]
[WARNING] Found form with VBScript! [IPM.Note.badform]
    Function P()
CreateObject("Wscript.Shell").Run "powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAFkAUwB0AEUAbQAuAE4AZQBUAC4AUwBFAHIAdgBJAGMAZQBQAG8ASQBOAFQATQBBAG4AYQBHAEUAcgBdADoAOgBFAHgAcABlAGMAVAAxADAAMABDAG8ATgB0AGkATgBVAEUAIA=="

[+] Checking [[email protected]]
[+] Checking [[email protected]]
[+] Checking [[email protected]]

Homepage

Again, you need either a list of mailboxes or a single mailbox to check.

Using the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:

./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list homepage

You can also check your own account by using --self:

./notruler --username [email protected] --mailbox [email protected] --self homepage

Sample output:

[+] Checking [[email protected]]
[WARNING] Found endpoint: http://attack.attackpew.com/rce.html
[+] Webview is set as ENABLED
[+] Checking [[email protected]]
[+] Checking [[email protected]]
[+] Checking [[email protected]]
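The three sample outputs above are plain text, which is awkward to feed into a SIEM or a ticketing queue. As an added example (not part of NotRuler itself), the Go program below parses that output format, attributes every WARNING to the mailbox named by the preceding "[+] Checking" line, and emits structured findings; the combined sample run and the mailbox names in it are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one NotRuler WARNING tied to the mailbox under check; Target holds the rule's UNC path or the homepage URL.
type Finding struct{ Mailbox, Kind, Name, Target string }

var (
	reCheck = regexp.MustCompile(`^\[\+\] Checking \[(.+)\]$`)
	reRule  = regexp.MustCompile(`^\[WARNING\] Found client-side rule: \[([^\]]+)\] Application: \[([^\]]+)\]$`)
	reForm  = regexp.MustCompile(`^\[WARNING\] Found form with VBScript! \[([^\]]+)\]$`)
	reHome  = regexp.MustCompile(`^\[WARNING\] Found endpoint: (\S+)$`)
)

// ParseNotRuler walks the output line by line, remembering the mailbox named by
// the most recent "[+] Checking" line so every warning is tied to that mailbox.
func ParseNotRuler(output string) []Finding {
	var out []Finding
	mailbox := ""
	for _, raw := range strings.Split(output, "\n") {
		line := strings.TrimSpace(raw)
		if m := reCheck.FindStringSubmatch(line); m != nil {
			mailbox = m[1]
		} else if m := reRule.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{mailbox, "rule", m[1], m[2]})
		} else if m := reForm.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{mailbox, "form", m[1], ""})
		} else if m := reHome.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{mailbox, "homepage", "", m[1]})
		}
	}
	return out
}

// sampleOutput is constructed from the README's sample runs; mailboxes are placeholders.
const sampleOutput = `[+] Checking [alice@example.test]
[WARNING] Found client-side rule: [01000000d97851c4:pewpew3] Application: [\\myhost.somewhere.darkside.com\dav\morebad.bat]
[+] Checking [bob@example.test]
[WARNING] Found form with VBScript! [IPM.Note.badform]
[+] Checking [carol@example.test]
[WARNING] Found endpoint: http://attack.attackpew.com/rce.html`

func main() {
	for _, f := range ParseNotRuler(sampleOutput) {
		fmt.Printf("%-18s %-8s %-26s %s\n", f.Mailbox, f.Kind, f.Name, f.Target)
	}
}
```

The VBScript body that NotRuler prints under a form warning is left on the following lines and is not captured here; the Target of rule and homepage findings is what you would hand to a blocklist or hunt for in proxy and SMB logs.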

IOCs

I've added a list of IOCs here: iocs.md

Feel free to submit Issues/PRs with further IOCs!

License

License: CC BY-NC-SA 4.0

NotRuler is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0/). Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.