Microsoft Exchange Service Abuse: Ruler

ID N0WHERE:117482
Type n0where
Reporter N0where
Modified 2017-05-05T04:18:36


Microsoft Exchange Service Abuse

Ruler is a tool that allows you to interact with Exchange servers through the MAPI/HTTP protocol. The main aim is abuse the client-side Outlook mail rules.

_ “ Silentbreak did a great job with this attack and it has served us well. The only downside has been that it takes time to get setup. Cloning a mailbox into a new instance of Outlook can be time consuming. And then there is all the clicking it takes to get a mailrule created. Wouldn’t the command line version of this attack be great? And that is how Ruler was born.” _

What does it do?

Ruler has multiple functions and more are planned. These include

  • Enumerate valid users
  • View currently configured mail rules
  • Create new malicious mail rules
  • Delete mail rules
  • Dump the Global Address List (GAL)
  • VBScript execution through forms

Ruler attempts to be semi-smart when it comes to interacting with Exchange and uses the Autodiscover service (just as your Outlook client would) to discover the relevant information.

Getting the Code

Ruler is written in Go so you’ll need to have Go setup to run/build the project from source. The easiest way to get up and running from source is through go get .

Get it through Go:

go get

You can now run the app through go run in the GOPATH/src/ directory:

go run ruler.go -h

Microsoft Exchange Service Abuse: Ruler Documentation

Interacting with Exchange

Ruler works with both RPC/HTTP and MAPI/HTTP. Ruler favours MAPI/HTTP as this is the default in Exchange 2016 and Office365 deployments. If MAPI/HTTP fails, an attempt will be made to use RPC/HTTP. You can also force RPC/HTTP by supplying the --rpc flag.

As mentioned before there are multiple functions to Ruler. In most cases you’ll want to first find a set of valid credentials. Do this however you wish, Phishing, Wifi+Mana or brute-force.

Ruler has 8 basic commands, these are:

  • display — list all the current rules
  • add — add a rule
  • delete — delete a rule
  • brute — brute force credentials
  • send — send an email to trigger the shell
  • abk — interact with the GAL (MAPI/HTTP only)
  • form — script execution through custom forms
  • help — show the help screen

There are a few global flags that should be used with most commands, while each command has sub-flags. For details on these, use the help command.

   ruler - A tool to abuse Exchange Services

   ruler-linux64 [global options] command [command options] [arguments...]


 _ __ _   _| | ___ _ __
| '__| | | | |/ _ \ '__|
| |  | |_| | |  __/ |
|_|   \__,_|_|\___|_|

A tool by @_staaldraad from @sensepost to abuse Exchange Services.

   Etienne Stalmans <>, @_staaldraad

Microsoft Exchange Service Abuse: Ruler Download