Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38)

Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38)	mitre-tool	Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470)	Attack Pattern	1
Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38)	mitre-tool	Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44)	Attack Pattern	1
Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38)	mitre-tool	Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441)	Attack Pattern	1
Ruler - S0358 (90ac9266-68ce-46f2-b24f-5eb3b2a8ea38)	mitre-tool	Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634)	Attack Pattern	1
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470)	Attack Pattern	2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44)	Attack Pattern	2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441)	Attack Pattern	2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634)	Attack Pattern	2