Hacktool Ruler
This events that are generated when using the hacktool Ruler by Sensepost
Sigma rule (View on GitHub)
1title: Hacktool Ruler
2id: 24549159-ac1b-479c-8175-d42aea947cae
3status: test
4description: This events that are generated when using the hacktool Ruler by Sensepost
5references:
6 - https://github.com/sensepost/ruler
7 - https://github.com/sensepost/ruler/issues/47
8 - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
9 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
10 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
11author: Florian Roth (Nextron Systems)
12date: 2017-05-31
13modified: 2022-10-09
14tags:
15 - attack.discovery
16 - attack.execution
17 - attack.collection
18 - attack.lateral-movement
19 - attack.t1087
20 - attack.t1114
21 - attack.t1059
22 - attack.t1550.002
23logsource:
24 product: windows
25 service: security
26detection:
27 selection1:
28 EventID: 4776
29 Workstation: 'RULER'
30 selection2:
31 EventID:
32 - 4624
33 - 4625
34 WorkstationName: 'RULER'
35 condition: (1 of selection*)
36falsepositives:
37 - Go utilities that use staaldraad awesome NTLM library
38level: high
References
-
A tool to abuse Exchange services. Contribute to sensepost/ruler development by creating an account on GitHub.
Read More -
I was just checking the logs to look for defenses, and I realized that the hostname is always "RULER," even when I change the user agent, which is also "ruler." From an attacker perspective, this o...
Read More -
-
Describes security event 4776(S, F) The computer attempted to validate the credentials for an account.
Read More -
Related rules
- Turla Group Lateral Movement
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- Exchange PowerShell Snap-Ins Usage