The sub-techniques beta is now live! Read the release blog post for more info.


Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.[1][2]

ID: S0358
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 04 February 2019
Last Modified: 22 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1114 Email Collection

Ruler can be used to enumerate Exchange users and dump the GAL.[1]

Enterprise T1137 Office Application Startup

Ruler can be used to automate the abuse of Outlook Rules, Forms, and Home Pages to establish persistence.[1]

Groups That Use This Software

ID Name References
G0064 APT33 [3]