Triggers
- The Ruler attack tool has been observed.
Possible Root Causes
- An adversary has used compromised account credentials in conjunction with the Ruler attack tool to enable malicious code or command execution.
- As this is a known attacker tool, there are no non-malicious use cases.
Business Impact
- Use of this tool may allow an adversary to install malware or execute commands on the endpoint running the exchange client associated with this compromised account. Malware or arbitrary command execution may be used for a variety of malicious activities, such as additional credential compromise, data collection and exfiltration, or to further attack progression.
Steps to Verify
- Investigate the compromised account for additional malicious actions and respond according to findings.