Hacktool Ruler

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

This events that are generated when using the hacktool Ruler by Sensepost

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059` Command and Scripting Interpreter
Defense Evasion	`T1550.002` Use Alternate Authentication Material: Pass the Hash
Discovery	`T1087` Account Discovery
Lateral Movement	`T1550.002` Use Alternate Authentication Material: Pass the Hash
Collection	`T1114` Email Collection

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4625	An account failed to log on.
Security-Auditing	4776	The domain controller attempted to validate the credentials for an account.

Stages and Predicates

Stage 1: `1 of selection1`

Workstation: RULER

Stage 2: `1 of selection2`

WorkstationName: RULER

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Workstation`	eq	`RULER`
`WorkstationName`	eq	`RULER`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Suspicious Service was Installed in the System [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Metasploit SMB Authentication [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Metasploit SMB Authentication [sigma]
Account Tampering - Suspicious Failed Logon Reasons [sigma]
Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Windows Identify PowerShell Web Access IIS Pool [splunk]
Windows Local Administrator Credential Stuffing [splunk]