def main()

in cortado/rtas/suspicious_office_descendant_fp.py [0:0]


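def main():
    """Emulate an MS Office process spawning a browser that runs odd children.

    Stages a copy of ``cmd.exe`` as ``firefox.exe`` and, in turn, as
    ``winword.exe`` / ``excel.exe``, then runs each entry of
    ``suspicious_apps`` through a nested ``cmd /c`` chain so the resulting
    process tree is office-named -> browser-named -> command.  Every staged
    binary is removed again in a ``finally`` block, so a failing or hanging
    ``execute_command`` call no longer leaves renamed ``cmd.exe`` copies on
    the host.  The ``_fp`` suffix of the module name suggests this is the
    false-positive variant of the emulation — confirm against the sibling
    RTA.  Takes no arguments and returns nothing.
    """
    log.info("MS Office unusual child process emulation")
    suspicious_apps = [
        "msiexec.exe /i blah /quiet",
        "powershell.exe exit",
        "wscript.exe //b",
    ]
    cmd_path = "c:\\windows\\system32\\cmd.exe"
    browser_path = Path("firefox.exe").resolve()
    _common.copy_file(cmd_path, browser_path)

    try:
        for office_app in ["winword.exe", "excel.exe"]:
            # Lazy %-args: the logger formats only if the level is enabled.
            log.info("Emulating %s", office_app)
            office_path = Path(office_app).resolve()
            _common.copy_file(cmd_path, office_path)

            try:
                for command in suspicious_apps:
                    # Both office_path and browser_path are cmd.exe copies, so
                    # "<office> /c <browser> /c <command>" yields the intended
                    # three-level process tree.  The timeout bounds each run.
                    _common.execute_command(
                        ["%s /c %s /c %s" % (office_path, browser_path, command)],
                        timeout_secs=5,
                        shell=True,
                    )
            finally:
                # Remove the office-named copy even if a command run raised.
                log.info("Cleanup %s", office_path)
                _common.remove_file(office_path)
    finally:
        # Give any still-running children time to exit before deleting the
        # browser-named binary they were started from.
        log.info("Sleep 5 to allow processes to finish")
        time.sleep(5)
        log.info("Cleanup %s", browser_path)
        _common.remove_file(browser_path)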