
in cortado/rtas/exec_persistence_from_iso.py [0:0]


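def main():
    """Mount the bundled ISO, run persistence commands from it, then clean up.

    Uses the ``ExecFromISO`` function from ``bin/ExecFromISOFile.ps1`` (which,
    per its own description, mounts the image, executes a file from it and
    unmounts it again) to launch ``PROC_EXE`` from ``bin/cmd_from_iso.iso``
    with each persistence command line. Two command lines are run so that both
    rules looking for persistence from a mounted ISO are exercised: a
    ``HKCU\\...\\Run`` value and a scheduled task, both named ``FromISO``.
    Both artifacts are removed afterwards.

    Side effects: process execution through ``_common.execute_command``, a
    transient Run-key value and scheduled task on the host, and log output.
    If either resource file is missing, a warning is logged and nothing runs.
    """
    # PowerShell helper that mounts, executes a file from, and unmounts the ISO.
    ps_script = _common.get_resource_path("bin/ExecFromISOFile.ps1")
    iso_file = _common.get_resource_path("bin/cmd_from_iso.iso")

    if not (iso_file.is_file() and ps_script.is_file()):
        # Previously a silent no-op; say why no telemetry will be produced.
        log.warning(f"Skipping: missing resource {iso_file} or {ps_script}")
        return

    log.info(f"ISO File {iso_file} will be mounted and executed via powershell")

    # Single source for the Run key so creation and cleanup cannot drift apart.
    run_key = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    # Each entry is handed to PROC_EXE as its command line; together they
    # trigger the two rules looking for persistence from a mounted ISO file.
    persistence_cmdlines = [
        f"'/c reg.exe add {run_key} /v FromISO /d test.exe /f'",
        "'/c SCHTASKS.exe /Create /TN FromISO /TR test.exe /sc hourly /F'",
    ]
    for cmdline in persistence_cmdlines:
        # ExecFromISO takes -ISOFile (path to the ISO), -procname (file inside
        # the image to execute) and -cmdline (its arguments). The paths are
        # single-quoted so PowerShell takes them literally even when they
        # contain spaces; the cmdline value already carries its own quotes.
        command = (
            f"powershell.exe -ExecutionPol Bypass -c import-module '{ps_script}'; "
            f"ExecFromISO -ISOFile '{iso_file}' -procname {PROC_EXE} -cmdline {cmdline};"
        )
        _ = _common.execute_command(command, shell=True)

    # Cleanup. Both calls go straight to the tool as an argument list, matching
    # the SCHTASKS call, instead of via a cmd.exe hop. The key is passed
    # unquoted: neither cmd.exe nor reg.exe treats single quotes as quoting, so
    # the old '...'-wrapped key was looked up literally and the delete failed.
    # /f suppresses the confirmation prompt that would otherwise block until
    # the timeout killed the process and left the FromISO value behind.
    _ = _common.execute_command(
        ["reg.exe", "delete", run_key, "/v", "FromISO", "/f"], timeout_secs=10
    )
    _ = _common.execute_command(["SCHTASKS.exe", "/delete", "/TN", "FromISO", "/F"])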