def main()

in cortado/rtas/wmi_incoming_logon.py [0:0]


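def main(remote_host=None):
    """Trigger incoming WMI logons on ``remote_host`` to exercise a detection.

    Enables logon auditing on the target via ``_common.enable_logon_audit``,
    then runs two ``Invoke-WmiMethod ... Win32_process create`` calls against
    it (``ipconfig`` and ``netstat``), followed by a ``net time`` query that
    is expected NOT to alert (a control for the detection under test).

    Args:
        remote_host: Hostname or IPv4 address of the target. Defaults to
            ``None`` so that ``main()`` with no argument fails fast exactly
            as the previous hard-coded stub did.

    Raises:
        _common.ExecutionError: if no host is given, or if the host contains
            characters outside a conservative hostname/IPv4 allowlist.
    """
    if not remote_host:
        log.error("A remote host is required to detonate this RTA")
        raise _common.ExecutionError("Remote host is not provided")

    # remote_host is spliced into a `powershell -c` script string below, so
    # anything outside a plain hostname/IPv4 alphabet could alter the command
    # that actually runs. Allow letters, digits, '.', '-' and '_' only
    # (IPv6 literals with ':' are deliberately not accepted here).
    if not all(ch.isalnum() or ch in ".-_" for ch in remote_host):
        log.error("Remote host {!r} contains unexpected characters".format(remote_host))
        raise _common.ExecutionError("Remote host contains unexpected characters")

    # Return value is not used; the helper is presumed to turn on the audit
    # policy needed for the logon events to be recorded - confirm in _common.
    _common.enable_logon_audit(remote_host)

    log.info("Attempting to trigger a remote logon on {}".format(remote_host))

    # Two remote process creations through WMI ("trigger twice"); each is
    # intended to produce an incoming logon on the target.
    for program in ("ipconfig", "netstat"):
        command = (
            "Invoke-WmiMethod -ComputerName {} -Class Win32_process "
            "-Name create -ArgumentList {}".format(remote_host, program)
        )
        _common.execute_command(["powershell", "-c", command])

    # Control case: a plain `net time` query against the host, which should
    # not trigger the alert.
    _common.execute_command(["net.exe", "time", "\\\\{}".format(remote_host)])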