# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.

# Name: Emulate MS Office Dropping an executable file to disk
# RTA: ms_office_drop_exe.py
# ATT&CK: T1064
# Description: MS Office writes executable file and it is run.

import logging
import os
import time
from pathlib import Path

from . import OSType, RuleMetadata, _common, register_code_rta

log = logging.getLogger(__name__)


@register_code_rta(
    id="ce85674f-fb6c-44d5-b880-4ce9062e1028",
    name="ms_office_drop_exe",
    platforms=[OSType.WINDOWS],
    endpoint_rules=[],
    siem_rules=[
        RuleMetadata(
            id="0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", name="Execution of File Written or Modified by Microsoft Office"
        )
    ],
    techniques=["T1566"],
)
def main():
    cmd_path = "c:\\windows\\system32\\cmd.exe"

    for office_app in ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]:
        log.info("Emulating office application %s" % office_app)
        office_path = Path(office_app).resolve()
        _common.copy_file(cmd_path, office_path)

        bad_path = Path("bad-{}-{}.exe".format(hash(office_app), os.getpid())).resolve()
        _ = _common.execute_command([office_path, "/c", "copy", cmd_path, bad_path])

        time.sleep(1)
        _ = _common.execute_command([bad_path, "/c", "whoami"])

        # cleanup
        time.sleep(1)
        _common.remove_files([office_app, bad_path])
        print("")