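# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.

# Name: Network Traffic from InstallUtil
# RTA: installutil_network.py
# ATT&CK: T1118
# Elastic detection: InstallUtil Process Making Network Connections
# Elastic detection: Unusual Network Activity from a Windows System Binary
# Description: Uses mock .NET malware and InstallUtil to create network activity from InstallUtil.

import os
import sys

from . import common
from . import RtaMetadata

metadata = RtaMetadata(
    uuid="6dfa88c9-9fb2-4fb0-8bea-0bc45222b498",
    platforms=["windows"],
    endpoint=[],
    siem=[
        {
            "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
            "rule_name": "InstallUtil Process Making Network Connections",
        },
        {
            "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
            "rule_name": "Unusual Network Activity from a Windows System Binary",
        },
    ],
    techniques=["T1127", "T1218"],
)

# Mock .NET assembly shipped with the RTA framework. It has ":8000" baked in as the
# port it calls back to; main() rewrites that to whatever port the local server gets.
MY_DOT_NET = common.get_path("bin", "mydotnet.exe")

# Stock InstallUtil.exe locations, 64-bit first. %SystemRoot% is set on every Windows
# install; the literal fallback preserves the original hard-coded paths.
_SYSTEM_ROOT = os.environ.get("SystemRoot", "C:\\Windows")
_INSTALL_UTIL_CANDIDATES = (
    os.path.join(_SYSTEM_ROOT, "Microsoft.NET", "Framework64", "v4.0.30319", "InstallUtil.exe"),
    os.path.join(_SYSTEM_ROOT, "Microsoft.NET", "Framework", "v4.0.30319", "InstallUtil.exe"),
)


def _find_install_util():
    """Return the first stock InstallUtil.exe path that exists on disk, or None."""
    for candidate in _INSTALL_UTIL_CANDIDATES:
        if os.path.exists(candidate):
            return candidate
    return None


@common.requires_os(metadata.platforms)
@common.dependencies(MY_DOT_NET)
def main():
    """Generate an outbound HTTP connection from a process named InstallUtil.exe.

    A throwaway HTTP server is started locally and the mock assembly is patched so
    it calls back to that server's port. The real InstallUtil.exe is then run with
    ``/U`` against the patched assembly so the connection originates from
    InstallUtil.exe. If no InstallUtil.exe is installed, the running Python
    interpreter is copied to ``./InstallUtil.exe`` and used to make the same
    request, so the process name still matches what the detections look for.

    Returns:
        None. The module guard passes the result to ``sys.exit``.
    """
    server, _ip, port = common.serve_web()
    try:
        common.clear_web_cache()

        target_app = "mydotnet.exe"
        # Swap the baked-in ":8000" for the live port. common.wchar presumably
        # encodes the pattern as a wide string to match the binary — see common.
        common.patch_file(
            MY_DOT_NET,
            common.wchar(":8000"),
            common.wchar(":%d" % port),
            target_file=target_app,
        )

        install_util = _find_install_util()
        if install_util is not None:
            common.execute([install_util, "/logfile=", "/LogToConsole=False", "/U", target_app])
        else:
            common.log("Unable to find InstallUtil, creating temp file")
            install_util = os.path.abspath("InstallUtil.exe")
            common.copy_file(sys.executable, install_util)
            try:
                # Python 3 moved urlopen to urllib.request; the old
                # urllib.urlopen name raises AttributeError and would
                # produce no connection at all in the fallback path.
                common.execute(
                    [
                        install_util,
                        "-c",
                        "import urllib.request; urllib.request.urlopen('http://%s:%d')"
                        % (common.get_ip(), port),
                    ]
                )
            finally:
                # The copied interpreter is a temp artifact; never leave it behind.
                common.remove_file(install_util)

        common.remove_file(target_app)
    finally:
        # Always stop the helper server, even if patching or execution failed.
        server.shutdown()


if __name__ == "__main__":
    sys.exit(main())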