From 53d54747ecc35e86a6507ab18d30a3bc9736243a Mon Sep 17 00:00:00 2001
From: Rich5
Date: Wed, 27 Apr 2022 21:21:55 -0400
Subject: [PATCH] Added Password Change on Directory Service Restore Mode (DSRM) Account (#1899)
* Added Password Change on Directory Service Restore Mode (DSRM) Account
* remove guid so unique one can be auto-assigned
Co-authored-by: Richard Kelley
Co-authored-by: Carrie Roberts
---
 atomics/T1098/T1098.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml
index 37c597a7..bf3be5d7 100644
--- a/atomics/T1098/T1098.yaml
+++ b/atomics/T1098/T1098.yaml
@@ -515,3 +515,19 @@ atomic_tests:
 name: powershell
 elevation_required: false
+- name: Password Change on Directory Service Restore Mode (DSRM) Account
+
+ description: |
+ Change the password on the Directory Service Restore Mode (DSRM) account using ntdsutil by syncing to existing account
+ supported_platforms:
+ - windows
+ input_arguments:
+ sync_account:
+ description: Account to sync password from
+ type: String
+ default: '%username%'
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ ntdsutil "set dsrm password" "sync from domain account #{sync_account}" "q" "q"
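Review bot: The new test leaves the DSRM password synced to `#{sync_account}` after it runs, and neither a `cleanup_command` nor the `description` tells the operator that this state persists on the host. The old DSRM password cannot be restored automatically, so I would extend the description with a line such as `The DSRM password stays synced to the chosen account after the test; reset it to a new value afterwards.` and, if I recall the event correctly, name Security event ID 4794 as the expected telemetry so the test can be used to validate detection. The ntdsutil DSRM commands presumably only succeed on a domain controller, so a `dependencies` entry whose `prereq_command` checks for the DC role would let the test fail cleanly on other hosts. The blank added line directly after `- name:` can be dropped.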