diff --git a/atomics/T1087/T1087.md b/atomics/T1087/T1087.md
index 59c860da..eb6b877a 100644
--- a/atomics/T1087/T1087.md
+++ b/atomics/T1087/T1087.md
@@ -24,19 +24,21 @@ Also, groups can be enumerated through the groups and id
@@ -78,7 +80,7 @@ cat /etc/sudoers > #{output_file}
## Atomic Test #3 - View accounts with UID 0
-List opened files by user
+View accounts wtih UID 0
**Supported Platforms:** Linux, macOS
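Review bot: The new description line for Atomic Test #3 is misspelled: "View accounts wtih UID 0" should read "View accounts with UID 0". Replacing the old text is right, since "List opened files by user" described a different test, so only the spelling needs correcting.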
@@ -88,6 +90,19 @@ List opened files by user
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
+#### Run it with `sh`!
+```
+grep 'x:0:' /etc/passwd > #{output_file} - name: List opened files by user
+```
+
+
+
+## Atomic Test #4 - List opened files by user
+List opened files by user
+
+**Supported Platforms:** Linux, macOS
+
+
#### Run it with `sh`!
```
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
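Review bot: The added `sh` block for Atomic Test #3 has the next test's YAML key fused onto the command: `grep 'x:0:' /etc/passwd > #{output_file} - name: List opened files by user`. Everything after the redirect is still passed to grep as file arguments, including a bare `-` (stdin), so the test can sit waiting for input and will report missing files rather than simply writing the output file. The command should end at `#{output_file}`. Separately, the pattern `x:0:` only matches when the password field is the literal `x`; because the test lists both Linux and macOS, matching on the UID field itself, for example `awk -F: '$3 == 0' /etc/passwd`, would not depend on that.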
@@ -95,7 +110,7 @@ username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
-## Atomic Test #4 - Show if a user account has ever logger in remotely
+## Atomic Test #5 - Show if a user account has ever logger in remotely
Show if a user account has ever logger in remotely
**Supported Platforms:** Linux, macOS
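Review bot: The renumbered heading and the description line under it both still read "ever logger in remotely"; since this hunk already touches the heading, correct it to "ever logged in remotely". The index entries for the same test carry the same wording and would need the matching fix.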
@@ -113,7 +128,7 @@ lastlog > #{output_file}
-## Atomic Test #5 - Enumerate users and groups
+## Atomic Test #6 - Enumerate users and groups
Utilize groups and id to enumerate users and groups
**Supported Platforms:** Linux, macOS
@@ -127,7 +142,7 @@ id
-## Atomic Test #6 - Enumerate users and groups
+## Atomic Test #7 - Enumerate users and groups
Utilize local utilities to enumerate users and groups
**Supported Platforms:** macOS
@@ -144,7 +159,7 @@ dscacheutil -q user
-## Atomic Test #7 - Enumerate all accounts
+## Atomic Test #8 - Enumerate all accounts
Enumerate all accounts
**Supported Platforms:** Windows
@@ -162,7 +177,7 @@ net localgroup
-## Atomic Test #8 - Enumerate all accounts via PowerShell
+## Atomic Test #9 - Enumerate all accounts via PowerShell
Enumerate all accounts via PowerShell
**Supported Platforms:** Windows
@@ -185,7 +200,7 @@ net localgroup
-## Atomic Test #9 - Enumerate logged on users
+## Atomic Test #10 - Enumerate logged on users
Enumerate logged on users
**Supported Platforms:** Windows
@@ -198,7 +213,7 @@ query user
-## Atomic Test #10 - Enumerate logged on users via PowerShell
+## Atomic Test #11 - Enumerate logged on users via PowerShell
Enumerate logged on users via PowerShell
**Supported Platforms:** Windows
diff --git a/atomics/index.md b/atomics/index.md
index 0a303b78..e4c752cf 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -413,13 +413,14 @@
- Atomic Test #1: Enumerate all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- - Atomic Test #4: Show if a user account has ever logger in remotely [linux, macos]
- - Atomic Test #5: Enumerate users and groups [linux, macos]
- - Atomic Test #6: Enumerate users and groups [macos]
- - Atomic Test #7: Enumerate all accounts [windows]
- - Atomic Test #8: Enumerate all accounts via PowerShell [windows]
- - Atomic Test #9: Enumerate logged on users [windows]
- - Atomic Test #10: Enumerate logged on users via PowerShell [windows]
+ - Atomic Test #4: List opened files by user [linux, macos]
+ - Atomic Test #5: Show if a user account has ever logger in remotely [linux, macos]
+ - Atomic Test #6: Enumerate users and groups [linux, macos]
+ - Atomic Test #7: Enumerate users and groups [macos]
+ - Atomic Test #8: Enumerate all accounts [windows]
+ - Atomic Test #9: Enumerate all accounts via PowerShell [windows]
+ - Atomic Test #10: Enumerate logged on users [windows]
+ - Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1010 Application Window Discovery](./T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index e227ccf8..8227e8ea 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -11984,7 +11984,7 @@ discovery:
'
- name: View accounts with UID 0
- description: 'List opened files by user
+ description: 'View accounts wtih UID 0
'
supported_platforms:
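Review bot: The `description` value added here carries the same misspelling as the rendered Markdown, "View accounts wtih UID 0"; it should be "View accounts with UID 0". Fixing it in the YAML keeps the index and the per-technique page consistent.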
@@ -11995,6 +11995,19 @@ discovery:
description: Path where captured results will be placed
type: Path
default: "~/loot.txt"
+ executor:
+ name: sh
+ command: 'grep ''x:0:'' /etc/passwd > #{output_file} - name: List opened files
+ by user
+
+'
+ - name: List opened files by user
+ description: 'List opened files by user
+
+'
+ supported_platforms:
+ - linux
+ - macos
executor:
name: sh
command: 'username=$(echo $HOME | awk -F''/'' ''{print $3}'') && lsof -u $username
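Review bot: The `command` scalar added for "View accounts with UID 0" does not stop at `#{output_file}`; it continues with `- name: List opened files by user`, so the executor would hand that text to the shell as part of the grep invocation. The separate `- name: List opened files by user` entry that follows shows the intent was a new list item, which points to a missing line break or wrong indentation where the command ends. End the scalar after `#{output_file}` and confirm the regenerated index shows two clean entries.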
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 4531e1ba..6b0465a9 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -40,8 +40,9 @@
- Atomic Test #1: Enumerate all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- - Atomic Test #4: Show if a user account has ever logger in remotely [linux, macos]
- - Atomic Test #5: Enumerate users and groups [linux, macos]
+ - Atomic Test #4: List opened files by user [linux, macos]
+ - Atomic Test #5: Show if a user account has ever logger in remotely [linux, macos]
+ - Atomic Test #6: Enumerate users and groups [linux, macos]
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- [T1083 File and Directory Discovery](./T1083/T1083.md)
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index dd3b780c..db571b86 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -60,9 +60,10 @@
- Atomic Test #1: Enumerate all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- - Atomic Test #4: Show if a user account has ever logger in remotely [linux, macos]
- - Atomic Test #5: Enumerate users and groups [linux, macos]
- - Atomic Test #6: Enumerate users and groups [macos]
+ - Atomic Test #4: List opened files by user [linux, macos]
+ - Atomic Test #5: Show if a user account has ever logger in remotely [linux, macos]
+ - Atomic Test #6: Enumerate users and groups [linux, macos]
+ - Atomic Test #7: Enumerate users and groups [macos]
- [T1010 Application Window Discovery](./T1010/T1010.md)
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index aa3c3cc3..5dfcff89 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -277,10 +277,10 @@
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
- - Atomic Test #7: Enumerate all accounts [windows]
- - Atomic Test #8: Enumerate all accounts via PowerShell [windows]
- - Atomic Test #9: Enumerate logged on users [windows]
- - Atomic Test #10: Enumerate logged on users via PowerShell [windows]
+ - Atomic Test #8: Enumerate all accounts [windows]
+ - Atomic Test #9: Enumerate all accounts via PowerShell [windows]
+ - Atomic Test #10: Enumerate logged on users [windows]
+ - Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1010 Application Window Discovery](./T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)