From de1bd5a20fb70b60a336c49bb3ef9ff76ee56612 Mon Sep 17 00:00:00 2001
From: Tyler Fisher
Date: Thu, 19 Nov 2020 11:18:53 -0500
Subject: [PATCH] Allow root user to run 'T1087.001: Account Discovery: Local Account - List opened files by user' by updating how current username is determined
---
 atomics/T1087.001/T1087.001.md | 2 +-
 atomics/T1087.001/T1087.001.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/atomics/T1087.001/T1087.001.md b/atomics/T1087.001/T1087.001.md
index 7bf13c1d..90865c99 100644
--- a/atomics/T1087.001/T1087.001.md
+++ b/atomics/T1087.001/T1087.001.md
@@ -146,7 +146,7 @@ List opened files by user
 ```sh
-username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
+username=$(id -u -n) && lsof -u $username
 ```
diff --git a/atomics/T1087.001/T1087.001.yaml b/atomics/T1087.001/T1087.001.yaml
index 47c21646..ed6c67e3 100644
--- a/atomics/T1087.001/T1087.001.yaml
+++ b/atomics/T1087.001/T1087.001.yaml
@@ -68,7 +68,7 @@ atomic_tests:
 - macos
 executor:
 command: |
- username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
+ username=$(id -u -n) && lsof -u $username
 name: sh
 - name: Show if a user account has ever logged in remotely
 auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
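Review bot: `$username` is expanded unquoted in the new `command` line of the YAML executor, and the temporary variable is no longer needed now that the name comes from a single command; `lsof -u "$(id -u -n)"` is equivalent and quoted. `id -u -n` reports the effective user, so under sudo the test lists root's open files rather than the invoking account's; that appears to be the intent given the subject line, but the test's description should say so. For anyone validating detections against this atomic, the helper process changes from `awk` to `id`, so rules are better keyed on the `lsof -u` invocation than on the username lookup. The test entry starts above the hunk, so its description is not visible here; the same command is changed in the T1087.001.md hunk.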