0xrawsec / golang-evtx

GNU General Public License v3.0

Better precision in SystemTime using evtxdump #16

Closed Pinpwn closed 4 years ago

Pinpwn commented 5 years ago

@qjerome While using evtxdump to parse an .evtx file, the JSON of an event looks like:

{
 "Event": {
   "EventData": {
     "Hashes": "SHA1=F04EE61F0C6766590492CD3D9E26ECB0D4F501D8,MD5=68D9577E9E9E3A3DF0348AB3B86242B1,SHA256=7AE581DB760BCEEE4D18D6DE7BB98F46584656A65D9435B4E0C4223798F416D2,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5",
     "Image": "C:\\Windows\\splwow64.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dwmapi.dll",
     "ProcessGuid": "B2796A13-E44F-5880-0000-001006E40F00",
     "ProcessId": "4952",
     "Signature": "Microsoft Windows",
     "Signed": "true",
     "UtcTime": "2017-01-19 16:07:45.279"
   },
   "System": {
     "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Computer": "DESKTOP-5SUA567",
     "Correlation": {},
     "EventID": "7",
     "EventRecordID": "116913",
     "Execution": {
       "ProcessID": "1760",
       "ThreadID": "1952"
     },
     "Keywords": "0x8000000000000000",
     "Level": "4",
     "Opcode": "0",
     "Provider": {
       "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
       "Name": "Microsoft-Windows-Sysmon"
     },
     "Security": {
       "UserID": "S-1-5-18"
     },
     "Task": "7",
     "TimeCreated": {
       "SystemTime": "2017-01-19T16:07:45Z"
     },
     "Version": "3"
   }
 }
}

The TimeCreated.SystemTime field ("2017-01-19T16:07:45Z") has precision only to the second, whereas the original events have much better precision ("2017-01-19T16:07:45.152350300Z").

I don't have much experience in golang and was hoping to get some pointers on how to get the same precision in the JSON as well.

Any help is highly appreciated.

Thanks.
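A worked example of where the sub-second digits go and how to keep them, added here for readers of this issue; it is not code from golang-evtx or evtxdump, and the helper names are assumed. EVTX records store TimeCreated as a Windows FILETIME (100-nanosecond ticks since 1601-01-01), so the only lossless route to a Go time.Time is integer division by 10,000,000 for the seconds and the remainder times 100 for the nanoseconds. The block also shows two lossy conversions purely as illustrations of how precision is lost (truncating to whole seconds, and going through float64 seconds), and a JSON marshaller that prints the fixed nine-digit fraction Event Viewer shows, since Go's default RFC3339Nano encoding trims trailing zeros. The FILETIME input is constructed from the timestamp quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// EVTX stores TimeCreated as a Windows FILETIME: 100-nanosecond ticks since
// 1601-01-01T00:00:00Z. This constant is the tick count between that epoch
// and the Unix epoch (1970-01-01T00:00:00Z), i.e. 11644473600 s * 1e7.
const epochDiffTicks int64 = 116444736000000000

const ticksPerSecond int64 = 10_000_000

// FiletimeToTimeExact converts with integer arithmetic only, so every tick
// survives: seconds from the quotient, nanoseconds from the remainder times 100.
func FiletimeToTimeExact(ft uint64) time.Time {
	unixTicks := int64(ft) - epochDiffTicks
	return time.Unix(unixTicks/ticksPerSecond, (unixTicks%ticksPerSecond)*100).UTC()
}

// FiletimeToTimeSeconds is the lossy shape of the conversion that yields
// "2017-01-19T16:07:45Z": the remainder (the sub-second part) is discarded.
func FiletimeToTimeSeconds(ft uint64) time.Time {
	unixTicks := int64(ft) - epochDiffTicks
	return time.Unix(unixTicks/ticksPerSecond, 0).UTC()
}

// FiletimeToTimeFloat goes through float64 seconds. A 2017 tick count is
// about 1.5e16, above 2^53, so it is not even exactly representable, and the
// division adds further error; the last sub-second digits come out wrong.
// Shown as one way precision is lost, not as a claim about what evtxdump does.
func FiletimeToTimeFloat(ft uint64) time.Time {
	secs := float64(int64(ft)-epochDiffTicks) / float64(ticksPerSecond)
	whole := int64(secs)
	return time.Unix(whole, int64((secs-float64(whole))*1e9)).UTC()
}

// TimeToFiletime is the inverse, used below to build a constructed FILETIME
// from the timestamp quoted in the issue.
func TimeToFiletime(t time.Time) uint64 {
	return uint64(t.Unix()*ticksPerSecond + int64(t.Nanosecond())/100 + epochDiffTicks)
}

// systemTimeLayout keeps a fixed nine-digit fraction, matching Event Viewer's
// "2017-01-19T16:07:45.152350300Z". time.RFC3339Nano would trim trailing zeros.
const systemTimeLayout = "2006-01-02T15:04:05.000000000Z07:00"

func FormatSystemTime(t time.Time) string { return t.UTC().Format(systemTimeLayout) }

// SystemTime is a time.Time that marshals in the fixed-width layout; using it
// as the field type is what makes the emitted JSON carry the full precision.
type SystemTime time.Time

func (s SystemTime) MarshalJSON() ([]byte, error) {
	return json.Marshal(FormatSystemTime(time.Time(s)))
}

// EncodeTimeCreated renders the System.TimeCreated object from a FILETIME.
func EncodeTimeCreated(ft uint64) (string, error) {
	v := struct {
		TimeCreated struct{ SystemTime SystemTime }
	}{}
	v.TimeCreated.SystemTime = SystemTime(FiletimeToTimeExact(ft))
	b, err := json.Marshal(v)
	return string(b), err
}

func main() {
	// Constructed input: the full-precision timestamp quoted in the issue.
	ft := TimeToFiletime(time.Date(2017, 1, 19, 16, 7, 45, 152350300, time.UTC))
	fmt.Println("filetime ticks:", ft)
	fmt.Println("exact:   ", FormatSystemTime(FiletimeToTimeExact(ft)))
	fmt.Println("seconds: ", FormatSystemTime(FiletimeToTimeSeconds(ft)))
	fmt.Println("float64: ", FormatSystemTime(FiletimeToTimeFloat(ft)))
	if js, err := EncodeTimeCreated(ft); err == nil {
		fmt.Println(js)
	}
}
```

The integer path reproduces the Event Viewer string exactly; the seconds path reproduces the truncated output reported above. The float64 path lands within a few hundred nanoseconds of the true value, which is why its last digits look plausible but do not match the record.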

steve-offutt commented 4 years ago

I am also having this issue.

qjerome commented 4 years ago

Hi guys,

Thank you guys for reporting this issue. @Pinpwn, sorry I failed to answer you within a reasonable time. I have found where the issue is and will come up with a fix soon.

Cheers,

steve-offutt commented 4 years ago

I am confused about the solution here and think that this still needs more attention. I am parsing the event log located here via evtxdump.exe.

The command I run is: evtxdump.exe security.evtx. To test the new functionality out, I chose Event.System.EventRecordID == 2261. In Windows Event Viewer the timestamp for this record is 2017-04-14T01:21:10.906949900Z. However, from evtxdump stdout I can see that the record is being parsed as:

{
  "Event": {
    "EventData": {
      "PrivilegeList": "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege",
      "SubjectDomainName": "NT AUTHORITY",
      "SubjectLogonId": "0x000003e7",
      "SubjectUserName": "SYSTEM",
      "SubjectUserSid": "S-1-5-18"
    },
    "System": {
      "Channel": "Security",
      "Computer": "WIN-03DLIIOFRRA",
      "Correlation": {},
      "EventID": "4672",
      "EventRecordID": "2261",
      "Execution": {
        "ProcessID": "536",
        "ThreadID": "624"
      },
      "Keywords": "0x8020000000000000",
      "Level": "0",
      "Opcode": "0",
      "Provider": {
        "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
        "Name": "Microsoft-Windows-Security-Auditing"
      },
      "Security": {},
      "Task": "12548",
      "TimeCreated": {
        "SystemTime": "2017-10-03T14:01:17.380369499Z"
      },
      "Version": "0"
    }
  }
}

As we can see, Event.System.TimeCreated.SystemTime is reporting 2017-10-03T14:01:17.380369499Z as the timestamp. There is a difference in the timestamps. Shouldn't they report the same timestamp?