0xrawsec / golang-evtx

GNU General Public License v3.0

Clarification on datetime #17

Closed steve-offutt closed 4 years ago

steve-offutt commented 4 years ago

I am confused about the solution here and think that this still needs more attention. I am parsing via evtxdump.exe the event log located here.

The command I run is: evtxdump.exe security.evtx. To test the new functionality out I chose Event.System.EventRecordID == 2261. In Windows Event Viewer the timestamp for this record is: 2017-04-14T01:21:10.906949900Z. However, from evtxdump stdout I can see that the record is being parsed as:

{"Event":{"EventData":{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x000003e7","SubjectUserName":"SYSTEM","SubjectUserSid":"S-1-5-18"},"System":{"Channel":"Security","Computer":"WIN-03DLIIOFRRA","Correlation":{},"EventID":"4672","EventRecordID":"2261","Execution":{"ProcessID":"536","ThreadID":"624"},"Keywords":"0x8020000000000000","Level":"0","Opcode":"0","Provider":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":{},"Task":"12548","TimeCreated":{"SystemTime":"2017-10-03T14:01:17.380369499Z"},"Version":"0"}}}

As we can see the Event.System.TimeCreated.SystemTime is reporting 2017-10-03T14:01:17.380369499Z as a timestamp. There is a difference in the timestamps. Shouldn't they report the same timestamps?

qjerome commented 4 years ago

Hi @steve-offutt,

Thank you for your issue, I missed that because I did the fix quite quickly. I thought (wrongly) that FileTime was time expressed in nanoseconds. I somehow missed the concept of 100-nanosecond intervals as mentioned in the MS documentation about the FileTime structure: "Contains a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).".

I fixed that and everything should be fine in the next release.

Cheers,
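The conversion discussed above, as an added example that is not code from golang-evtx or from anyone in this thread: a FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC, so it has to be split into whole seconds plus a tick remainder rather than fed to Go as nanoseconds. The sample value is constructed by me from the Event Viewer timestamp quoted for record 2261 (2017-04-14T01:21:10.906949900Z); the function names and the little-endian decoder are my own assumptions about how one would read the field, not the library's API.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// A FILETIME counts 100-nanosecond intervals ("ticks") since 1601-01-01 00:00:00 UTC.
const (
	ticksPerSecond = 10000000
	// Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
	epochDeltaSeconds = 11644473600
	// Layout that keeps all nine fractional digits, matching Event Viewer's display.
	FileTimeLayout = "2006-01-02T15:04:05.000000000Z07:00"
)

// SampleFileTime is a constructed value: the FILETIME encoding of
// 2017-04-14T01:21:10.906949900Z, the Event Viewer time for record 2261 in the thread.
const SampleFileTime uint64 = 131366064709069499

// FileTimeToTime converts a FILETIME to a UTC time.Time without overflowing int64:
// whole seconds and the sub-second tick remainder are handled separately.
func FileTimeToTime(ft uint64) time.Time {
	secs := int64(ft/ticksPerSecond) - epochDeltaSeconds
	nsec := int64(ft%ticksPerSecond) * 100 // 100 ns per tick
	return time.Unix(secs, nsec).UTC()
}

// TimeToFileTime is the inverse conversion (precision below 100 ns is truncated).
func TimeToFileTime(t time.Time) uint64 {
	return uint64(t.Unix()+epochDeltaSeconds)*ticksPerSecond + uint64(t.Nanosecond()/100)
}

// DecodeFileTime reads the 8-byte little-endian FILETIME field as it is laid out on disk
// (assumed layout for this example).
func DecodeFileTime(b []byte) (time.Time, error) {
	if len(b) < 8 {
		return time.Time{}, errors.New("FILETIME field needs 8 bytes")
	}
	return FileTimeToTime(binary.LittleEndian.Uint64(b)), nil
}

// SampleBytes returns SampleFileTime serialised little-endian (constructed input).
func SampleBytes() []byte {
	b := make([]byte, 8)
	binary.LittleEndian.PutUint64(b, SampleFileTime)
	return b
}

// FileTimeAsNanosWrong is the scale error from the thread in its plainest form: the tick
// counter treated as nanoseconds. The result lands in the 17th century, which shows the
// factor of 100 is not a rounding detail. It does not reproduce the exact wrong date
// quoted in the issue, since the library's former code is not shown here.
func FileTimeAsNanosWrong(ft uint64) time.Time {
	return time.Date(1601, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(ft))
}

func main() {
	t, err := DecodeFileTime(SampleBytes())
	if err != nil {
		panic(err)
	}
	fmt.Println("correct:       ", t.Format(FileTimeLayout))
	fmt.Println("as nanoseconds:", FileTimeAsNanosWrong(SampleFileTime).Format(FileTimeLayout))
	fmt.Println("round trip ok: ", TimeToFileTime(t) == SampleFileTime)
}
```

When checking a parser against Event Viewer, compare the full nine fractional digits: a timestamp that agrees to the second but not in the sub-second part is a different bug (tick remainder handling) from one that is off by months or centuries (wrong unit).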

steve-offutt commented 4 years ago

Thank you for making these changes so quickly!

One more question: the release v1.2.3 does not appear to be pulled down correctly with the go get -u -v github.com/0xrawsec/golang-evtx/evtx command. It checks out the master branch, but I must manually go into $GOPATH/src/github.com/0xrawsec/golang-evtx/evtx and check out the tagged commit. Is this the intended behavior for this version?

qjerome commented 4 years ago

Maybe it is because I deleted the tag v1.2.2, since I didn't want a tagged version to contain such an important bug (issue #17). So the tags should jump straight from v1.2.1 to v1.2.3 on the remote branch. Maybe what happened is that your local branch still contained v1.2.2 and this created a conflict when go get tried to pull.