
Better precision in SystemTime using evtxdump #16

Closed
Pinpwn opened this issue Aug 13, 2019 · 3 comments
Pinpwn commented Aug 13, 2019

@qjerome While using evtxdump to parse an .evtx file, the JSON of an event looks like:

{
 "Event": {
   "EventData": {
     "Hashes": "SHA1=F04EE61F0C6766590492CD3D9E26ECB0D4F501D8,MD5=68D9577E9E9E3A3DF0348AB3B86242B1,SHA256=7AE581DB760BCEEE4D18D6DE7BB98F46584656A65D9435B4E0C4223798F416D2,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5",
     "Image": "C:\\Windows\\splwow64.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dwmapi.dll",
     "ProcessGuid": "B2796A13-E44F-5880-0000-001006E40F00",
     "ProcessId": "4952",
     "Signature": "Microsoft Windows",
     "Signed": "true",
     "UtcTime": "2017-01-19 16:07:45.279"
   },
   "System": {
     "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Computer": "DESKTOP-5SUA567",
     "Correlation": {},
     "EventID": "7",
     "EventRecordID": "116913",
     "Execution": {
       "ProcessID": "1760",
       "ThreadID": "1952"
     },
     "Keywords": "0x8000000000000000",
     "Level": "4",
     "Opcode": "0",
     "Provider": {
       "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
       "Name": "Microsoft-Windows-Sysmon"
     },
     "Security": {
       "UserID": "S-1-5-18"
     },
     "Task": "7",
     "TimeCreated": {
       "SystemTime": "2017-01-19T16:07:45Z"
     },
     "Version": "3"
   }
 }
}

The TimeCreated.SystemTime field ("2017-01-19T16:07:45Z") has precision only to the second, whereas the original events have much better precision ("2017-01-19T16:07:45.152350300Z").

I don't have much experience in golang and was hoping to get some pointers on how to get the same precision in the JSON as well.

Any help is highly appreciated.

Thanks.
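The precision loss reported above comes down to how the timestamp is formatted, not to what EVTX stores: the binary XML FileTime value behind TimeCreated/SystemTime is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and Go's time.Time can hold that exactly. The following is an added example, not code from golang-evtx or from anyone in this thread; the function names, the layout constant and the sample instant (built with time.Date from the value quoted in the issue, not read from an .evtx file) are all constructed for the demonstration. It converts a FILETIME to time.Time without dropping ticks, then shows the same instant rendered with time.RFC3339 (seconds only, the output in the issue), time.RFC3339Nano, and a nine-digit layout matching what Event Viewer displays.

```go
package main

import (
	"fmt"
	"time"
)

// A Windows FILETIME (the type EVTX uses for TimeCreated/SystemTime) counts
// 100-nanosecond ticks since 1601-01-01T00:00:00Z. Go's time.Time holds
// nanoseconds, so the conversion itself is lossless; precision is only lost
// when the value is formatted with a layout that has no fractional seconds.
const (
	ticksPerSecond = 10_000_000         // 100 ns ticks in one second
	epochDiffTicks = 116444736000000000 // ticks from 1601-01-01 to 1970-01-01
)

// FileTimeToTime converts a FILETIME to a UTC time.Time, keeping every 100 ns tick.
func FileTimeToTime(ft uint64) time.Time {
	unixTicks := int64(ft) - epochDiffTicks
	secs := unixTicks / ticksPerSecond
	nanos := (unixTicks % ticksPerSecond) * 100
	return time.Unix(secs, nanos).UTC()
}

// TimeToFileTime is the inverse conversion, used here for round-trip checks.
func TimeToFileTime(t time.Time) uint64 {
	return uint64(t.UnixNano()/100 + epochDiffTicks)
}

// FormatSeconds reproduces the lossy output reported in the issue: time.RFC3339
// has no fractional-seconds field, so "16:07:45.1523503" becomes "16:07:45".
func FormatSeconds(t time.Time) string { return t.Format(time.RFC3339) }

// FormatNano keeps the fraction but trims trailing zeros (".1523503").
func FormatNano(t time.Time) string { return t.Format(time.RFC3339Nano) }

// eventViewerLayout pads the fraction to nine digits, matching the
// "2017-01-19T16:07:45.152350300Z" form Event Viewer displays.
const eventViewerLayout = "2006-01-02T15:04:05.000000000Z07:00"

// FormatEventViewer renders the time the way Event Viewer does.
func FormatEventViewer(t time.Time) string { return t.Format(eventViewerLayout) }

func main() {
	// Constructed sample: the instant quoted in the issue, built directly rather
	// than read from an .evtx file, then round-tripped through a FILETIME.
	want := time.Date(2017, 1, 19, 16, 7, 45, 152350300, time.UTC)
	ft := TimeToFileTime(want)
	got := FileTimeToTime(ft)

	fmt.Printf("FILETIME            : %d\n", ft)
	fmt.Printf("round-trip exact    : %v\n", got.Equal(want))
	fmt.Printf("RFC3339 (lossy)     : %s\n", FormatSeconds(got))
	fmt.Printf("RFC3339Nano         : %s\n", FormatNano(got))
	fmt.Printf("Event Viewer layout : %s\n", FormatEventViewer(got))
}
```

The round-trip check is the useful test when debugging a parser like evtxdump: if FileTimeToTime(TimeToFileTime(t)) equals t but the JSON still shows whole seconds, the loss is in the formatting layout (or in a conversion that goes through an intermediate with second resolution), not in the EVTX decoding. For forensic timelines the nine-digit layout is the safer choice, since it matches Event Viewer exactly and never trims zeros, so records compare as plain strings.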

@steve-offutt

I am also having this issue.

qjerome commented Sep 26, 2019

Hi guys,

Thank you guys for reporting this issue.
@Pinpwn sorry I failed to answer you in a reasonable time.
I found where the issue is; I will come up with a fix soon.

Cheers,

qjerome added a commit that referenced this issue Sep 26, 2019
qjerome closed this as completed Sep 26, 2019

steve-offutt commented Sep 27, 2019

I am confused about the solution here and think that this still needs more attention. I am parsing the event log located here via evtxdump.exe.

The command I run is: evtxdump.exe security.evtx. To test the new functionality out I chose Event.System.EventRecordID == 2261. In Windows Event Viewer the timestamp for this record is: 2017-04-14T01:21:10.906949900Z. However, from evtxdump stdout I can see that the record is being parsed as:

{"Event":{"EventData":{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x000003e7","SubjectUserName":"SYSTEM","SubjectUserSid":"S-1-5-18"},"System":{"Channel":"Security","Computer":"WIN-03DLIIOFRRA","Correlation":{},"EventID":"4672","EventRecordID":"2261","Execution":{"ProcessID":"536","ThreadID":"624"},"Keywords":"0x8020000000000000","Level":"0","Opcode":"0","Provider":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":{},"Task":"12548","TimeCreated":{"SystemTime":"2017-10-03T14:01:17.380369499Z"},"Version":"0"}}}

As we can see, the Event.System.TimeCreated.SystemTime is reporting 2017-10-03T14:01:17.380369499Z as a timestamp. There is a difference in the timestamps. Shouldn't they report the same timestamps?

mireaulf added a commit to refractionPOINT/golang-evtx that referenced this issue Feb 16, 2021
* fixes 0xrawsec#12 - only unmarshal UTF16String when the size is greater than zero

* Update evtx.File to support generic interfaces

* Docs

* Fix issue 0xrawsec#12

* Changed version in makefile

* Fixed issue 0xrawsec#16

* Corrected wrong fix of issue 0xrawsec#16, then also fix issue 0xrawsec#17

* Fixed issues: 0xrawsec#15 and 0xrawsec#21

* Version upgrade

* Version bump for evtxdump and evtxmon

* Fixed issue 0xrawsec#23

* Addressed issue 0xrawsec#25

* Fixed issue 0xrawsec#25

* Fixed issue 0xrawsec#27

* Standardized GoEvtxMap.Del API

* Fixed bug in GoEvtxMap.Del

* Return error from TemplateInstance.ElementToGoEvtx

* Bubble up error from NodeToGoEvtx

* Bubble up error from ElementToGoEvtx

* Bubble up errors from GoEvtxMap

* Update tests

* Panic on error in tests

Co-authored-by: Josh VanderLinden <[email protected]>
Co-authored-by: Quentin JEROME <[email protected]>