Refactor glob to return time.Time instead of utils.TimeVal (Velocidex…

…#979)

artifacts/definitions/Generic/Applications/Office/Keywords.yaml

@@ -41,7 +41,7 @@ parameters:
 sources:
   - query: |
         LET office_docs = SELECT FullPath AS OfficePath,
-             timestamp(epoch=Mtime.Sec) as OfficeMtime,
+             Mtime as OfficeMtime,
              Size as OfficeSize
         FROM glob(globs=searchGlob + documentGlobs)
 

artifacts/definitions/Generic/Client/Info.yaml

@@ -32,8 +32,7 @@ sources:
   - name: Users
     precondition: SELECT OS From info() where OS = 'windows'
     queries:
-      - SELECT Name, Description,
-               if(condition=Mtime, then=timestamp(epoch=Mtime)) AS LastLogin
+      - SELECT Name, Description, Mtime AS LastLogin
         FROM Artifact.Windows.Sys.Users()
 
 reports:

artifacts/definitions/Generic/Forensic/Timeline.yaml

@@ -20,7 +20,7 @@ sources:
         SELECT 0 AS Md5, FullPath,
                Sys.mft as Inode,
                Mode.String AS Mode, 0 as Uid, 0 as Gid, Size,
-               Atime.Sec AS Atime, Mtime.Sec AS Mtime, Ctime.Sec AS Ctime
+               Atime, Mtime, Ctime
         FROM glob(globs=timelineGlob, accessor=timelineAccessor)
 
   # For linux we can get the Inode from Sys.Ino
@@ -31,5 +31,5 @@ sources:
         SELECT 0 AS Md5, FullPath,
                Sys.Ino as Inode,
                Mode.String AS Mode, Sys.Uid AS Uid, Sys.Gid AS Gid, Size,
-               Atime.Sec AS Atime, Mtime.Sec AS Mtime, Ctime.Sec AS Ctime
+               Atime, Mtime, Ctime
         FROM glob(globs=timelineGlob, accessor=timelineAccessor)

artifacts/definitions/Linux/Search/FileFinder.yaml

@@ -64,10 +64,10 @@ sources:
     - LET file_search = SELECT FullPath,
                Sys.mft as Inode,
                Mode.String AS Mode, Size,
-               Mtime.Sec AS Modified,
-               timestamp(epoch=Atime.Sec) AS ATime,
-               timestamp(epoch=Mtime.Sec) AS MTime,
-               timestamp(epoch=Ctime.Sec) AS CTime,
+               Mtime AS Modified,
+               Atime AS ATime,
+               Mtime AS MTime,
+               Ctime AS CTime,
                IsDir, Mode
         FROM glob(globs=SearchFilesGlob,
                   accessor="file")

artifacts/definitions/Linux/Ssh/AuthorizedKeys.yaml

@@ -22,8 +22,7 @@ sources:
       - SELECT * from foreach(
           row=authorized_keys,
           query={
-            SELECT Uid, User, FullPath, Key, Comment,
-                   timestamp(epoch=Mtime.sec) AS Mtime
+            SELECT Uid, User, FullPath, Key, Comment, Mtime
             FROM split_records(
                filenames=FullPath, regex=" +", columns=["Type", "Key", "Comment"])
                WHERE Type =~ "ssh"

artifacts/definitions/Linux/Ssh/PrivateKeys.yaml

@@ -19,7 +19,7 @@ parameters:
 sources:
   - queries:
       - SELECT FullPath,
-               timestamp(epoch=Mtime.Sec) AS Mtime,
+               Mtime,
                if(condition={
                      SELECT * from yara(rules="wide ascii:ENCRYPTED", files=FullPath)
                   }, then="Yes", else="No") AS Encrypted

artifacts/definitions/Linux/Sys/SUID.yaml

@@ -32,7 +32,7 @@ sources:
   - queries:
       - SELECT Mode.String AS Mode,
                FullPath, Size,
-               timestamp(epoch=Mtime.Sec) AS Mtime,
+               Mtime,
                Sys.Uid AS OwnerID,
                Sys.Gid AS GroupID
         FROM glob(globs=GlobExpression) WHERE Mode =~ '^u'

artifacts/definitions/MacOS/Applications/Chrome/History.yaml

@@ -25,7 +25,7 @@ sources:
       SELECT * FROM foreach(row=history_files,
         query={
            SELECT User, FullPath,
-              timestamp(epoch=Mtime.Sec) as Mtime,
+              Mtime,
               visited_url,
               title, visit_count, typed_count,
               timestamp(winfiletime=last_visit_time * 10) as last_visit_time

artifacts/definitions/MacOS/Detection/Autoruns.yaml

@@ -47,7 +47,7 @@ sources:
 - name: Sandboxed Loginitems
   queries:
   - SELECT FullPath,
-           timestamp(epoch=Mtime.Sec) AS Mtime,
+           Mtime,
            plist(file=FullPath) AS Disabled,
            upload(file=FullPath) AS Upload
     FROM glob(globs=sandboxed_loginitems)
@@ -56,8 +56,7 @@ sources:
   queries:
       - LET raw = SELECT * FROM foreach(
           row={
-            SELECT FullPath, Name,
-                   timestamp(epoch=Mtime.Sec) AS Mtime,
+            SELECT FullPath, Name, Mtime,
                    upload(file=FullPath) AS Upload
             FROM glob(globs=split(string=cronTabGlob, sep=","))
           },
@@ -98,8 +97,7 @@ sources:
 
 - name: LaunchAgentsDaemons
   queries:
-  - LET launchd_config = SELECT FullPath,
-           timestamp(epoch=Mtime.Sec) AS Mtime,
+  - LET launchd_config = SELECT FullPath, Mtime,
            plist(file=FullPath) AS LaunchdConfig,
            upload(file=FullPath) AS Upload
     FROM glob(globs=parse_json_array(data=LaunchAgentsDaemonsGlob))
@@ -117,28 +115,28 @@ sources:
 - name: ScriptingAdditions
   queries:
   - SELECT FullPath,
-           timestamp(epoch=Mtime.Sec) AS Mtime,
+           Mtime,
            upload(file=FullPath) AS Upload
     FROM glob(globs=parse_json_array(data=ScriptingAdditionsGlobs))
 
 - name: StartupItems
   queries:
   - SELECT FullPath,
-           timestamp(epoch=Mtime.Sec) AS Mtime,
+           Mtime,
            upload(file=FullPath) AS Upload
     FROM glob(globs=parse_json_array(data=StartupItemsGlobs))
 
 - name: MiscItems
   queries:
   - SELECT FullPath,
-           timestamp(epoch=Mtime.Sec) AS Mtime,
+           Mtime,
            upload(file=FullPath) AS Upload
     FROM glob(globs=parse_json_array(data=MiscItemsGlobs))
 
 - name: LoginItems
   queries:
   - SELECT FullPath,
-           timestamp(epoch=Mtime.Sec) AS Mtime,
+           Mtime,
            plist(file=FullPath) AS LoginItemConfig,
            upload(file=FullPath) AS Upload
     FROM glob(globs=parse_json_array(data=LoginItemsGlobs))

artifacts/definitions/MacOS/System/Plist.yaml

@@ -27,7 +27,7 @@ sources:
                 row=plist(file=FullPath),
                 query={ SELECT
                     FullPath AS FullPath,
-                    timestamp(epoch=Mtime.Sec) AS Mtime,
+                    Mtime,
                     plist(file=FullPath) AS Content,
                     if(condition=Upload_File,
                       then=upload(file=FullPath)) AS Upload

artifacts/definitions/Triage/Collection/Upload.yaml

@@ -14,7 +14,7 @@ sources:
   - queries:
       - |
         LET results = SELECT FullPath, Size,
-               timestamp(epoch=Mtime.Sec) As Modifed,
+               Mtime As Modifed,
                type AS Type, {
                  SELECT * FROM upload(files=FullPath, accessor=accessor)
                } AS FileDetails

artifacts/definitions/Triage/Collection/UploadTable.yaml

@@ -14,7 +14,7 @@ sources:
   - queries:
       - |
         LET results = SELECT FullPath, Size,
-               timestamp(epoch=Mtime.Sec) As Modifed,
+               Mtime As Modifed,
                Type, {
                  SELECT * FROM upload(files=FullPath, accessor=Accessor)
                } AS FileDetails

artifacts/definitions/Windows/Applications/Chrome/History.yaml

@@ -33,7 +33,7 @@ sources:
         SELECT * FROM foreach(row=history_files,
           query={
             SELECT User, FullPath,
-                   timestamp(epoch=Mtime.Sec) as Mtime,
+                   Mtime,
                    visited_url,
                    title, visit_count, typed_count,
                    timestamp(winfiletime=last_visit_time * 10) as last_visit_time

artifacts/definitions/Windows/Attack/Prefetch.yaml

@@ -8,7 +8,7 @@ precondition: SELECT OS From info() where OS = 'windows'
 
 sources:
      - queries:
-       - SELECT Name, ModTime, Mtime.Sec AS modified
+       - SELECT Name, ModTime, Mtime AS modified
          FROM glob(globs="C:/Windows/Prefetch/*")
 
 # Reports can be MONITORING_DAILY, CLIENT, SERVER_EVENT

artifacts/definitions/Windows/Collectors/File.yaml

@@ -33,9 +33,9 @@ sources:
       # only make one pass over the filesystem. We only want LFNs.
       - |
         LET hits = SELECT FullPath AS SourceFile, Size,
-               timestamp(epoch=Ctime.Sec) AS Created,
-               timestamp(epoch=Mtime.Sec) AS Modified,
-               timestamp(epoch=Atime.Sec) AS LastAccessed
+               Ctime AS Created,
+               Mtime AS Modified,
+               Atime AS LastAccessed
         FROM glob(globs=specs.Glob, accessor=Accessor)
         WHERE NOT IsDir AND log(message="Found " + SourceFile)
 

artifacts/definitions/Windows/Collectors/VSS.yaml

@@ -50,9 +50,9 @@ sources:
       # only make one pass over the filesystem. We only want LFNs.
       - |
         LET hits = SELECT FullPath AS SourceFile, Size,
-               timestamp(epoch=Ctime.Sec) AS Created,
-               timestamp(epoch=Mtime.Sec) AS Modified,
-               timestamp(epoch=Atime.Sec) AS LastAccessed,
+               Ctime AS Created,
+               Mtime AS Modified,
+               Atime AS LastAccessed,
                Device, strip(string=FullPath, prefix=Device) AS Path,
                Data.mft AS MFT, Data.name_type AS NameType
         FROM glob(globs=specs.Glob, accessor=Accessor)

artifacts/definitions/Windows/Detection/Thumbdrives/List.yaml

@@ -31,7 +31,7 @@ sources:
 
       - |
         LET file_listing = SELECT FullPath,
-            timestamp(epoch=Mtime.Sec) As Modified,
+            Mtime As Modified,
             Size
         FROM glob(globs=Drive+"\\**", accessor="file")
         LIMIT 1000

artifacts/definitions/Windows/Persistence/Wow64cpu.yaml

@@ -17,7 +17,7 @@ sources:
       SELECT dirname(path=FullPath) as KeyPath,
         Name as KeyName,
         Data.value as Value,
-        timestamp(epoch=Mtime.Sec) AS LastModified
+        Mtime AS LastModified
       FROM glob(globs=split(string=TargetRegKey, sep=","), accessor="reg")
       WHERE Data.value and
         not (Name = "@" and (Data.value =~ "(wow64cpu.dll|wowarmhw.dll|xtajit.dll)"))

artifacts/definitions/Windows/Registry/EnableUnsafeClientMailRules.yaml

@@ -36,7 +36,7 @@ sources:
               SELECT Username,
                 NTUser as Userhive,
                 url(parse=key.FullPath).fragment as Key,
-                timestamp(epoch=key.Mtime.Sec) AS LastModified,
+                key.Mtime AS LastModified,
                 EnableUnsafeClientMailRules,
                 OutlookSecureTempFolder
               FROM read_reg_key(

artifacts/definitions/Windows/Registry/EnabledMacro.yaml

@@ -35,7 +35,7 @@ sources:
               Username,
               NTUser as Userhive,
               dirname(path=url(parse=FullPath).fragment) as Key,
-              timestamp(epoch=Mtime.Sec) AS LastModified
+              Mtime AS LastModified
             FROM glob(
               globs=url(scheme="file",
                 path=NTUser,

artifacts/definitions/Windows/Registry/MountPoints2.yaml

@@ -4,7 +4,7 @@ description: |
     With a "$" in the share path. This key will store all remotely mapped
     drives unless removed so is a great hunt for simple admin $ mapping based
     lateral movement.
-    
+
 author: Matt Green - @mgreen27
 
 precondition: SELECT OS From info() where OS = 'windows'
@@ -16,11 +16,11 @@ parameters:
 sources:
  - queries:
      - |
-        SELECT regex_replace(source=basename(path=url(parse=FullPath).Fragment), 
+        SELECT regex_replace(source=basename(path=url(parse=FullPath).Fragment),
           re="#", replace="\\") as MountPoint,
-          timestamp(epoch=Mtime) as ModifiedTime,
+          Mtime as ModifiedTime,
           Username,
           url(parse=FullPath).Path as Hive,
           url(parse=FullPath).Fragment as Key
         FROM Artifact.Windows.Registry.NTUser(KeyGlob=KeyGlob)
-        WHERE FullPath =~ "\\$"
+        WHERE FullPath =~ "\\$"

artifacts/definitions/Windows/Registry/NTUser.yaml

@@ -56,7 +56,7 @@ sources:
                 SELECT * FROM UserProfiles
             },
             query={
-                SELECT FullPath, Data, Mtime.Sec AS Mtime,
+                SELECT FullPath, Data, Mtime AS Mtime,
                        Username, Description, Uid, Gid, UUID, Directory
                 FROM glob(
                     globs=url(scheme="ntfs",

artifacts/definitions/Windows/Registry/PortProxy.yaml

@@ -1,19 +1,19 @@
 name: Windows.Registry.PortProxy
 description: |
-    **Description**: 
-    This artifact will return any items in the Windows PortProxy service 
+    **Description**:
+    This artifact will return any items in the Windows PortProxy service
     registry path. The most common configuration of this service is via the
-    lolbin netsh.exe; Metaspoit and other common attack tools also have 
+    lolbin netsh.exe; Metaspoit and other common attack tools also have
     configuration modules.
 
     **Reference**: [Port Proxy detection]
-    (http://www.dfirnotes.net/portproxy_detection/)  
+    (http://www.dfirnotes.net/portproxy_detection/)
 
-    **ATT&CK**: [T1090 - Connection Proxy](https://attack.mitre.org/techniques/T1090/)  
+    **ATT&CK**: [T1090 - Connection Proxy](https://attack.mitre.org/techniques/T1090/)
     Adversaries may use a connection proxy to direct network traffic between
-    systems or act as an intermediary for network communications to a command 
+    systems or act as an intermediary for network communications to a command
     and control server to avoid direct connections to their infrastructure.
-    
+
 author: Matt Green - @mgreen27
 
 precondition: SELECT OS From info() where OS = 'windows'
@@ -30,7 +30,7 @@ sources:
          basename(path=dirname(path=FullPath)) as Protocol,
          regex_replace(source=basename(path=FullPath),re="/",replace=":") as Listening,
          regex_replace(source=Data.value,re="/",replace=":") as Destination,
-         timestamp(epoch=Mtime.sec) as ModifiedTime,
+         Mtime as ModifiedTime,
          Type
        FROM glob(globs=KeyGlob, accessor="reg")
        WHERE Type
@@ -43,37 +43,37 @@ reports:
       Port Forwarding: PortProxy
       ==========================
       {{ .Description }}
-      
+
       {{ define "report" }}
-         LET report = SELECT Protocol, 
-            ProxyType, 
-            Listening, 
-            Destination, 
+         LET report = SELECT Protocol,
+            ProxyType,
+            Listening,
+            Destination,
             ModifiedTime,
             ProxyType + Protocol + Listening + Destination as ServiceKey
          FROM source(source='PortProxy')
          GROUP BY ServiceKey
       {{ end }}
-      
+
       {{ Query "report"  "SELECT ProxyType, Protocol, Listening, Destination, ModifiedTime FROM report" | Table }}
-      
+
   - type: HUNT
     template: |
 
       Port Forwarding: PortProxy
       ==========================
       {{ .Description }}
-      
+
       {{ define "report" }}
          LET report = SELECT Fqdn,
-            Protocol, 
-            ProxyType, 
-            Listening, 
-            Destination, 
+            Protocol,
+            ProxyType,
+            Listening,
+            Destination,
             ModifiedTime,
             ProxyType + Protocol + Listening + Destination as ServiceKey
          FROM source(source='PortProxy')
          GROUP BY ServiceKey
       {{ end }}
-      
+
       {{ Query "report"  "SELECT Fqdn, ProxyType, Protocol, Listening, Destination, ModifiedTime FROM report" | Table }}

artifacts/definitions/Windows/Registry/Sysinternals/Eulacheck.yaml

@@ -26,7 +26,7 @@ sources:
     - |
       SELECT Key.Name as ProgramName,
              Key.FullPath as Key,
-             timestamp(epoch=Key.Mtime.Sec) AS TimeAccepted,
+             Key.Mtime AS TimeAccepted,
              {
                 SELECT Name FROM users WHERE UUID=regex_replace(
                    source=Key.FullPath, re=".+\\\\(S-[^\\\\]+)\\\\.+", replace="$1")