From 69a66adaa770d403ddd21b6f2a1e75cfa7f2ea29 Mon Sep 17 00:00:00 2001
From: Lars Karlslund <lars@karlslund.dk>
Date: Mon, 22 Jan 2024 11:51:34 +0100
Subject: [PATCH] Parsing of msPKIRoamingTimeStamp

---
 modules/integrations/activedirectory/attributes.go | 1 +
 modules/integrations/activedirectory/rawobject.go  | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/modules/integrations/activedirectory/attributes.go b/modules/integrations/activedirectory/attributes.go
index fbfb94d..ee5b034 100644
--- a/modules/integrations/activedirectory/attributes.go
+++ b/modules/integrations/activedirectory/attributes.go
@@ -18,6 +18,7 @@ var (
 	MemberOf                                = engine.NewAttribute("memberOf").Tag("AD")
 	Member                                  = engine.NewAttribute("member").Tag("AD")
 	BadPasswordTime                         = engine.NewAttribute("badPasswordTime").Tag("AD").Type(engine.AttributeTypeTime100NS)
+	MsPKIRoamingTimeStamp                   = engine.NewAttribute("msPKIRoamingTimeStamp").Tag("AD").Type(engine.AttributeTypeTime100NS)
 	CreationTime                            = engine.NewAttribute("creationTime").Tag("AD").Type(engine.AttributeTypeTime100NS)
 	AccountExpires                          = engine.NewAttribute("accountExpires").Tag("AD").Type(engine.AttributeTypeTime100NS)
 	RepsTo                                  = engine.NewAttribute("repsTo").Tag("AD")
diff --git a/modules/integrations/activedirectory/rawobject.go b/modules/integrations/activedirectory/rawobject.go
index 3a89abf..b4e8f35 100644
--- a/modules/integrations/activedirectory/rawobject.go
+++ b/modules/integrations/activedirectory/rawobject.go
@@ -94,6 +94,10 @@ func EncodeAttributeData(attribute engine.Attribute, values []string) engine.Att
 		var attributevalue engine.AttributeValue
 		switch attribute {
 		// Add more things here, like time decoding etc
+		case MsPKIRoamingTimeStamp:
+			// https://www.sysadmins.lv/blog-en/how-to-convert-ms-pki-roaming-timestamp-attribute.aspx
+			t := util.FiletimeToTime(binary.LittleEndian.Uint64([]byte(value[8:])))
+			attributevalue = engine.AttributeValueTime(t)
 		case AccountExpires, CreationTime, PwdLastSet, LastLogon, LastLogonTimestamp, MSmcsAdmPwdExpirationTime, BadPasswordTime:
 			if intval, err := strconv.ParseInt(value, 10, 64); err == nil {
 				if intval == 0 {