From 92c2f16dbcc68ba186998ae7a4aadb8da8b29e09 Mon Sep 17 00:00:00 2001
From: Lars Karlslund
Date: Sun, 10 Dec 2023 15:31:23 +0100
Subject: [PATCH] Time decoding for BadPasswordTime
---
 modules/integrations/activedirectory/attributes.go | 1 +
 modules/integrations/activedirectory/rawobject.go | 8 +++-----
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/modules/integrations/activedirectory/attributes.go b/modules/integrations/activedirectory/attributes.go
index 5f35816..ee7b04f 100644
--- a/modules/integrations/activedirectory/attributes.go
+++ b/modules/integrations/activedirectory/attributes.go
@@ -17,6 +17,7 @@ var (
 GroupType = engine.NewAttribute("groupType").Tag("AD").Single()
 MemberOf = engine.NewAttribute("memberOf").Tag("AD")
 Member = engine.NewAttribute("member").Tag("AD")
+ BadPasswordTime = engine.NewAttribute("badPasswordTime").Tag("AD").Type(engine.AttributeTypeTime100NS)
 CreationTime = engine.NewAttribute("creationTime").Tag("AD").Type(engine.AttributeTypeTime100NS)
 AccountExpires = engine.NewAttribute("accountExpires").Tag("AD").Type(engine.AttributeTypeTime100NS)
 RepsTo = engine.NewAttribute("repsTo").Tag("AD")
diff --git a/modules/integrations/activedirectory/rawobject.go b/modules/integrations/activedirectory/rawobject.go
index c64edc6..fa8f0a7 100644
--- a/modules/integrations/activedirectory/rawobject.go
+++ b/modules/integrations/activedirectory/rawobject.go
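Review bot: In attributes.go the new `BadPasswordTime` declaration carries no comment on how its value should be read. Active Directory does not replicate badPasswordTime, so every domain controller keeps its own copy and a dump taken from one DC shows only the failed logons that DC recorded. I would add `// badPasswordTime is not replicated; the value reflects only the DC that was queried` above the line, so that an absent or old timestamp is not taken as proof that no failed logons occurred. The `var (` block starts and ends outside the hunk.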
@@ -94,11 +94,9 @@ func EncodeAttributeData(attribute engine.Attribute, values []string) engine.Att var attributevalue engine.AttributeValue switch attribute { // Add more things here, like time decoding etc - case CreationTime, AccountExpires, PwdLastSet, LastLogon, LastLogonTimestamp, MSmcsAdmPwdExpirationTime: - // Just use string encoding + case CreationTime, PwdLastSet, LastLogon, LastLogonTimestamp, MSmcsAdmPwdExpirationTime, BadPasswordTime: if intval, err := strconv.ParseInt(value, 10, 64); err == nil { - if attribute == PwdLastSet && intval == 0 { - // ui.Warn().Msg("PwdLastSet is 0") + if intval == 0 { attributevalue = engine.AttributeValueInt(intval) } else { t := util.FiletimeToTime(uint64(intval)) @@ -107,7 +105,7 @@ func EncodeAttributeData(attribute engine.Attribute, values []string) engine.Att } else { ui.Warn().Msgf("Failed to convert attribute %v value %2x to timestamp: %v", attribute.String(), value, err) } - case WhenChanged, WhenCreated, DsCorePropagationData, + case AccountExpires, WhenChanged, WhenCreated, DsCorePropagationData, MsExchLastUpdateTime, MsExchPolicyLastAppliedTime, MsExchWhenMailboxCreated, GWARTLastModified, SpaceLastComputed:
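Review bot: `AccountExpires` is removed from this FILETIME case and, in the second hunk (`@@ -107,7 +105,7 @@`), added to the `WhenChanged`/`WhenCreated` case, while attributes.go still declares it with `engine.AttributeTypeTime100NS` and the commit message mentions only BadPasswordTime. accountExpires is a 64-bit count of 100-ns intervals in which both 0 and 0x7FFFFFFFFFFFFFFF mean the account never expires; the body of the `WhenChanged` case lies outside the hunk, so I cannot confirm it, but if that case parses timestamp strings the expiry will fail to decode and any account-expiry analysis loses its data. I would keep `AccountExpires` in this case and extend the sentinel check to `if intval == 0 || intval == 0x7FFFFFFFFFFFFFFF {`. The case also lost its only comment; `// FILETIME values; 0 is kept as an int rather than converted to a time` would explain the branch. `EncodeAttributeData` starts and ends outside the hunk.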