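---
# Field definitions for the `pe` (Portable Executable) fieldset, in the
# elastic/ecs schema layout: each entry declares a field name, its level,
# its mapping type and a free-text description with an example value.
# Example values for `keyword` fields that consist only of digits are
# quoted so a YAML loader keeps them as strings rather than inferring ints.
- name: pe
  fields:
    - name: icon.hash.dhash
      level: extended
      type: keyword
      description: >
        Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
      example: 'b806e17c8e330d82'

    # Nested debug-directory entries; child fields use the `debug.` prefix.
    - name: debug
      level: extended
      type: nested
      short: Debug information
      description: >
        An array containing an object for each debug entry, if present.
        The expected fields for this nested object fall under the `debug.` prefix.
      normalize:
        - array
    - name: debug.offset
      level: extended
      type: keyword
      description: Debug offset information.
      example: '1296336'  # keyword field: quoted so the example stays a string
    - name: debug.size
      level: extended
      type: long
      format: bytes
      description: Size of the debug information.
      example: 816
    - name: debug.type
      level: extended
      type: keyword
      description: Information type generated by the debug options.
      example: IMAGE_DEBUG_TYPE_POGO
    - name: debug.timestamp
      level: extended
      type: date
      description: Timestamp of the debug information.
      example: '2020-11-05T17:25:47.000Z'

    # Import table, stored as a flattened object rather than a nested array.
    - name: imports
      level: extended
      type: flattened
      description: List of all imported functions
      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }'

    # Nested section-table entries; child fields use the `sections.` prefix.
    - name: sections
      level: extended
      short: Data about sections of the compiled binary PE
      description: >
        Data about sections of compiled binary PE
      type: nested
      normalize:
        - array
    - name: sections.chi2
      level: extended
      description: Chi-square probability distribution.
      type: long
      example: 3027194
    - name: sections.virtual_address
      level: extended
      description: Virtual address available to the file.
      type: long
      # NOTE(review): `format: bytes` renders the value as a byte size;
      # confirm that is intended for an address rather than a size.
      format: bytes
      example: 8192
    - name: sections.entropy
      level: extended
      description: Measurement of entropy randomness in the file.
      type: float
      example: 6.24
    - name: sections.flags
      level: extended
      description: Section flags of the file.
      type: keyword
      example: rx
    - name: sections.name
      level: extended
      description: Section names of the file.
      type: keyword
      example: '.text, .data'
    - name: sections.raw_size
      level: extended
      description: Size of the section or the size of the initialized data on disk.
      type: long
      format: bytes
      example: 198144

    # Nested resource-directory entries; child fields use the `resources.` prefix.
    - name: resources
      level: extended
      type: nested
      short: PE resource information
      description: >
        An array containing an object for each PE resource, if present.
        The expected fields for this nested object fall under the `resources.` prefix.
      normalize:
        - array
    - name: resources.chi2
      level: extended
      description: Chi-square probability distribution.
      type: long
      example: -1
    - name: resources.filetype
      level: extended
      description: File type of the resources section.
      type: keyword
      example: Data
    - name: resources.entropy
      level: extended
      description: Measurement of entropy randomness in the resources section.
      # NOTE(review): sections.entropy above is `float` while this is `long`,
      # and the example is not a single integer — confirm the intended type.
      type: long
      example: '0, 1'
    - name: resources.sha256
      level: extended
      description: SHA256 hash of resources section.
      type: keyword
      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    - name: resources.language
      level: extended
      description: Language identification.
      type: keyword
      example: 'CHINESE SIMPLIFIED'
    - name: resources.type
      level: extended
      type: keyword
      short: List of resource types.
      description: >
        Digest of resource types.
      example: '["RT_VERSION", "RT_MANIFEST"]'
      normalize:
        - array

    - name: exports
      level: extended
      type: keyword
      description: >
        List of symbols exported by PE
      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
      normalize:
        - array

    # Timestamps below come from file metadata and, as the description
    # says, can be set arbitrarily by whoever built the file.
    - name: creation_date
      level: extended
      short: Build or compile date.
      description: >
        Extracted when possible from the file's metadata. Indicates when it was
        built or compiled. It can also be faked by malware creators.
      type: date
      example: '2020-11-05T17:25:47.000Z'
    - name: authentihash
      level: extended
      description: >
        Authentihash of the PE file.
      type: keyword
      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
    - name: compile_timestamp
      level: extended
      description: >
        Compile timestamp of the PE file.
      # NOTE(review): overlaps with creation_date above (same example value);
      # confirm which one producers are expected to populate.
      type: date
      example: '2020-11-05T17:25:47.000Z'
    - name: compiler.name
      level: extended
      type: keyword
      description: >
        Name of the compiler
      example: Clang
    - name: compiler.version
      level: extended
      type: keyword
      description: >
        Version of the compiler.
      example: '11.0.0'  # quoted: version strings must not be retyped
    - name: rich_header.hash.md5
      level: extended
      type: keyword
      description: >
        MD5 hash of the header for the PE file.
      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
    - name: entry_point
      level: extended
      description: >
        Relative byte offset to the base of the PE file.
      type: keyword
      example: '25856'  # keyword field: quoted so the example stays a string
    - name: machine_type
      level: extended
      description: >
        Machine type of the PE file.
      type: keyword
      example: 'Intel 386 or later, and compatibles'
    - name: packers
      level: extended
      description: >
        List of packers and tools used.
      type: keyword
      example: '["ASPack v2.12", ".NET executable"]'
      normalize:
        - array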