pe.yml
forked from elastic/ecs
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: pe
  title: PE Header
  group: 2
  description: These fields contain Windows Portable Executable (PE) metadata.
  type: group
  reusable:
    top_level: false
    order: 1
    expected:
      - file
      - dll
      - process
  fields:
    - name: original_file_name
      level: extended
      type: keyword
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
    - name: file_version
      level: extended
      type: keyword
      short: Internal version of the file.
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
    - name: description
      level: extended
      type: keyword
      description: Internal description of the file, provided at compile-time.
      example: Paint
    - name: product
      level: extended
      type: keyword
      description: Internal product name of the file, provided at compile-time.
      example: Microsoft® Windows® Operating System
    - name: company
      level: extended
      type: keyword
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
    - name: imphash
      level: extended
      type: keyword
      short: A hash of the imports in a PE file.
      description: >
        A hash of the imports in a PE file. An imphash -- or import hash -- can
        be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.
        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
      example: 0c6803c4e922103c4dca5963aad36ddf
    - name: architecture
      level: extended
      type: keyword
      description: CPU architecture target for the file.
      example: x64
    - name: go_import_hash
      short: A hash of the Go language imports in a PE file.
      description: >
        A hash of the Go language imports in a PE file excluding standard library imports.
        An import hash can be used to fingerprint binaries even after recompilation or other
        code-level transformations have occurred, which would change more traditional hash values.
        The algorithm used to calculate the Go symbol hash and a reference implementation
        are available [here](https://github.com/elastic/toutoumomoma).
      example: 10bddcb4cee42080f76c88d9ff964491
      type: keyword
      level: extended
    - name: go_imports
      description: >
        List of imported Go language element names and types.
      type: flattened
      level: extended
    - name: go_imports_names_entropy
      description: >
        Shannon entropy calculation from the list of Go imports.
      type: long
      format: number
      level: extended
    - name: go_imports_names_var_entropy
      description: >
        Variance for Shannon entropy calculation from the list of Go imports.
      type: long
      format: number
      level: extended
    - name: go_stripped
      short: Whether the file is a stripped or obfuscated Go executable.
      description: >
        Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
      type: boolean
      level: extended
    - name: import_hash
      short: A hash of the imports in a PE file.
      description: >
        A hash of the imports in a PE file. An import hash can be used to
        fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.
        This is a synonym for imphash.
      example: d41d8cd98f00b204e9800998ecf8427e
      type: keyword
      level: extended
    - name: imports
      description: >
        List of imported element names and types.
      type: flattened
      level: extended
      normalize:
        - array
    - name: imports_names_entropy
      description: >
        Shannon entropy calculation from the list of imported element names and types.
      format: number
      type: long
      level: extended
    - name: imports_names_var_entropy
      description: >
        Variance for Shannon entropy calculation from the list of imported element names and types.
      format: number
      type: long
      level: extended
    - name: pehash
      level: extended
      type: keyword
      short: A hash of the PE header and data from one or more PE sections.
      description: >
        A hash of the PE header and data from one or more PE sections. A pehash can
        be used to cluster files by transforming structural information about a file into a hash value.
        Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.
      example: 73ff189b63cd6be375a7ff25179a38d347651975
    - name: sections
      short: Section information of the PE file.
      description: >
        An array containing an object for each section of the PE file.
        The keys that should be present in these objects are defined by sub-fields
        underneath `pe.sections.*`.
      type: nested
      level: extended
      normalize:
        - "array"
    - name: sections.entropy
      description: >
        Shannon entropy calculation from the section.
      format: number
      type: long
      level: extended
    - name: sections.name
      description: >
        PE Section List name.
      type: keyword
      level: extended
    - name: sections.physical_size
      description: >
        PE Section List physical size.
      format: bytes
      type: long
      level: extended
    - name: sections.var_entropy
      description: >
        Variance for Shannon entropy calculation from the section.
      format: number
      type: long
      level: extended
    - name: sections.virtual_size
      description: >
        PE Section List virtual size. This is always the same as `physical_size`.
      format: string
      type: long
      level: extended
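The schema above names two calculations without spelling them out: the import hash behind `pe.imphash` / `pe.import_hash`, and the Shannon entropy and entropy variance behind `pe.sections.entropy` / `pe.sections.var_entropy`. The following is an added worked example, not code from the ECS schema or the elastic/ecs project, showing how a shipper could populate those fields from a PE image. It uses the widely used imphash recipe (MD5 over the comma-joined, lower-cased `dll.function` names in import order, with `.dll`/`.ocx`/`.sys` stripped from library names); the usual ordinal-to-name tables are left out, so imports are assumed to be passed as names already. The schema gives no formula for `var_entropy`; the code assumes the probability-weighted variance of the per-byte information content `-log2(p)` around the section's entropy, and that assumption is marked in the code. The PE image, the import list and the helper names (`build_sample_pe`, `ecs_pe_document`) are all constructed for this example.

```python
"""Added example: derive ECS ``pe.*`` values (imphash, per-section entropy) from a PE image."""
from __future__ import annotations

import hashlib
import json
import math
import struct

COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> tuple[float, float]:
    """Return (entropy, var_entropy) for a byte string in bits per byte; (0.0, 0.0) for empty input."""
    if not data:
        return 0.0, 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    probs = [c / len(data) for c in counts if c]
    h = -sum(p * math.log2(p) for p in probs)
    # Assumed definition of var_entropy (the schema gives none): the p-weighted
    # variance of the per-byte surprise -log2(p) around its mean H.
    var = sum(p * (-math.log2(p) - h) ** 2 for p in probs)
    return h, var


def imphash(imports: list[tuple[str, str]]) -> str:
    """Standard imphash: lower-case 'dll.func' entries in import order, joined by ',', MD5."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def parse_sections(pe: bytes) -> list[dict]:
    """Walk the COFF section table and return one ECS-shaped pe.sections object per section.
    Raises ValueError for a missing signature or a header/table that runs past the end of the file."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: MZ signature missing")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    if len(pe) < coff + struct.calcsize(COFF_HDR):
        raise ValueError("truncated COFF header")
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(COFF_HDR, pe, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size
    if len(pe) < table + nsections * struct.calcsize(SECTION_HDR):
        raise ValueError("truncated section table")
    sections = []
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]  # a truncated file simply yields fewer bytes here
        entropy, var_entropy = shannon_entropy(raw)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "physical_size": raw_size,
            "virtual_size": vsize,
            "entropy": entropy,
            "var_entropy": var_entropy,
        })
    return sections


def ecs_pe_document(pe: bytes, imports: list[tuple[str, str]]) -> dict:
    """Assemble the fragment a shipper would emit under the `pe` field set (hypothetical helper)."""
    h = imphash(imports)
    return {"pe": {"imphash": h, "import_hash": h, "sections": parse_sections(pe)}}


def build_sample_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE32+ image (not loadable): DOS header, PE signature, COFF header,
    zero-filled optional header, section table, then the raw section data back to back."""
    e_lfanew, opt_size = 0x40, 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HDR, 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    table_off = e_lfanew + 4 + 20 + opt_size
    data_off = table_off + 40 * len(sections)
    table, data = b"", b""
    for name, raw in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(raw), 0x1000,
                             len(raw), data_off + len(data), 0, 0, 0, 0, 0x60000020)
        data += raw
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + data


# Constructed sample inputs.
SAMPLE_IMPORTS = [("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
                  ("ADVAPI32.dll", "RegSetValueExW")]
SAMPLE_PE = build_sample_pe([
    (b".text", bytes(range(256)) * 4),  # every byte value equally often: 8.0 bits/byte
    (b".data", b"\0" * 512),            # a single byte value: 0.0 bits/byte
    (b".rsrc", b"AB" * 256),            # two equally likely values: exactly 1.0
])

if __name__ == "__main__":
    print(json.dumps(ecs_pe_document(SAMPLE_PE, SAMPLE_IMPORTS), indent=2))
```

Two details are worth noticing. The `pe.import_hash` example value in the schema, `d41d8cd98f00b204e9800998ecf8427e`, is the MD5 of the empty string, which is exactly what this recipe produces for a binary with no imports; a shipper that emits it for every file is most likely failing to parse the import table rather than seeing import-free binaries. And because entropy is computed over `SizeOfRawData` bytes starting at `PointerToRawData`, a truncated or malformed file silently yields a shorter slice, so the raw sizes on the section objects should be checked against the file length before those entropy values are trusted.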