# Licensed to Elasticsearch B.V. under one or more contributor # license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright # ownership. Elasticsearch B.V. licenses this file to you under # the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. --- - name: pe title: PE Header group: 2 description: These fields contain Windows Portable Executable (PE) metadata. type: group reusable: top_level: false order: 1 expected: - file - dll - process fields: - name: original_file_name level: extended type: keyword description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - name: file_version level: extended type: keyword short: Process name. description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - name: description level: extended type: keyword description: Internal description of the file, provided at compile-time. example: Paint - name: product level: extended type: keyword description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - name: company level: extended type: keyword description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - name: imphash level: extended type: keyword short: A hash of the imports in a PE file. description: > A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. example: 0c6803c4e922103c4dca5963aad36ddf - name: architecture level: extended type: keyword description: CPU architecture target for the file. example: x64 - name: go_import_hash short: A hash of the Go language imports in a PE file. description: > A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). example: 10bddcb4cee42080f76c88d9ff964491 type: keyword level: extended - name: go_imports description: > List of imported Go language element names and types. type: flattened level: extended - name: go_imports_names_entropy description: > Shannon entropy calculation from the list of Go imports. type: long format: number level: extended - name: go_imports_names_var_entropy description: > Variance for Shannon entropy calculation from the list of Go imports. type: long format: number level: extended - name: go_stripped short: Whether the file is a stripped or obfuscated Go executable. description: > Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. type: boolean level: extended - name: import_hash short: A hash of the imports in a PE file. description: > A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash. example: d41d8cd98f00b204e9800998ecf8427e type: keyword level: extended - name: imports description: > List of imported element names and types. type: flattened level: extended normalize: - array - name: imports_names_entropy description: > Shannon entropy calculation from the list of imported element names and types. format: number type: long level: extended - name: imports_names_var_entropy description: > Variance for Shannon entropy calculation from the list of imported element names and types. format: number type: long level: extended - name: pehash level: extended type: keyword short: A hash of the PE header and data from one or more PE sections. description: > A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. example: 73ff189b63cd6be375a7ff25179a38d347651975 - name: sections short: Section information of the PE file. description: > An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`. type: nested level: extended normalize: - "array" - name: sections.entropy description: > Shannon entropy calculation from the section. format: number type: long level: extended - name: sections.name description: > PE Section List name. type: keyword level: extended - name: sections.physical_size description: > PE Section List physical size. format: bytes type: long level: extended - name: sections.var_entropy description: > Variance for Shannon entropy calculation from the section. format: number type: long level: extended - name: sections.virtual_size description: > PE Section List virtual size. This is always the same as `physical_size`. format: string type: long level: extended