Summary
The Portable Executable (PE) sub-field, of the file top-level fieldset, can be updated to include more file attributes to aid in malware analysis.
Because this is extending an existing sub-field vs. creating a top-level fieldset, I wanted to make an Issue first to determine if this required an RFC.
Motivation:
In creating a VirusTotal Filebeat module, we identified opportunities to extend the file.* top-level fieldset.
Detailed Design:
```yaml
- name: file.pe
  type: group
  fields:
    - name: flattened
      release: beta
      type: group
      fields:
        - name: debug
          default_field: false
          description: >
            Debug information, if present
          type: flattened
        - name: import_list
          default_field: false
          description: >
            List of all imported functions
          type: flattened
        - name: sections
          default_field: false
          description: >
            Data about sections of compiled binary PE
          type: flattened
        - name: resource_details
          default_field: false
          type: flattened
          description: >
            If the PE contains resources, some info about them
        - name: resource_languages
          default_field: false
          type: flattened
          description: >
            Digest of languages found in resources. Key is language (as string) and
            value is how many resources there are having that language (as integer)
        - name: resource_types
          default_field: false
          type: flattened
          description: >
            Digest of resource types. Key is resource type (as string) and value
            is how many resources there are of that specific type (as integer)
        - name: packers
          default_field: false
          type: flattened
          description: >
            Identifies packers used on Windows PE files by several tools and AVs.
            Keys are tool names and values are identified packers, both strings.
            See `file.pe.packers` for the merged list of packers from all tools.
          overwrite: true
    - name: exports
      type: keyword
      description: >
        List of symbols exported by PE
    - name: creation_date
      default_field: false
      description: >
        Extracted when possible from the file's metadata. Indicates when it was
        built or compiled. It can also be faked by malware creators.
      type: date
    - name: authentihash
      description: >
        Authentihash of the PE file.
      type: keyword
    - name: compile_timestamp
      description: >
        Compile timestamp of the PE file.
      type: date
    - name: packers
      type: keyword
      description: >
        Merged list of all detected packers by all tools used. See `file.pe.flattened.packers`.
    - name: main_icon.hash
      type: group
      description: >
        Hashes of embedded program icon
      fields:
        - name: dhash
          description: >
            Difference Hash for a given PE file.
          type: keyword
          release: beta
        - name: md5
          type: keyword
          description: >
            MD5 hash of raw icon data
          release: beta
    - name: compiler_product_versions
      type: keyword
      description: >
        Version of the compiler.
    # Defined once; the original draft listed this field a second time at the
    # end of the group, which would be a duplicate field name in the schema.
    - name: rich_pe_header_hash
      type: keyword
      description: >
        Hash of the PE header.
    - name: entry_point
      description: >
        Entry point of the PE file.
      format: string
      type: long
    - name: machine_type
      description: >
        Machine type of the PE file.
      type: keyword
    - name: overlay
      description: >
        Overlay information of the PE file.
      release: beta
      type: group
      fields:
        - name: chi2
          description: >
            Chi2 information of the PE file.
          type: float
        - name: entropy
          description: >
            Entropy information of the PE file.
          type: float
        - name: filetype
          description: >
            Filetype of the PE file.
          type: keyword
        - name: md5
          description: >
            Overlay MD5 hash of the PE file.
          type: keyword
        - name: offset
          description: >
            Offset of the overlay information of the PE file.
          type: long
        - name: size
          description: >
            Size of the PE file.
          format: bytes
          type: long
```
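To show how a few of the proposed attributes are actually derived from a binary, here is an added stand-alone extractor (example code, not part of this proposal or of any Filebeat module). It walks the COFF, optional and section headers with `struct` and emits `machine_type`, `compile_timestamp`, `entry_point`, per-section data for `flattened.sections`, and `overlay.offset`/`size`/`entropy` for bytes appended after the last section; the machine-type labels, the section sub-keys and the sample image are assumptions of this example.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone
# Assumed mapping from IMAGE_FILE_MACHINE_* values to labels; not part of the proposal.
MACHINE_TYPES = {0x14C: "i386", 0x8664: "x86_64", 0x1C0: "arm", 0xAA64: "arm64"}

def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits (0.0 .. 8.0), as used for overlay.entropy."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_fields(image: bytes) -> dict:
    """Parse the COFF/optional/section headers and return file.pe.* attributes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", image, opt + 16)[0]       # AddressOfEntryPoint
    sections, end_of_data = [], 0
    for i in range(nsec):
        name, _, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "virtual_address": vaddr, "raw_size": rsize,
                         "entropy": round(shannon_entropy(image[rptr:rptr + rsize]), 3)})
        end_of_data = max(end_of_data, rptr + rsize)
    doc = {"machine_type": MACHINE_TYPES.get(machine, f"0x{machine:x}"),
           "compile_timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
           "entry_point": entry, "flattened": {"sections": sections}}
    overlay = image[end_of_data:]                              # bytes past the last section
    if overlay:
        doc["overlay"] = {"offset": end_of_data, "size": len(overlay),
                          "entropy": round(shannon_entropy(overlay), 3)}
    return doc

def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32+ image: one .text section plus a 16-byte overlay."""
    pe_off, opt_size = 0x40, 0xF0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0x5F5E1000, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0x200, 0, 0, 0x1000) + b"\0" * (opt_size - 20)
    raw_ptr = pe_off + 4 + 20 + opt_size + 40                  # section data follows the headers
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)
    text = bytes(range(256)) * 2                               # 512 bytes, entropy 8.0
    return dos + b"PE\0\0" + coff + opt + sec + text + b"\0" * 16
```

Running `pe_fields(build_sample_pe())` returns an `x86_64` image compiled at `2020-09-13T12:26:40+00:00` with a 16-byte zero-entropy overlay at offset 880; on a real sample, a large high-entropy overlay is exactly the signal the `overlay.*` fields are meant to surface.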