Summary
The Executable and Linkable Format (ELF) sub-field does not yet exist for the `file` top-level fieldset. It can be created to include more file attributes to aid in malware and file analysis.
Because this is creating a sub-field vs. a top-level fieldset, I wanted to make an Issue first to determine if this required an RFC.
Motivation:
In creating a VirusTotal Filebeat module, we identified opportunities to extend the `file.*` top-level fieldset with the creation of the ELF sub-field.
Detailed Design:
```yaml
- name: file.elf
  default_field: false
  description: >
    ELF events from VirusTotal Intelligence Live Hunt results.
  overwrite: true
  type: group
  release: beta
  fields:
    - name: creation_date
      default_field: false
      description: >
        extracted when possible from the file's metadata. Indicates when it was
        built or compiled. It can also be faked by malware creators.
      type: date
    - name: header
      default_field: false
      description: >
        Header information of the ELF file.
      release: beta
      type: group
      fields:
        - name: class
          description: >
            Header class of the ELF file.
          type: keyword
        - name: data
          description: >
            Data table of the ELF header.
          type: keyword
        - name: machine
          description: >
            Machine architecture of the ELF header.
          type: keyword
        - name: os_abi
          description: >
            NEED TO ADD
          type: keyword
        - name: type
          description: >
            Header type of the ELF file.
          type: keyword
        - name: version
          description: >
            Version of the ELF header.
          type: keyword
        - name: abi_version
          type: keyword
          description: >
            Version of the ELF Application Binary Interface (ABI).
        - name: entrypoint
          format: string
          type: long
          description: >
            Header entrypoint of the ELF file.
        - name: object_version
          type: keyword
          description: >
            "0x1" for original ELF files.
        - name: number_program_headers
          description: >
            Number of ELF Program Headers.
          type: long
        - name: number_section_headers
          description: >
            Number of ELF Section Headers.
          type: long
    - name: sections
      default_field: false
      description: >
        Section information of the ELF file.
      release: beta
      type: group
      fields:
        - name: flags
          description: >
            ELF Section List flags.
          type: keyword
        - name: name
          description: >
            ELF Section List name.
          type: keyword
        - name: physical_offset
          description: >
            ELF Section List offset.
          type: keyword
        - name: section_type
          description: >
            ELF Section List type.
          type: keyword
        - name: size
          description: >
            ELF Section List size.
          format: bytes
          type: long
        - name: virtual_address
          description: >
            ELF Section List virtual address.
          format: string
          type: long
    - name: exports
      description: >
        List of exported element names and types
      release: beta
      type: group
      fields:
        - name: name
          description: >
            Name of exported symbol
          type: keyword
          default_field: false
        - name: type
          description: >
            Type of exported symbol
          type: keyword
          default_field: false
    - name: imports
      description: >
        List of imported element names and types
      release: beta
      type: group
      fields:
        - name: name
          description: >
            Name of imported symbol
          type: keyword
          default_field: false
        - name: type
          description: >
            Type of imported symbol
          type: keyword
          default_field: false
    - name: shared_libraries
      description: >
        List of shared libraries used by this ELF object
      type: keyword
    - name: telfhash
      description: >
        telfhash hash for ELF files.
      type: keyword
    - name: flattened
      default_field: false
      description: >
        Flattened ELF events from VirusTotal Intelligence Live Hunt results.
      release: beta
      type: group
      fields:
        - name: segment_list
          description: >
            ELF object segment list.
          type: flattened
```
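As an added illustration (not part of this proposal or of the VirusTotal module), the following shows how the raw ELF file header maps onto the proposed `file.elf.header.*` fields for both ELF32 and ELF64 and both byte orders. The label tables for class, data, os_abi, type and machine are partial, assumed values; the proposal does not fix the keyword vocabulary.

```python
"""Populate the proposed file.elf.header fields from the raw ELF file header."""
import struct

ELF_MAGIC = b"\x7fELF"
# Assumed, partial label tables: the proposal does not define the keyword values.
CLASS = {1: "elf32", 2: "elf64"}
DATA = {1: "little endian", 2: "big endian"}
OS_ABI = {0: "UNIX - System V", 3: "UNIX - GNU"}
TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
MACHINE = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(blob):
    """Return an ECS-style document with file.elf.header.* from the first 52/64 bytes."""
    if len(blob) < 52 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = blob[4:9]
    if ei_class not in CLASS or ei_data not in DATA:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # ELF64 widens e_entry, e_phoff and e_shoff to 8 bytes; all other fields are fixed.
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    if len(blob) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, e_version, e_entry, _phoff, _shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, blob, 16)
    header = {
        "class": CLASS[ei_class],
        "data": DATA[ei_data],
        "version": str(ei_version),
        "os_abi": OS_ABI.get(ei_osabi, str(ei_osabi)),
        "abi_version": str(ei_abiversion),
        "type": TYPE.get(e_type, str(e_type)),
        "machine": MACHINE.get(e_machine, str(e_machine)),
        "object_version": hex(e_version),  # "0x1" for original ELF files
        "entrypoint": e_entry,             # type: long, format: string in the schema
        "number_program_headers": e_phnum,
        "number_section_headers": e_shnum,
    }
    return {"file": {"elf": {"header": header}}}


def build_sample_header():
    """Constructed ELF64 little-endian x86-64 shared-object header, not from a real file."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    return ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x1040, 64, 0x3000, 0, 64, 56, 11, 64, 30, 29)


if __name__ == "__main__":
    print(parse_elf_header(build_sample_header()))
```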