misp-objects/objects/pe/definition.json

217 lines
5.9 KiB
JSON
Raw Normal View History

2017-03-09 14:14:36 +01:00
{
"attributes": {
"authentihash": {
"description": "Authenticode executable signature hash (sha256)",
"misp-attribute": "authentihash",
"ui-priority": 1
},
"characteristics": {
"description": "The characteristics that indicate the attributes of the file",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
2024-04-03 14:29:36 +02:00
"sane_default": [
"AGGRESSIVE_WS_TRIM",
"BYTES_REVERSED_HI",
"BYTES_REVERSED_LO",
"DEBUG_STRIPPED",
"DLL",
"EXECUTABLE_IMAGE",
"LARGE_ADDRESS_AWARE",
"LINE_NUMS_STRIPPED",
"LOCAL_SYMS_STRIPPED",
"NEED_32BIT_MACHINE",
"NET_RUN_FROM_SWAP",
"RELOCS_STRIPPED",
"REMOVABLE_RUN_FROM_SWAP",
"SYSTEM",
"UP_SYSTEM_ONLY"
],
"ui-priority": 0
},
"characteristics_hex": {
"description": "The characteristics in a single hex value",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"company-name": {
"description": "CompanyName in the resources",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
2017-03-15 11:30:54 +01:00
},
"compilation-timestamp": {
"description": "Compilation timestamp defined in the PE header",
"misp-attribute": "datetime",
"ui-priority": 1
2017-07-03 12:17:46 +02:00
},
"entrypoint-address": {
"description": "Address of the entry point",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
2017-07-03 12:17:46 +02:00
},
"entrypoint-section-at-position": {
"description": "Name of the section and position of the section in the PE",
2017-03-14 15:57:05 +01:00
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
2017-07-03 12:17:46 +02:00
},
"file-description": {
"description": "FileDescription in the resources",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
2017-08-29 13:25:58 +02:00
"misp-attribute": "text",
"ui-priority": 0
2017-07-03 12:17:46 +02:00
},
"file-version": {
"description": "FileVersion in the resources",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"impfuzzy": {
"description": "Fuzzy Hash (ssdeep) calculated from the import table",
"misp-attribute": "impfuzzy",
"ui-priority": 0
2017-03-09 14:14:36 +01:00
},
2017-07-03 12:17:46 +02:00
"imphash": {
2017-08-29 13:25:58 +02:00
"description": "Hash (md5) calculated from the import table",
"misp-attribute": "imphash",
"ui-priority": 0
2017-03-09 14:14:36 +01:00
},
"internal-filename": {
"description": "InternalFilename in the resources",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "filename",
"ui-priority": 0
2017-03-09 14:14:36 +01:00
},
"lang-id": {
"description": "Lang ID in the resources",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
2017-03-09 14:14:36 +01:00
},
"legal-copyright": {
"description": "LegalCopyright in the resources",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
2017-03-09 14:14:36 +01:00
},
"machine-type": {
"description": "Type of machine",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"AM33",
"AMD64",
"ARM",
"ARM64",
"ARMNT",
"EBC",
"I386",
"IA64",
"M32R",
"MIPS16",
"MIPSFPU",
"MIPSFPU16",
"POWERPC",
"POWERPCFP",
"R4000",
"SH3",
"SH3DSP",
"SH4",
"SH5",
"THUMB",
"UNKNOWN",
"WCEMIPSV2"
],
"ui-priority": 0
},
"number-of-symbols": {
"description": "Number of entries in the symbol table",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"number-sections": {
"description": "Number of sections",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
2017-03-09 14:14:36 +01:00
},
"original-filename": {
"description": "OriginalFilename in the resources",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "filename",
"ui-priority": 1
},
"pehash": {
"description": "Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/",
"misp-attribute": "pehash",
"ui-priority": 0
2017-03-09 14:14:36 +01:00
},
"pointer-to-symbol-table": {
"description": "The file offset of the COFF symbol table.",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
2017-03-09 14:14:36 +01:00
"product-name": {
2017-08-29 13:25:58 +02:00
"description": "ProductName in the resources",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
2017-03-09 14:14:36 +01:00
},
"product-version": {
2017-08-29 13:25:58 +02:00
"description": "ProductVersion in the resources",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
2017-03-12 23:06:39 +01:00
},
2020-08-20 10:39:49 +02:00
"richpe": {
"description": "RichPE metadata hash",
"misp-attribute": "md5",
2020-08-20 10:44:41 +02:00
"multiple": true,
2020-08-20 10:39:49 +02:00
"ui-priority": 0
},
"size-of-optional-header": {
"description": "Size of the optional header and the data directories which follow this header",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"text": {
"description": "Free text value to attach to the PE",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
2017-03-12 23:06:39 +01:00
},
"type": {
"description": "Type of PE",
2017-07-03 12:17:46 +02:00
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"exe",
"dll",
"driver",
"unknown"
],
"ui-priority": 1
2017-03-09 14:14:36 +01:00
}
},
2017-07-03 12:17:46 +02:00
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"requiredOneOf": [
"text",
"type",
"original-filename",
"internal-filename",
"entrypoint-address",
"imphash",
"impfuzzy"
],
2017-07-03 12:17:46 +02:00
"uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
2024-04-03 14:29:36 +02:00
"version": 9
}