{
  "attributes": {
    "authentihash": {
      "description": "Authenticode executable signature hash (sha256)",
      "misp-attribute": "authentihash",
      "ui-priority": 1
    },
    "characteristics": {
      "description": "The characteristics that indicate the attributes of the file",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "sane_default": [
        "AGGRESSIVE_WS_TRIM",
        "BYTES_REVERSED_HI",
        "BYTES_REVERSED_LO",
        "DEBUG_STRIPPED",
        "DLL",
        "EXECUTABLE_IMAGE",
        "LARGE_ADDRESS_AWARE",
        "LINE_NUMS_STRIPPED",
        "LOCAL_SYMS_STRIPPED",
        "NEED_32BIT_MACHINE",
        "NET_RUN_FROM_SWAP",
        "RELOCS_STRIPPED",
        "REMOVABLE_RUN_FROM_SWAP",
        "SYSTEM",
        "UP_SYSTEM_ONLY"
      ],
      "ui-priority": 0
    },
    "characteristics_hex": {
      "description": "The characteristics in a single hex value",
      "disable_correlation": true,
      "misp-attribute": "hex",
      "ui-priority": 0
    },
    "company-name": {
      "description": "CompanyName in the resources",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "compilation-timestamp": {
      "description": "Compilation timestamp defined in the PE header",
      "misp-attribute": "datetime",
      "ui-priority": 1
    },
    "entrypoint-address": {
      "description": "Address of the entry point",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "entrypoint-section-at-position": {
      "description": "Name of the section and position of the section in the PE",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "file-description": {
      "description": "FileDescription in the resources",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "file-version": {
      "description": "FileVersion in the resources",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "impfuzzy": {
      "description": "Fuzzy Hash (ssdeep) calculated from the import table",
      "misp-attribute": "impfuzzy",
      "ui-priority": 0
    },
    "imphash": {
      "description": "Hash (md5) calculated from the import table",
      "misp-attribute": "imphash",
      "ui-priority": 0
    },
    "internal-filename": {
      "description": "InternalFilename in the resources",
      "disable_correlation": true,
      "misp-attribute": "filename",
      "ui-priority": 0
    },
    "lang-id": {
      "description": "Lang ID in the resources",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "legal-copyright": {
      "description": "LegalCopyright in the resources",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "machine-type": {
      "description": "Type of machine",
      "disable_correlation": true,
      "misp-attribute": "text",
      "sane_default": [
        "AM33",
        "AMD64",
        "ARM",
        "ARM64",
        "ARMNT",
        "EBC",
        "I386",
        "IA64",
        "M32R",
        "MIPS16",
        "MIPSFPU",
        "MIPSFPU16",
        "POWERPC",
        "POWERPCFP",
        "R4000",
        "SH3",
        "SH3DSP",
        "SH4",
        "SH5",
        "THUMB",
        "UNKNOWN",
        "WCEMIPSV2"
      ],
      "ui-priority": 0
    },
    "number-of-symbols": {
      "description": "Number of entries in the symbol table",
      "disable_correlation": true,
      "misp-attribute": "counter",
      "ui-priority": 0
    },
    "number-sections": {
      "description": "Number of sections",
      "disable_correlation": true,
      "misp-attribute": "counter",
      "ui-priority": 0
    },
    "original-filename": {
      "description": "OriginalFilename in the resources",
      "disable_correlation": true,
      "misp-attribute": "filename",
      "ui-priority": 1
    },
    "pehash": {
      "description": "Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/",
      "misp-attribute": "pehash",
      "ui-priority": 0
    },
    "pointer-to-symbol-table": {
      "description": "The file offset of the COFF symbol table.",
      "disable_correlation": true,
      "misp-attribute": "hex",
      "ui-priority": 0
    },
    "product-name": {
      "description": "ProductName in the resources",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "product-version": {
      "description": "ProductVersion in the resources",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "richpe": {
      "description": "RichPE metadata hash",
      "misp-attribute": "md5",
      "multiple": true,
      "ui-priority": 0
    },
    "size-of-optional-header": {
      "description": "Size of the optional header and the data directories which follow this header",
      "misp-attribute": "size-in-bytes",
      "ui-priority": 0
    },
    "text": {
      "description": "Free text value to attach to the PE",
      "disable_correlation": true,
      "misp-attribute": "text",
      "recommended": false,
      "ui-priority": 1
    },
    "type": {
      "description": "Type of PE",
      "disable_correlation": true,
      "misp-attribute": "text",
      "sane_default": [
        "exe",
        "dll",
        "driver",
        "unknown"
      ],
      "ui-priority": 1
    }
  },
  "description": "Object describing a Portable Executable",
  "meta-category": "file",
  "name": "pe",
  "requiredOneOf": [
    "text",
    "type",
    "original-filename",
    "internal-filename",
    "entrypoint-address",
    "imphash",
    "impfuzzy"
  ],
  "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
  "version": 9
}