{ "attributes": { "authentihash": { "description": "Authenticode executable signature hash (sha256)", "misp-attribute": "authentihash", "ui-priority": 1 }, "characteristics": { "description": "The characteristics that indicate the attributes of the file", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "sane_default": [ "AGGRESSIVE_WS_TRIM", "BYTES_REVERSED_HI", "BYTES_REVERSED_LO", "DEBUG_STRIPPED", "DLL", "EXECUTABLE_IMAGE", "LARGE_ADDRESS_AWARE", "LINE_NUMS_STRIPPED", "LOCAL_SYMS_STRIPPED", "NEED_32BIT_MACHINE", "NET_RUN_FROM_SWAP", "RELOCS_STRIPPED", "REMOVABLE_RUN_FROM_SWAP", "SYSTEM", "UP_SYSTEM_ONLY" ], "ui-priority": 0 }, "characteristics_hex": { "description": "The characteristics in a single hex value", "disable_correlation": true, "misp-attribute": "hex", "ui-priority": 0 }, "company-name": { "description": "CompanyName in the resources", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "compilation-timestamp": { "description": "Compilation timestamp defined in the PE header", "misp-attribute": "datetime", "ui-priority": 1 }, "entrypoint-address": { "description": "Address of the entry point", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "entrypoint-section-at-position": { "description": "Name of the section and position of the section in the PE", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "file-description": { "description": "FileDescription in the resources", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "file-version": { "description": "FileVersion in the resources", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "impfuzzy": { "description": "Fuzzy Hash (ssdeep) calculated from the import table", "misp-attribute": "impfuzzy", "ui-priority": 0 }, "imphash": { "description": "Hash (md5) calculated from the import table", "misp-attribute": "imphash", "ui-priority": 0 }, "internal-filename": { "description": "InternalFilename in the resources", "disable_correlation": true, "misp-attribute": "filename", "ui-priority": 0 }, "lang-id": { "description": "Lang ID in the resources", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "legal-copyright": { "description": "LegalCopyright in the resources", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "machine-type": { "description": "Type of machine", "disable_correlation": true, "misp-attribute": "text", "sane_default": [ "AM33", "AMD64", "ARM", "ARM64", "ARMNT", "EBC", "I386", "IA64", "M32R", "MIPS16", "MIPSFPU", "MIPSFPU16", "POWERPC", "POWERPCFP", "R4000", "SH3", "SH3DSP", "SH4", "SH5", "THUMB", "UNKNOWN", "WCEMIPSV2" ], "ui-priority": 0 }, "number-of-symbols": { "description": "Number of entries in the symbol table", "disable_correlation": true, "misp-attribute": "counter", "ui-priority": 0 }, "number-sections": { "description": "Number of sections", "disable_correlation": true, "misp-attribute": "counter", "ui-priority": 0 }, "original-filename": { "description": "OriginalFilename in the resources", "disable_correlation": true, "misp-attribute": "filename", "ui-priority": 1 }, "pehash": { "description": "Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/", "misp-attribute": "pehash", "ui-priority": 0 }, "pointer-to-symbol-table": { "description": "The file offset of the COFF symbol table.", "disable_correlation": true, "misp-attribute": "hex", "ui-priority": 0 }, "product-name": { "description": "ProductName in the resources", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "product-version": { "description": "ProductVersion in the resources", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "richpe": { "description": "RichPE metadata hash", "misp-attribute": "md5", "multiple": true, "ui-priority": 0 }, "size-of-optional-header": { "description": "Size of the optional header and the data directories which follow this header", "misp-attribute": "size-in-bytes", "ui-priority": 0 }, "text": { "description": "Free text value to attach to the PE", "disable_correlation": true, "misp-attribute": "text", "recommended": false, "ui-priority": 1 }, "type": { "description": "Type of PE", "disable_correlation": true, "misp-attribute": "text", "sane_default": [ "exe", "dll", "driver", "unknown" ], "ui-priority": 1 } }, "description": "Object describing a Portable Executable", "meta-category": "file", "name": "pe", "requiredOneOf": [ "text", "type", "original-filename", "internal-filename", "entrypoint-address", "imphash", "impfuzzy" ], "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07", "version": 9 }