{
"attributes": {
"address-of-entrypoint": {
"description": "The address of the entry point relative to the image base when the executable file is loaded into memory",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 1
},
"base-of-code": {
"description": "Address relative to the image base where the binary's code starts",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"base-of-data": {
"description": "Address relative to the image base where the binary's data starts",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"checksum": {
"description": "The image file checksum",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"dll-characteristics": {
"description": "DLL characteristics flags of the underlying binary",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"APPCONTAINER",
"DYNAMIC_BASE",
"FORCE_INTEGRITY",
"GUARD_CF",
"HIGH_ENTROPY_VA",
"NO_BIND",
"NO_ISOLATION",
"NO_SEH",
"NX_COMPAT",
"TERMINAL_SERVER_AWARE",
"WDM_DRIVER"
],
"ui-priority": 0
},
"dll-characteristics-hex": {
"description": "The DLL characteristics in a single hex value",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"file-alignment": {
"description": "The alignment factor (in bytes) that is used to align the raw data of sections in the image file",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"image-base": {
"description": "The preferred base address when mapping the binary in memory",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"loader-flags": {
"description": "According to the PE specifications, this value is reserved and should be 0",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"magic": {
"description": "Magic value (PE_TYPE) that distinguishes a PE32 image from a PE32+ (PE64) image",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"PE32",
"PE32_PLUS"
],
"ui-priority": 0
},
"magic-hex": {
"description": "The magic value as a single hex value",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"major-image-version": {
"description": "The major version number of the image",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"major-linker-version": {
"description": "The linker major version number",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"major-os-version": {
"description": "The major version number of the required operating system",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"major-subsystem-version": {
"description": "The major version number of the subsystem",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"minor-image-version": {
"description": "The minor version number of the image",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"minor-linker-version": {
"description": "The linker minor version number",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"minor-os-version": {
"description": "The minor version number of the required operating system",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"minor-subsystem-version": {
"description": "The minor version number of the subsystem",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"number-of-rva-and-size": {
"description": "The number of DataDirectory entries that follow this header",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"section-alignment": {
"description": "The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to file_alignment and the default is the page size for the architecture",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size-of-code": {
"description": "The size of the code (.text) section, or the sum of all sections that contain code",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size-of-headers": {
"description": "The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size-of-heap-commit": {
"description": "The size of the local heap space to commit",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size-of-heap-reserve": {
"description": "The size of the local heap space to reserve",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size-of-image": {
"description": "The size (in bytes) of the image, including all headers, as the image is loaded in memory",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size-of-initialised-data": {
"description": "The size of the initialized data, which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of their sizes",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size-of-stack-commit": {
"description": "The size of the stack to commit",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size-of-stack-reserve": {
"description": "The size of the stack to reserve",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size-of-uninitialised-data": {
"description": "The size of the uninitialized data, which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of their sizes",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"subsystem": {
"description": "Target subsystem",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"EFI_APPLICATION",
"EFI_BOOT_SERVICE_DRIVER",
"EFI_ROM",
"EFI_RUNTIME_DRIVER",
"NATIVE",
"NATIVE_WINDOWS",
"OS2_CUI",
"POSIX_CUI",
"UNKNOWN",
"WINDOWS_BOOT_APPLICATION",
"WINDOWS_CE_GUI",
"WINDOWS_CUI",
"WINDOWS_GUI",
"XBOX"
],
"ui-priority": 0
},
"subsystem-hex": {
"description": "The subsystem as a single hex value",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"win32-version-value": {
"description": "Specifies the reserved win32 version value (must be zero)",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
}
},
"description": "Object describing a Portable Executable Optional Header",
"meta-category": "file",
"name": "pe-optional-header",
"requiredOneOf": [
"address-of-entrypoint"
],
"uuid": "ebde65ab-ce98-413d-a518-8f37bc79bcb9",
"version": 2
}