Add architecture and imphash for PE field set (#763)

* Add architecture and imphash for PE field set * Add changelog entry * Update schemas/pe.yml Co-Authored-By: Mathieu Martin <[email protected]> Co-authored-by: Mathieu Martin <[email protected]>
elastic · Apr 6, 2020 · 1f7fa10 · 1f7fa10
1 parent 816ed67
commit 1f7fa10
Show file tree

Hide file tree

Showing 10 changed files with 440 additions and 4 deletions.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -21,6 +21,7 @@ Thanks, you're awesome :-) -->
 #### Added
 
 * Added `search.*` fields #729
+* Add architecture and imphash for PE field set. (#763)
 
 #### Improvements
 

diff --git a/code/go/ecs/pe.go b/code/go/ecs/pe.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -3960,6 +3960,19 @@ These fields contain Windows Portable Executable (PE) metadata.
 
 // ===============================================================
 
+| pe.architecture
+| CPU architecture target for the file.
+
+type: keyword
+
+
+
+example: `x64`
+
+| extended
+
+// ===============================================================
+
 | pe.company
 | Internal company name of the file, provided at compile-time.
 
@@ -3999,6 +4012,21 @@ example: `6.3.9600.17415`
 
 // ===============================================================
 
+| pe.imphash
+| A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
+
+Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
+
+type: keyword
+
+
+
+example: `0c6803c4e922103c4dca5963aad36ddf`
+
+| extended
+
+// ===============================================================
+
 | pe.original_file_name
 | Internal name of the file, provided at compile-time.
 

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -833,6 +833,13 @@
       description: Full file path of the library.
       example: C:\Windows\System32\kernel32.dll
       default_field: false
+    - name: pe.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
     - name: pe.company
       level: extended
       type: keyword
@@ -854,6 +861,17 @@
       description: Internal version of the file, provided at compile-time.
       example: 6.3.9600.17415
       default_field: false
+    - name: pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
     - name: pe.original_file_name
       level: extended
       type: keyword
@@ -1572,6 +1590,13 @@
       description: Full path to the file, including the file name. It should include
         the drive letter, when appropriate.
       example: /home/alice/example.png
+    - name: pe.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
     - name: pe.company
       level: extended
       type: keyword
@@ -1593,6 +1618,17 @@
       description: Internal version of the file, provided at compile-time.
       example: 6.3.9600.17415
       default_field: false
+    - name: pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
     - name: pe.original_file_name
       level: extended
       type: keyword
@@ -2845,6 +2881,13 @@
     description: These fields contain Windows Portable Executable (PE) metadata.
     type: group
     fields:
+    - name: architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
     - name: company
       level: extended
       type: keyword
@@ -2866,6 +2909,17 @@
       description: Internal version of the file, provided at compile-time.
       example: 6.3.9600.17415
       default_field: false
+    - name: imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
     - name: original_file_name
       level: extended
       type: keyword
@@ -3258,6 +3312,13 @@
       description: The working directory of the process.
       example: /home/alice
       default_field: false
+    - name: pe.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
     - name: pe.company
       level: extended
       type: keyword
@@ -3279,6 +3340,17 @@
       description: Internal version of the file, provided at compile-time.
       example: 6.3.9600.17415
       default_field: false
+    - name: pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
     - name: pe.original_file_name
       level: extended
       type: keyword

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -106,9 +106,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
 1.6.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
 1.6.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.6.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.6.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.6.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.6.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.6.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
 1.6.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.6.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.6.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
@@ -187,9 +189,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
 1.6.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.6.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.6.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.6.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.6.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.6.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.6.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
 1.6.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.6.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.6.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
@@ -355,9 +359,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
 1.6.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
 1.6.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.6.0-dev,true,pe,pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.6.0-dev,true,pe,pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.6.0-dev,true,pe,pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.6.0-dev,true,pe,pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.6.0-dev,true,pe,pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
 1.6.0-dev,true,pe,pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.6.0-dev,true,pe,pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.6.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
@@ -409,9 +415,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
 1.6.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
 1.6.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.6.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.6.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.6.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.6.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.6.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
 1.6.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.6.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.6.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.