PE Header Fields

edit

These fields contain Windows Portable Executable (PE) metadata.

PE Header Field Details

edit
Field Description Level

pe.architecture

CPU architecture target for the file.

type: keyword

example: x64

extended

pe.company

Internal company name of the file, provided at compile-time.

type: keyword

example: Microsoft Corporation

extended

pe.description

Internal description of the file, provided at compile-time.

type: keyword

example: Paint

extended

pe.file_version

Internal version of the file, provided at compile-time.

type: keyword

example: 6.3.9600.17415

extended

pe.imphash

A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.

Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf

extended

pe.original_file_name

Internal name of the file, provided at compile-time.

type: keyword

example: MSPAINT.EXE

extended

pe.product

Internal product name of the file, provided at compile-time.

type: keyword

example: Microsoft® Windows® Operating System

extended

Field Reuse

edit

The pe fields are expected to be nested at:

  • dll.pe
  • file.pe
  • process.pe
  • threat.enrichments.indicator.pe
  • threat.indicator.pe

Note also that the pe fields are not expected to be used directly at the root of the events.