PE Header Fields
editPE Header Fields
editThese fields contain Windows Portable Executable (PE) metadata.
PE Header Field Details
editField | Description | Level |
---|---|---|
CPU architecture target for the file. type: keyword example: |
extended |
|
Internal company name of the file, provided at compile-time. type: keyword example: |
extended |
|
Internal description of the file, provided at compile-time. type: keyword example: |
extended |
|
Internal version of the file, provided at compile-time. type: keyword example: |
extended |
|
A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword example: |
extended |
|
Internal name of the file, provided at compile-time. type: keyword example: |
extended |
|
Internal product name of the file, provided at compile-time. type: keyword example: |
extended |
Field Reuse
editThe pe
fields are expected to be nested at:
-
dll.pe
-
file.pe
-
process.pe
-
threat.enrichments.indicator.pe
-
threat.indicator.pe
Note also that the pe
fields are not expected to be used directly at the root of the events.