
PE Header Fields


These fields contain Windows Portable Executable (PE) metadata.

PE Header Field Details

| Field | Description | Type | Example | Level |
|---|---|---|---|---|
| pe.architecture | CPU architecture target for the file. | keyword | x64 | extended |
| pe.company | Internal company name of the file, provided at compile-time. | keyword | Microsoft Corporation | extended |
| pe.description | Internal description of the file, provided at compile-time. | keyword | Paint | extended |
| pe.file_version | Internal version of the file, provided at compile-time. | keyword | 6.3.9600.17415 | extended |
| pe.go_import_hash | A hash of the Go language imports in a PE file, excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). | keyword | 10bddcb4cee42080f76c88d9ff964491 | extended |
| pe.go_imports | List of imported Go language element names and types. | flattened | | extended |
| pe.go_imports_names_entropy | Shannon entropy calculation from the list of Go imports. | long | | extended |
| pe.go_imports_names_var_entropy | Variance for Shannon entropy calculation from the list of Go imports. | long | | extended |
| pe.go_stripped | Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false if it is an unobfuscated Go executable. | boolean | | extended |
| pe.imphash | A hash of the imports in a PE file. An imphash (or import hash) can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | 0c6803c4e922103c4dca5963aad36ddf | extended |
| pe.import_hash | A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash. | keyword | d41d8cd98f00b204e9800998ecf8427e | extended |
| pe.imports | List of imported element names and types. Note: this field should contain an array of values. | flattened | | extended |
| pe.imports_names_entropy | Shannon entropy calculation from the list of imported element names and types. | long | | extended |
| pe.imports_names_var_entropy | Variance for Shannon entropy calculation from the list of imported element names and types. | long | | extended |
| pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | MSPAINT.EXE | extended |
| pe.pehash | A hash of the PE header and data from one or more PE sections. A pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. | keyword | 73ff189b63cd6be375a7ff25179a38d347651975 | extended |
| pe.product | Internal product name of the file, provided at compile-time. | keyword | Microsoft® Windows® Operating System | extended |
| pe.sections | An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath pe.sections.*. Note: this field should contain an array of values. | nested | | extended |
| pe.sections.entropy | Shannon entropy calculation from the section. | long | | extended |
| pe.sections.name | PE Section List name. | keyword | | extended |
| pe.sections.physical_size | PE Section List physical size. | long | | extended |
| pe.sections.var_entropy | Variance for Shannon entropy calculation from the section. | long | | extended |
| pe.sections.virtual_size | PE Section List virtual size. This is always the same as physical_size. | long | | extended |
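
As an added example (not part of the ECS documentation or of the toutoumomoma project), the following Python derives pe.imphash, pe.imports_names_entropy and pe.imports_names_var_entropy from a constructed import list. The imphash normalisation follows the FireEye scheme linked above for named imports only; the entropy-variance definition and the helper names are assumptions, since ECS does not spell out the formula.

```python
import hashlib
import math
from collections import Counter

# Constructed sample import table (module, function), in import-directory order.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("USER32.dll", "MessageBoxA"),
    ("ADVAPI32.dll", "RegOpenKeyExA"),
]

def import_strings(imports):
    """FireEye imphash normalisation: lowercase module minus .dll/.ocx/.sys,
    a dot, then the lowercased function name; import order is preserved."""
    out = []
    for module, func in imports:
        mod = module.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if mod.endswith(ext):
                mod = mod[: -len(ext)]
                break
        out.append(f"{mod}.{func.lower()}")
    return out

def imphash(imports):
    """pe.imphash: MD5 of the comma-joined normalised import strings."""
    return hashlib.md5(",".join(import_strings(imports)).encode()).hexdigest()

def shannon_entropy(data):
    """(entropy, variance) of a byte string: entropy is the mean per-byte
    information content -log2(p), variance its spread around that mean.
    Assumption: ECS does not spell out the formula behind *_var_entropy."""
    if not data:
        return 0.0, 0.0
    probs = [c / len(data) for c in Counter(data).values()]
    ent = -sum(p * math.log2(p) for p in probs)
    var = sum(p * (-math.log2(p) - ent) ** 2 for p in probs)
    return ent, var

def pe_import_features(imports):
    """ECS-style pe.* values for one import list (helper name is ours)."""
    ent, var = shannon_entropy(",".join(import_strings(imports)).encode())
    return {
        "imphash": imphash(imports),
        "imports_names_entropy": ent,
        "imports_names_var_entropy": var,
    }
```

An empty import table hashes to the MD5 of the empty string, which is the example value the page lists for pe.import_hash; reordering imports changes the hash, while changing their case does not.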

Field Reuse


The pe fields are expected to be nested at:

  • dll.pe
  • file.pe
  • process.pe

Note also that the pe fields are not expected to be used directly at the root of the events.
