⚠️ Outdated Version: You are viewing ECS version 1.12, which is outdated. View the latest version (9.0)

ECS Version:

DLL

These fields contain information about code libraries dynamically loaded into processes.

Fields

Field Summary

Field	Type	Level	Description
`dll.code_signature.digest_algorithm`	keyword	Extended	Hashing algorithm used to sign the process.
`dll.code_signature.exists`	boolean	Core	Boolean to capture if a signature is present.
`dll.code_signature.signing_id`	keyword	Extended	The identifier used to sign the process.
`dll.code_signature.status`	keyword	Extended	Additional information about the certificate status.
`dll.code_signature.subject_name`	keyword	Core	Subject name of the code signer
`dll.code_signature.team_id`	keyword	Extended	The team identifier used to sign the process.
`dll.code_signature.timestamp`	date	Extended	When the signature was generated and signed.
`dll.code_signature.trusted`	boolean	Extended	Stores the trust status of the certificate chain.
`dll.code_signature.valid`	boolean	Extended	Boolean to capture if the digital signature is verified against the binary content.
`dll.hash.md5`	keyword	Extended	MD5 hash.
`dll.hash.sha1`	keyword	Extended	SHA1 hash.
`dll.hash.sha256`	keyword	Extended	SHA256 hash.
`dll.hash.sha512`	keyword	Extended	SHA512 hash.
`dll.hash.ssdeep`	keyword	Extended	SSDEEP hash.
`dll.name`	keyword	Core	Name of the library.
`dll.path`	keyword	Extended	Full file path of the library.
`dll.pe.architecture`	keyword	Extended	CPU architecture target for the file.
`dll.pe.company`	keyword	Extended	Internal company name of the file, provided at compile-time.
`dll.pe.description`	keyword	Extended	Internal description of the file, provided at compile-time.
`dll.pe.file_version`	keyword	Extended	Process name.
`dll.pe.imphash`	keyword	Extended	A hash of the imports in a PE file.
`dll.pe.original_file_name`	keyword	Extended	Internal name of the file, provided at compile-time.
`dll.pe.product`	keyword	Extended	Internal product name of the file, provided at compile-time.

Field Details

`dll.code_signature.digest_algorithm`

Type: keyword

Level: Extended

Description: Hashing algorithm used to sign the process.

Example: sha256

Indexed: true

`dll.code_signature.exists`

Type: boolean

Level: Core

Description: Boolean to capture if a signature is present.

Example: true

Indexed: true

`dll.code_signature.signing_id`

Type: keyword

Level: Extended

Description: The identifier used to sign the process.

Example: com.apple.xpc.proxy

Indexed: true

`dll.code_signature.status`

Type: keyword

Level: Extended

Description: Additional information about the certificate status.

Example: ERROR_UNTRUSTED_ROOT

Indexed: true

`dll.code_signature.subject_name`

Type: keyword

Level: Core

Description: Subject name of the code signer

Example: Microsoft Corporation

Indexed: true

`dll.code_signature.team_id`

Type: keyword

Level: Extended

Description: The team identifier used to sign the process.

Example: EQHXZ8M8AV

Indexed: true

`dll.code_signature.timestamp`

Type: date

Level: Extended

Description: When the signature was generated and signed.

Example: 2021-01-01T12:10:30Z

Indexed: true

`dll.code_signature.trusted`

Type: boolean

Level: Extended

Description: Stores the trust status of the certificate chain.

Example: true

Indexed: true

`dll.code_signature.valid`

Type: boolean

Level: Extended

Description: Boolean to capture if the digital signature is verified against the binary content.

Example: true

Indexed: true

`dll.hash.md5`

Type: keyword

Level: Extended

Description: MD5 hash.

Indexed: true

`dll.hash.sha1`

Type: keyword

Level: Extended

Description: SHA1 hash.

Indexed: true

`dll.hash.sha256`

Type: keyword

Level: Extended

Description: SHA256 hash.

Indexed: true

`dll.hash.sha512`

Type: keyword

Level: Extended

Description: SHA512 hash.

Indexed: true

`dll.hash.ssdeep`

Type: keyword

Level: Extended

Description: SSDEEP hash.

Indexed: true

`dll.name`

Type: keyword

Level: Core

Description: Name of the library.

Example: kernel32.dll

Indexed: true

`dll.path`

Type: keyword

Level: Extended

Description: Full file path of the library.

Example: C:\Windows\System32\kernel32.dll

Indexed: true

`dll.pe.architecture`

Type: keyword

Level: Extended

Description: CPU architecture target for the file.

Example: x64

Indexed: true

`dll.pe.company`

Type: keyword

Level: Extended

Description: Internal company name of the file, provided at compile-time.

Example: Microsoft Corporation

Indexed: true

`dll.pe.description`

Type: keyword

Level: Extended

Description: Internal description of the file, provided at compile-time.

Example: Paint

Indexed: true

`dll.pe.file_version`

Type: keyword

Level: Extended

Description: Process name.

Example: 6.3.9600.17415

Indexed: true

`dll.pe.imphash`

Type: keyword

Level: Extended

Description: A hash of the imports in a PE file.

Example: 0c6803c4e922103c4dca5963aad36ddf

Indexed: true

`dll.pe.original_file_name`

Type: keyword

Level: Extended

Description: Internal name of the file, provided at compile-time.

Example: MSPAINT.EXE

Indexed: true

`dll.pe.product`

Type: keyword

Level: Extended

Description: Internal product name of the file, provided at compile-time.

Example: Microsoft® Windows® Operating System

Indexed: true

Device DNS