⚠️ Outdated Version: You are viewing ECS version 8.17, which is outdated. View the latest version (9.0)

ECS Version:

DLL

These fields contain information about code libraries dynamically loaded into processes.

Fields

Field Summary

Field	Type	Level	Description
`dll.code_signature.digest_algorithm`	keyword	Extended	Hashing algorithm used to sign the process.
`dll.code_signature.exists`	boolean	Core	Boolean to capture if a signature is present.
`dll.code_signature.flags`	keyword	Extended	Code signing flags of the process
`dll.code_signature.signing_id`	keyword	Extended	The identifier used to sign the process.
`dll.code_signature.status`	keyword	Extended	Additional information about the certificate status.
`dll.code_signature.subject_name`	keyword	Core	Subject name of the code signer
`dll.code_signature.team_id`	keyword	Extended	The team identifier used to sign the process.
`dll.code_signature.timestamp`	date	Extended	When the signature was generated and signed.
`dll.code_signature.trusted`	boolean	Extended	Stores the trust status of the certificate chain.
`dll.code_signature.valid`	boolean	Extended	Boolean to capture if the digital signature is verified against the binary content.
`dll.hash.cdhash`	keyword	Extended	The Code Directory (CD) hash of an executable.
`dll.hash.md5`	keyword	Extended	MD5 hash.
`dll.hash.sha1`	keyword	Extended	SHA1 hash.
`dll.hash.sha256`	keyword	Extended	SHA256 hash.
`dll.hash.sha384`	keyword	Extended	SHA384 hash.
`dll.hash.sha512`	keyword	Extended	SHA512 hash.
`dll.hash.ssdeep`	keyword	Extended	SSDEEP hash.
`dll.hash.tlsh`	keyword	Extended	TLSH hash.
`dll.name`	keyword	Core	Name of the library.
`dll.path`	keyword	Extended	Full file path of the library.
`dll.pe.architecture`	keyword	Extended	CPU architecture target for the file.
`dll.pe.company`	keyword	Extended	Internal company name of the file, provided at compile-time.
`dll.pe.description`	keyword	Extended	Internal description of the file, provided at compile-time.
`dll.pe.file_version`	keyword	Extended	Process name.
`dll.pe.go_import_hash`	keyword	Extended	A hash of the Go language imports in a PE file.
`dll.pe.go_imports`	flattened	Extended	List of imported Go language element names and types.
`dll.pe.go_imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of Go imports.
`dll.pe.go_imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of Go imports.
`dll.pe.go_stripped`	boolean	Extended	Whether the file is a stripped or obfuscated Go executable.
`dll.pe.imphash`	keyword	Extended	A hash of the imports in a PE file.
`dll.pe.import_hash`	keyword	Extended	A hash of the imports in a PE file.
`dll.pe.imports`	flattened	Extended	List of imported element names and types.
`dll.pe.imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of imported element names and types.
`dll.pe.imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of imported element names and types.
`dll.pe.original_file_name`	keyword	Extended	Internal name of the file, provided at compile-time.
`dll.pe.pehash`	keyword	Extended	A hash of the PE header and data from one or more PE sections.
`dll.pe.product`	keyword	Extended	Internal product name of the file, provided at compile-time.
`dll.pe.sections`	nested	Extended	Section information of the PE file.
`dll.pe.sections.entropy`	long	Extended	Shannon entropy calculation from the section.
`dll.pe.sections.name`	keyword	Extended	PE Section List name.
`dll.pe.sections.physical_size`	long	Extended	PE Section List physical size.
`dll.pe.sections.var_entropy`	long	Extended	Variance for Shannon entropy calculation from the section.
`dll.pe.sections.virtual_size`	long	Extended	PE Section List virtual size. This is always the same as `physical_size`.

Field Details

`dll.code_signature.digest_algorithm`

Type: keyword

Level: Extended

Description: Hashing algorithm used to sign the process.

Example: sha256

Indexed: true

`dll.code_signature.exists`

Type: boolean

Level: Core

Description: Boolean to capture if a signature is present.

Example: true

Indexed: true

`dll.code_signature.flags`

Type: keyword

Level: Extended

Description: Code signing flags of the process

Example: 570522385

Indexed: true

`dll.code_signature.signing_id`

Type: keyword

Level: Extended

Description: The identifier used to sign the process.

Example: com.apple.xpc.proxy

Indexed: true

`dll.code_signature.status`

Type: keyword

Level: Extended

Description: Additional information about the certificate status.

Example: ERROR_UNTRUSTED_ROOT

Indexed: true

`dll.code_signature.subject_name`

Type: keyword

Level: Core

Description: Subject name of the code signer

Example: Microsoft Corporation

Indexed: true

`dll.code_signature.team_id`

Type: keyword

Level: Extended

Description: The team identifier used to sign the process.

Example: EQHXZ8M8AV

Indexed: true

`dll.code_signature.timestamp`

Type: date

Level: Extended

Description: When the signature was generated and signed.

Example: 2021-01-01T12:10:30Z

Indexed: true

`dll.code_signature.trusted`

Type: boolean

Level: Extended

Description: Stores the trust status of the certificate chain.

Example: true

Indexed: true

`dll.code_signature.valid`

Type: boolean

Level: Extended

Description: Boolean to capture if the digital signature is verified against the binary content.

Example: true

Indexed: true

`dll.hash.cdhash`

Type: keyword

Level: Extended

Description: The Code Directory (CD) hash of an executable.

Example: 3783b4052fd474dbe30676b45c329e7a6d44acd9

Indexed: true

`dll.hash.md5`

Type: keyword

Level: Extended

Description: MD5 hash.

Indexed: true

`dll.hash.sha1`

Type: keyword

Level: Extended

Description: SHA1 hash.

Indexed: true

`dll.hash.sha256`

Type: keyword

Level: Extended

Description: SHA256 hash.

Indexed: true

`dll.hash.sha384`

Type: keyword

Level: Extended

Description: SHA384 hash.

Indexed: true

`dll.hash.sha512`

Type: keyword

Level: Extended

Description: SHA512 hash.

Indexed: true

`dll.hash.ssdeep`

Type: keyword

Level: Extended

Description: SSDEEP hash.

Indexed: true

`dll.hash.tlsh`

Type: keyword

Level: Extended

Description: TLSH hash.

Indexed: true

`dll.name`

Type: keyword

Level: Core

Description: Name of the library.

Example: kernel32.dll

Indexed: true

`dll.path`

Type: keyword

Level: Extended

Description: Full file path of the library.

Example: C:\Windows\System32\kernel32.dll

Indexed: true

`dll.pe.architecture`

Type: keyword

Level: Extended

Description: CPU architecture target for the file.

Example: x64

Indexed: true

`dll.pe.company`

Type: keyword

Level: Extended

Description: Internal company name of the file, provided at compile-time.

Example: Microsoft Corporation

Indexed: true

`dll.pe.description`

Type: keyword

Level: Extended

Description: Internal description of the file, provided at compile-time.

Example: Paint

Indexed: true

`dll.pe.file_version`

Type: keyword

Level: Extended

Description: Process name.

Example: 6.3.9600.17415

Indexed: true

`dll.pe.go_import_hash`

Type: keyword

Level: Extended

Description: A hash of the Go language imports in a PE file.

Example: 10bddcb4cee42080f76c88d9ff964491

Indexed: true

`dll.pe.go_imports`

Type: flattened

Level: Extended

Description: List of imported Go language element names and types.

Indexed: true

`dll.pe.go_imports_names_entropy`

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of Go imports.

Indexed: true

`dll.pe.go_imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of Go imports.

Indexed: true

`dll.pe.go_stripped`

Type: boolean

Level: Extended

Description: Whether the file is a stripped or obfuscated Go executable.

Indexed: true

`dll.pe.imphash`

Type: keyword

Level: Extended

Description: A hash of the imports in a PE file.

Example: 0c6803c4e922103c4dca5963aad36ddf

Indexed: true

`dll.pe.import_hash`

Type: keyword

Level: Extended

Description: A hash of the imports in a PE file.

Example: d41d8cd98f00b204e9800998ecf8427e

Indexed: true

`dll.pe.imports`

Type: flattened

Level: Extended

Description: List of imported element names and types.

Normalization: array

Indexed: true

`dll.pe.imports_names_entropy`

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`dll.pe.imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`dll.pe.original_file_name`

Type: keyword

Level: Extended

Description: Internal name of the file, provided at compile-time.

Example: MSPAINT.EXE

Indexed: true

`dll.pe.pehash`

Type: keyword

Level: Extended

Description: A hash of the PE header and data from one or more PE sections.

Example: 73ff189b63cd6be375a7ff25179a38d347651975

Indexed: true

`dll.pe.product`

Type: keyword

Level: Extended

Description: Internal product name of the file, provided at compile-time.

Example: Microsoft® Windows® Operating System

Indexed: true

`dll.pe.sections`

Type: nested

Level: Extended

Description: Section information of the PE file.

Normalization: array

Indexed: true

`dll.pe.sections.entropy`

Type: long

Level: Extended

Description: Shannon entropy calculation from the section.

Indexed: true

`dll.pe.sections.name`

Type: keyword

Level: Extended

Description: PE Section List name.

Indexed: true

`dll.pe.sections.physical_size`

Type: long

Level: Extended

Description: PE Section List physical size.

Indexed: true

`dll.pe.sections.var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the section.

Indexed: true

`dll.pe.sections.virtual_size`

Type: long

Level: Extended

Description: PE Section List virtual size. This is always the same as physical_size.

Indexed: true

Device DNS