ECS Field Reference
ECS Version:

DLL

These fields contain information about code libraries dynamically loaded into processes.

Fields

Field Summary

Field | Type | Level | Description
dll.code_signature.digest_algorithm | keyword | Extended | Hashing algorithm used to sign the library.
dll.code_signature.exists | boolean | Core | Boolean to capture if a signature is present.
dll.code_signature.flags | keyword | Extended | Code signing flags of the library.
dll.code_signature.signing_id | keyword | Extended | The identifier used to sign the library.
dll.code_signature.status | keyword | Extended | Additional information about the certificate status.
dll.code_signature.subject_name | keyword | Core | Subject name of the code signer.
dll.code_signature.team_id | keyword | Extended | The team identifier used to sign the library.
dll.code_signature.timestamp | date | Extended | When the signature was generated and signed.
dll.code_signature.trusted | boolean | Extended | Stores the trust status of the certificate chain.
dll.code_signature.valid | boolean | Extended | Boolean to capture if the digital signature is verified against the binary content.
dll.hash.cdhash | keyword | Extended | The Code Directory (CD) hash of an executable.
dll.hash.md5 | keyword | Extended | MD5 hash.
dll.hash.sha1 | keyword | Extended | SHA1 hash.
dll.hash.sha256 | keyword | Extended | SHA256 hash.
dll.hash.sha384 | keyword | Extended | SHA384 hash.
dll.hash.sha512 | keyword | Extended | SHA512 hash.
dll.hash.ssdeep | keyword | Extended | SSDEEP hash.
dll.hash.tlsh | keyword | Extended | TLSH hash.
dll.name | keyword | Core | Name of the library.
dll.origin_referrer_url | keyword | Extended | The URL of the webpage that linked to the dll file.
dll.origin_url | keyword | Extended | The URL where the dll file is hosted.
dll.path | keyword | Extended | Full file path of the library.
dll.pe.architecture | keyword | Extended | CPU architecture target for the file.
dll.pe.company | keyword | Extended | Internal company name of the file, provided at compile-time.
dll.pe.description | keyword | Extended | Internal description of the file, provided at compile-time.
dll.pe.file_version | keyword | Extended | Internal version of the file, provided at compile-time.
dll.pe.go_import_hash | keyword | Extended | A hash of the Go language imports in a PE file.
dll.pe.go_imports | flattened | Extended | List of imported Go language element names and types.
dll.pe.go_imports_names_entropy | long | Extended | Shannon entropy calculation from the list of Go imports.
dll.pe.go_imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of Go imports.
dll.pe.go_stripped | boolean | Extended | Whether the file is a stripped or obfuscated Go executable.
dll.pe.imphash | keyword | Extended | A hash of the imports in a PE file.
dll.pe.import_hash | keyword | Extended | A hash of the imports in a PE file; synonym for dll.pe.imphash.
dll.pe.imports | flattened | Extended | List of imported element names and types.
dll.pe.imports_names_entropy | long | Extended | Shannon entropy calculation from the list of imported element names and types.
dll.pe.imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of imported element names and types.
dll.pe.original_file_name | keyword | Extended | Internal name of the file, provided at compile-time.
dll.pe.pehash | keyword | Extended | A hash of the PE header and data from one or more PE sections.
dll.pe.product | keyword | Extended | Internal product name of the file, provided at compile-time.
dll.pe.sections | nested | Extended | Section information of the PE file.
dll.pe.sections.entropy | long | Extended | Shannon entropy calculation from the section.
dll.pe.sections.name | keyword | Extended | PE Section List name (the name from the section header).
dll.pe.sections.physical_size | long | Extended | PE Section List physical size (raw size of the section on disk).
dll.pe.sections.var_entropy | long | Extended | Variance for Shannon entropy calculation from the section.
dll.pe.sections.virtual_size | long | Extended | PE Section List virtual size (size once mapped into memory); not necessarily equal to physical_size.

Field Details

dll.code_signature.digest_algorithm

Type: keyword

Level: Extended

Description: Hashing algorithm used to sign the library.

Example: sha256

Indexed: true

dll.code_signature.exists

Type: boolean

Level: Core

Description: Boolean to capture if a signature is present.

Example: true

Indexed: true

dll.code_signature.flags

Type: keyword

Level: Extended

Description: Code signing flags of the library.

Example: 570522385

Indexed: true

dll.code_signature.signing_id

Type: keyword

Level: Extended

Description: The identifier used to sign the library.

Example: com.apple.xpc.proxy

Indexed: true

dll.code_signature.status

Type: keyword

Level: Extended

Description: Additional information about the certificate status.

Example: ERROR_UNTRUSTED_ROOT

Indexed: true

dll.code_signature.subject_name

Type: keyword

Level: Core

Description: Subject name of the code signer.

Example: Microsoft Corporation

Indexed: true

dll.code_signature.team_id

Type: keyword

Level: Extended

Description: The team identifier used to sign the library.

Example: EQHXZ8M8AV

Indexed: true

dll.code_signature.timestamp

Type: date

Level: Extended

Description: When the signature was generated and signed.

Example: 2021-01-01T12:10:30Z

Indexed: true

dll.code_signature.trusted

Type: boolean

Level: Extended

Description: Stores the trust status of the certificate chain.

Example: true

Indexed: true

dll.code_signature.valid

Type: boolean

Level: Extended

Description: Boolean to capture if the digital signature is verified against the binary content.

Example: true

Indexed: true
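
The signature fields are only useful in combination: exists says whether a signature is present at all, valid whether it matches the bytes on disk, and trusted whether the certificate chain is accepted, with status carrying the reason when it is not. The triage routine below is an added example, not ECS project code; the events are constructed by hand, and the finding labels and the "well-known vendor name but untrusted chain" heuristic are this example's own assumptions.

```python
"""Triage dll.code_signature.* values in ECS-shaped DLL-load events (added example)."""
from __future__ import annotations

from typing import Any

# Constructed sample events (not real telemetry); the field layout follows ECS dll.*.
SAMPLE_EVENTS = [
    {"dll": {"name": "kernel32.dll",
             "path": "C:\\Windows\\System32\\kernel32.dll",
             "code_signature": {"exists": True, "valid": True, "trusted": True,
                                "subject_name": "Microsoft Corporation"}}},
    {"dll": {"name": "helper.dll",
             "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll",
             "code_signature": {"exists": False}}},
    {"dll": {"name": "updater.dll",
             "path": "C:\\ProgramData\\updater.dll",
             "code_signature": {"exists": True, "valid": True, "trusted": False,
                                "subject_name": "Microsoft Corporation",
                                "status": "ERROR_UNTRUSTED_ROOT"}}},
    {"dll": {"name": "patched.dll",
             "path": "C:\\Program Files\\Vendor\\patched.dll",
             "code_signature": {"exists": True, "valid": False, "trusted": False,
                                "subject_name": "Vendor Ltd"}}},
]


def triage_signature(event: dict[str, Any]) -> list[str]:
    """Return finding labels (assumed names) for one event's dll.code_signature fields."""
    sig = event.get("dll", {}).get("code_signature", {})
    findings: list[str] = []
    if not sig.get("exists"):
        # No signature at all: nothing further to evaluate.
        findings.append("unsigned")
        return findings
    if sig.get("valid") is False:
        # Signature present but does not verify against the file content:
        # modified binary or a broken signature.
        findings.append("invalid_signature")
    if sig.get("valid") and sig.get("trusted") is False:
        # Content is intact, but the chain is not trusted; status says why.
        findings.append(f"untrusted_chain:{sig.get('status', 'unknown')}")
    if "microsoft" in sig.get("subject_name", "").lower() and not sig.get("trusted"):
        # Heuristic (assumption): a vendor name anyone can put in a self-signed
        # certificate is only meaningful when the chain is trusted.
        findings.append("vendor_name_not_trusted")
    return findings


def triage_all(events: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map dll.name to its findings for a batch of events."""
    return {e["dll"]["name"]: triage_signature(e) for e in events}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_EVENTS).items():
        print(f"{name}: {findings or 'ok'}")
```

The order of checks matters: a missing signature short-circuits, and trusted is only evaluated once valid is true, because a trust verdict on a signature that does not match the file says nothing about the file.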

dll.hash.cdhash

Type: keyword

Level: Extended

Description: The Code Directory (CD) hash of an executable.

Example: 3783b4052fd474dbe30676b45c329e7a6d44acd9

Indexed: true

dll.hash.md5

Type: keyword

Level: Extended

Description: MD5 hash.

Indexed: true

dll.hash.sha1

Type: keyword

Level: Extended

Description: SHA1 hash.

Indexed: true

dll.hash.sha256

Type: keyword

Level: Extended

Description: SHA256 hash.

Indexed: true

dll.hash.sha384

Type: keyword

Level: Extended

Description: SHA384 hash.

Indexed: true

dll.hash.sha512

Type: keyword

Level: Extended

Description: SHA512 hash.

Indexed: true

dll.hash.ssdeep

Type: keyword

Level: Extended

Description: SSDEEP hash.

Indexed: true

dll.hash.tlsh

Type: keyword

Level: Extended

Description: TLSH hash.

Indexed: true

dll.name

Type: keyword

Level: Core

Description: Name of the library.

Example: kernel32.dll

Indexed: true

dll.origin_referrer_url

Type: keyword

Level: Extended

Description: The URL of the webpage that linked to the dll file.

Example: http://example.com/article1.html

Indexed: true

dll.origin_url

Type: keyword

Level: Extended

Description: The URL where the dll file is hosted.

Example: http://example.com/files/example.dll

Indexed: true

dll.path

Type: keyword

Level: Extended

Description: Full file path of the library.

Example: C:\Windows\System32\kernel32.dll

Indexed: true

dll.pe.architecture

Type: keyword

Level: Extended

Description: CPU architecture target for the file.

Example: x64

Indexed: true

dll.pe.company

Type: keyword

Level: Extended

Description: Internal company name of the file, provided at compile-time.

Example: Microsoft Corporation

Indexed: true

dll.pe.description

Type: keyword

Level: Extended

Description: Internal description of the file, provided at compile-time.

Example: Paint

Indexed: true

dll.pe.file_version

Type: keyword

Level: Extended

Description: Internal version of the file, provided at compile-time.

Example: 6.3.9600.17415

Indexed: true

dll.pe.go_import_hash

Type: keyword

Level: Extended

Description: A hash of the Go language imports in a PE file.

Example: 10bddcb4cee42080f76c88d9ff964491

Indexed: true

dll.pe.go_imports

Type: flattened

Level: Extended

Description: List of imported Go language element names and types.

Indexed: true

dll.pe.go_imports_names_entropy

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of Go imports.

Indexed: true

dll.pe.go_imports_names_var_entropy

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of Go imports.

Indexed: true

dll.pe.go_stripped

Type: boolean

Level: Extended

Description: Whether the file is a stripped or obfuscated Go executable.

Indexed: true

dll.pe.imphash

Type: keyword

Level: Extended

Description: A hash of the imports in a PE file. Because it depends only on the ordered list of imported DLLs and function names, an imphash can fingerprint a binary across recompilations that change the traditional file hashes.

Example: 0c6803c4e922103c4dca5963aad36ddf

Indexed: true

dll.pe.import_hash

Type: keyword

Level: Extended

Description: A hash of the imports in a PE file. This is a synonym for dll.pe.imphash.

Example: d41d8cd98f00b204e9800998ecf8427e

Indexed: true

dll.pe.imports

Type: flattened

Level: Extended

Description: List of imported element names and types.

Normalization: array

Indexed: true
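
How the import list turns into dll.pe.imphash (and the synonymous dll.pe.import_hash): each import is normalised to lowercase "library.function" with the .dll/.ocx/.sys extension removed, the entries are joined with commas in import-table order, and the result is MD5-hashed. The code below is an added example, not ECS or pefile code; it takes the import list as a plain Python structure rather than parsing a PE file, and it writes ordinal imports as "ordN" without the per-DLL ordinal-to-name lookup table that pefile applies for a few well-known libraries (an assumption stated in the comments).

```python
"""Compute dll.pe.imphash from an import list (added example)."""
import hashlib

# Extensions stripped from the library name before hashing.
STRIPPED_EXTENSIONS = (".ocx", ".sys", ".dll")


def normalized_imports(imports):
    """Flatten [(dll_name, [function name or ordinal int, ...]), ...] into
    the lowercase "library.function" entries that feed the hash."""
    entries = []
    for dll_name, functions in imports:
        lib = dll_name.lower()
        for ext in STRIPPED_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in functions:
            # Assumption: ordinal imports are rendered as "ordN"; pefile additionally
            # resolves ordinals for a few libraries (e.g. ws2_32) to names. Not done here.
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            entries.append(f"{lib}.{name}")
    return entries


def imphash(imports):
    """MD5 over the comma-joined normalised entries, in import-table order."""
    joined = ",".join(normalized_imports(imports))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Constructed import table for illustration.
    sample = [("KERNEL32.DLL", ["CreateFileW", "WriteFile"]),
              ("ADVAPI32.dll", ["CryptAcquireContextW", 42])]
    print(normalized_imports(sample))
    print(imphash(sample))
```

Two properties follow directly from the construction: an empty import table hashes to the MD5 of the empty string, d41d8cd98f00b204e9800998ecf8427e (the import_hash example on this page), and reordering the import table changes the hash even though the set of imports is unchanged, so two builds of the same source with different link order produce different values.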

dll.pe.imports_names_entropy

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of imported element names and types.

Indexed: true

dll.pe.imports_names_var_entropy

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of imported element names and types.

Indexed: true

dll.pe.original_file_name

Type: keyword

Level: Extended

Description: Internal name of the file, provided at compile-time.

Example: MSPAINT.EXE

Indexed: true

dll.pe.pehash

Type: keyword

Level: Extended

Description: A hash of the PE header and data from one or more PE sections.

Example: 73ff189b63cd6be375a7ff25179a38d347651975

Indexed: true

dll.pe.product

Type: keyword

Level: Extended

Description: Internal product name of the file, provided at compile-time.

Example: Microsoft® Windows® Operating System

Indexed: true

dll.pe.sections

Type: nested

Level: Extended

Description: Section information of the PE file.

Normalization: array

Indexed: true

dll.pe.sections.entropy

Type: long

Level: Extended

Description: Shannon entropy calculation from the section.

Indexed: true

dll.pe.sections.name

Type: keyword

Level: Extended

Description: PE Section List name, as given in the section header.

Indexed: true

dll.pe.sections.physical_size

Type: long

Level: Extended

Description: PE Section List physical size: the size of the section's raw data on disk.

Indexed: true

dll.pe.sections.var_entropy

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the section.

Indexed: true

dll.pe.sections.virtual_size

Type: long

Level: Extended

Description: PE Section List virtual size: the size of the section once it is mapped into memory. It is not necessarily equal to physical_size. A virtual size much larger than the physical size is normal for sections that hold uninitialised data, and is also a common sign of a packed section whose contents are decompressed into the reserved space at run time.

Indexed: true
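
Populating dll.pe.architecture and the dll.pe.sections.* fields means reading the COFF header and the section table, then computing Shannon entropy over each section's raw bytes. The code below is an added example, not ECS code: a minimal PE section-table parser with no external dependencies, run over a constructed PE32+ image built inline (two sections: a low-entropy code section and a high-entropy section whose virtual size far exceeds its raw size). The flag names and thresholds in section_flags are this example's own assumptions; ECS does not define how var_entropy is derived, so it is not computed here.

```python
"""Derive dll.pe.architecture and dll.pe.sections.* from PE headers (added example)."""
import hashlib
import math
import struct

# IMAGE_FILE_MACHINE_* values mapped to the ECS architecture strings used here.
MACHINE_TO_ARCH = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Return {"architecture": ..., "sections": [...]} from the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size                        # section table follows optional header
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sec_off + i * 40)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "physical_size": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return {"architecture": MACHINE_TO_ARCH.get(machine, f"0x{machine:04x}"), "sections": sections}


def section_flags(section: dict) -> list:
    """Assumed triage flags: high entropy suggests compressed/encrypted content,
    a virtual size far above the raw size suggests space reserved for unpacking."""
    flags = []
    if section["entropy"] > 7.0:
        flags.append("high_entropy")
    if section["virtual_size"] > 4 * max(section["physical_size"], 1):
        flags.append("virtual_gt_physical")
    return flags


def section_header(name: bytes, vsize: int, vaddr: int, raw_len: int, raw_ptr: int) -> bytes:
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenumbers,
    # counts, Characteristics (CODE | EXECUTE | READ).
    return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_len, raw_ptr, 0, 0, 0, 0, 0x60000020)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image (not a real DLL): headers plus two sections."""
    text_data = b"\x90" * 200 + b"\xc3" * 56                   # low-entropy "code"
    packed, seed = b"", b"ecs-dll-example"
    while len(packed) < 1024:                                   # deterministic high-entropy bytes
        seed = hashlib.sha256(seed).digest()
        packed += seed
    opt_size = 240                                              # PE32+ optional header size
    header_len = 0x40 + 4 + 20 + opt_size + 2 * 40
    text_ptr, packed_ptr = header_len, header_len + len(text_data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x2022)  # x64, 2 sections, DLL
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)     # PE32+ magic, rest zeroed
    table = (section_header(b".text", len(text_data), 0x1000, len(text_data), text_ptr)
             + section_header(b".packed", 0x10000, 0x2000, len(packed), packed_ptr))
    return dos + b"PE\0\0" + coff + opt + table + text_data + packed


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("dll.pe.architecture:", info["architecture"])
    for sec in info["sections"]:
        print(sec, section_flags(sec))
```

The constructed image shows the caveat on virtual_size directly: the .packed section is 1024 bytes on disk but 65536 bytes when mapped, and its raw bytes have entropy close to 8, which is the profile a detection on these fields should look for rather than either field in isolation.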