.NET Metadata Hashes (#307)

* Add .NET PE metadata hashes

* Bugfix

* Switching sections and streams over to

* It built?

* More-thorough cleaning

* Fix bad paste

* Update Makefile

* Fix build

* Tests pass

* Reuse existing hash field

* Move new .NET fields from file.Ext to file.pe.Ext since they are PE-specific

Author: gabriellandau

Makefile

@@ -74,6 +74,7 @@ clean:
 	rm -rf $(ROOT_DIR)/build
 	rm -rf $(GO_TOOLS)
 	rm -rf $(VENV_DIR)
+	find $(ROOT_DIR)/package/endpoint/data_stream -name fields.yml -delete
 
 # create package/endpoint/docs/README.md based on the template file, and the fields inputs
 $(DOC_TARGET): doc_templates/endpoint/docs/* $(PKG_FIELDS_TARGETS) $(MANIFESTS)

custom_schemas/custom_file.yml

@@ -408,3 +408,8 @@
         This is used to identify the team or vendor of a software product. The field is
         relevant to Apple *OS only.'
       example: EQHXZ8M8AV
+
+    - name: pe
+      level: custom
+      type: object
+      description: PE fields

custom_schemas/custom_hash.yml

@@ -18,3 +18,5 @@
       - macro.collection
       - macro.project_file
       - macro.stream
+      - pe.Ext.streams
+      - pe.Ext.sections

custom_schemas/custom_pe.yml

@@ -11,3 +11,49 @@
         as: mapped_pe
       - at: memory_region
         as: memory_pe
+  fields:
+    - name: Ext.dotnet
+      level: custom
+      type: boolean
+      description: Whether this file is a .NET PE
+      example: "true"
+
+    - name: Ext.sections
+      level: custom
+      type: object
+      short: The file's sections, if it is a PE
+      description: >
+        The file's relevant sections, if it is a PE
+        
+    - name: Ext.sections.name
+      level: custom
+      type: keyword
+      example: ".reloc"
+      description: >
+        The section's name
+
+    - name: Ext.sections.hash
+      level: custom
+      type: object
+      description: >
+        Hashes
+        
+    - name: Ext.streams
+      level: custom
+      type: object
+      short: The file's streams, if it is a PE
+      description: >
+        The file's streams, if it is a PE
+        
+    - name: Ext.streams.name
+      level: custom
+      type: keyword
+      example: ".reloc"
+      description: >
+        The stream's name
+
+    - name: Ext.streams.hash
+      level: custom
+      type: object
+      description: >
+        Hashes

custom_subsets/elastic_endpoint/alerts/malware_event.yaml

@@ -587,6 +587,23 @@ fields:
           imphash: {}
           original_file_name: {}
           product: {}
+          Ext:
+            fields:
+              dotnet: {}
+              sections:
+                fields:
+                  name: {}
+                  hash:
+                    fields:
+                      md5: {}
+                      sha256: {}
+              streams:
+                fields:
+                  name: {}
+                  hash:
+                    fields:
+                      md5: {}
+                      sha256: {}
       size: {}
       target_path: {}
       type: {}

package/endpoint/data_stream/alerts/fields/fields.yml

@@ -3841,6 +3841,60 @@
           default_field: false
       description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
       example: /home/alice/example.png
+    - name: pe.Ext.dotnet
+      level: custom
+      type: boolean
+      description: Whether this file is a .NET PE
+      example: 'true'
+      default_field: false
+    - name: pe.Ext.sections
+      level: custom
+      type: object
+      description: The file's relevant sections, if it is a PE
+      default_field: false
+    - name: pe.Ext.sections.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+      default_field: false
+    - name: pe.Ext.sections.hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+      default_field: false
+    - name: pe.Ext.sections.name
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The section's name
+      example: .reloc
+      default_field: false
+    - name: pe.Ext.streams
+      level: custom
+      type: object
+      description: The file's streams, if it is a PE
+      default_field: false
+    - name: pe.Ext.streams.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+      default_field: false
+    - name: pe.Ext.streams.hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+      default_field: false
+    - name: pe.Ext.streams.name
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The stream's name
+      example: .reloc
+      default_field: false
     - name: pe.company
       level: extended
       type: keyword

package/endpoint/data_stream/alerts/sample_event.json

@@ -117,7 +117,35 @@
         "pe": {
             "file_version": "0.0.0.0",
             "description": " ",
-            "original_file_name": "5t5mpwxc.dll"
+            "original_file_name": "5t5mpwxc.dll",
+            "Ext": {
+                "dotnet": true,
+                "streams": [
+                    {
+                        "name": "#~",
+                        "hash": {
+                            "md5": "debf08c09d49337fbe7acde4d3749242",
+                            "sha256": "90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53"
+                        }
+                    },
+                    {
+                        "name": "#Blob",
+                        "hash": {
+                            "md5": "debf08c09d49337fbe7acde4d3749242",
+                            "sha256": "90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53"
+                        }
+                    }
+                ],
+                "sections": [
+                    {
+                        "name": ".reloc",
+                        "hash": {
+                            "md5": "debf08c09d49337fbe7acde4d3749242",
+                            "sha256": "90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53"
+                        }
+                    }
+                ]
+            }
         },
         "name": "9C0E42A47D34240A9A4101CC5D3BC5787DC5AD73DEBF08C09D49337FBE7ACDE4D374924290143DFB2E3210F18E1BCC50EB6C3961D11071E3EC024215B8835E468FA63E53DAE02F32A21E03CE65412F6E56942DAA.dll",
         "hash": {

package/endpoint/docs/README.md

@@ -520,6 +520,15 @@ sent by the endpoint.
 | file.name | Name of the file including the extension, without the directory. | keyword |
 | file.owner | File owner's username. | keyword |
 | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.pe.Ext.dotnet | Whether this file is a .NET PE | boolean |
+| file.pe.Ext.sections | The file's relevant sections, if it is a PE | object |
+| file.pe.Ext.sections.hash.md5 | MD5 hash. | keyword |
+| file.pe.Ext.sections.hash.sha256 | SHA256 hash. | keyword |
+| file.pe.Ext.sections.name | The section's name | keyword |
+| file.pe.Ext.streams | The file's streams, if it is a PE | object |
+| file.pe.Ext.streams.hash.md5 | MD5 hash. | keyword |
+| file.pe.Ext.streams.hash.sha256 | SHA256 hash. | keyword |
+| file.pe.Ext.streams.name | The stream's name | keyword |
 | file.pe.company | Internal company name of the file, provided at compile-time. | keyword |
 | file.pe.description | Internal description of the file, provided at compile-time. | keyword |
 | file.pe.file_version | Internal version of the file, provided at compile-time. | keyword |