Driver and DLL fields #675

rw-access · 2019-12-05T15:25:24Z

Endgame and Sysmon both collect events for loaded DLLs and drivers within Windows. I think this is fairly standard, and posix also has concepts of kernel modules and process modules. There's plenty of wiggle room with the name of this field set. module, library, dll, lib, etc. I see pros and cons of each, so we may need a vote.

Here are some of the fields that are needed

name - analogous to process.name, the name of the file
path - analogous to process.path, path to the file
hash - nested fieldset
pe - if we have a field set, this could be nested here as well

The text was updated successfully, but these errors were encountered:

dcode · 2020-02-07T20:42:14Z

@rw-access do you have a sample event that includes this data from endgame, sysmon, and maybe others? I think it's important that we abstract out commonalities across file types.

rw-access self-assigned this Dec 5, 2019

This was referenced Dec 5, 2019

Parity with Elastic Endpoint #647

Closed

PE header metadata #676

Closed

Add DLL fieldset #679

Merged

Code signature field set #681

Closed

rw-access added the endpoint Relevant to elastic endpoint security label Jan 24, 2020

webmat closed this as completed in #679 Feb 12, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Driver and DLL fields #675

Driver and DLL fields #675

rw-access commented Dec 5, 2019

dcode commented Feb 7, 2020

Driver and DLL fields #675

Driver and DLL fields #675

Comments

rw-access commented Dec 5, 2019

dcode commented Feb 7, 2020