Class: PEBinaryExt
The Windows PE Binary File extension specifies a default extension for capturing properties specific to Windows portable executable (PE) files.
URI: attack:PEBinaryExt
```mermaid
classDiagram
    class PEBinaryExt
    click PEBinaryExt href "../PEBinaryExt/"
    CommonSchemaComponent <|-- PEBinaryExt
    click CommonSchemaComponent href "../CommonSchemaComponent/"
    PEBinaryExt : characteristics_hex
    PEBinaryExt : description
    PEBinaryExt : file_header_hashes
    PEBinaryExt --> "0..1" HashesType : file_header_hashes
    click HashesType href "../HashesType/"
    PEBinaryExt : id
    PEBinaryExt : imphash
    PEBinaryExt : machine_hex
    PEBinaryExt : name
    PEBinaryExt : number_of_sections
    PEBinaryExt : number_of_symbols
    PEBinaryExt : optional_header
    PEBinaryExt --> "0..1" WindowsPEOptionalHeaderType : optional_header
    click WindowsPEOptionalHeaderType href "../WindowsPEOptionalHeaderType/"
    PEBinaryExt : pe_type
    PEBinaryExt : pointer_to_symbol_table_hex
    PEBinaryExt : sections
    PEBinaryExt --> "*" WindowsPESection : sections
    click WindowsPESection href "../WindowsPESection/"
    PEBinaryExt : size_of_optional_header
    PEBinaryExt : time_date_stamp
    PEBinaryExt : type
```
Inheritance
- StixEntity
- CommonSchemaComponent
- PEBinaryExt
- CommonSchemaComponent
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| pe_type | 1 WindowsPEBinaryTypeOv or String | Specifies the type of the PE binary | direct |
| imphash | 0..1 String | Specifies the special import hash, or 'imphash', calculated for the PE binary | direct |
| machine_hex | 0..1 String | Specifies the type of target machine | direct |
| number_of_sections | 0..1 Integer | Specifies the number of sections in the PE binary, as a non-negative integer | direct |
| time_date_stamp | 0..1 Datetime | Specifies the time when the PE binary was created | direct |
| pointer_to_symbol_table_hex | 0..1 String | Specifies the file offset of the COFF symbol table | direct |
| number_of_symbols | 0..1 Integer | Specifies the number of entries in the symbol table of the PE binary, as a no... | direct |
| size_of_optional_header | 0..1 Integer | Specifies the size of the optional header of the PE binary | direct |
| characteristics_hex | 0..1 String | Specifies the flags that indicate the file's characteristics | direct |
| file_header_hashes | 0..1 HashesType | Specifies any hashes that were computed for the file header | direct |
| optional_header | 0..1 WindowsPEOptionalHeaderType | Specifies the PE optional header of the PE binary | direct |
| sections | * WindowsPESection | Specifies metadata about the sections in the PE file | direct |
| id | 0..1 StixIdentifier | STIX object identifier | StixEntity |
| type | 0..1 StixTypeName | STIX object type | StixEntity |
| name | 0..1 String | Human-readable name | StixEntity |
| description | 0..1 String | Human-readable description | StixEntity |
In Subsets
Comments
- stix_extension_key: windows-pebinary-ext stix_parent_type: file jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/file.json
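As an added example (not part of the schema project's code), the following Python reads the 20-byte COFF file header of a PE image and fills the direct slots of this class under the `windows-pebinary-ext` key of a `file` object. The function names, the constructed sample bytes, the dll/exe choice based on the DLL characteristics flag, and the zero-padded lowercase hex rendering are assumptions of this example.

```python
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000  # Characteristics flag from the PE/COFF specification


def pe_binary_ext(data: bytes) -> dict:
    """Build a windows-pebinary-ext dict from the COFF file header of `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    header = data[e_lfanew + 4:e_lfanew + 24]
    if len(header) != 20:
        raise ValueError("truncated COFF file header")
    machine, nsect, stamp, symtab, nsyms, opt_size, chars = struct.unpack("<HHIIIHH", header)
    created = datetime.fromtimestamp(stamp, timezone.utc)
    return {
        # pe_type is the only required slot; "sys" cannot be derived from this header
        "pe_type": "dll" if chars & IMAGE_FILE_DLL else "exe",
        "machine_hex": f"{machine:04x}",
        "number_of_sections": nsect,
        # precise to the second, as the slot description requires
        "time_date_stamp": created.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "pointer_to_symbol_table_hex": f"{symtab:08x}",
        "number_of_symbols": nsyms,
        "size_of_optional_header": opt_size,
        "characteristics_hex": f"{chars:04x}",
        "file_header_hashes": {"SHA-256": hashlib.sha256(header).hexdigest()},
    }


def sample_image() -> bytes:
    """Constructed input: 64-byte DOS header, PE signature and one COFF header."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 1453465872, 0, 0, 240, 0x2022)
    return dos + b"PE\x00\x00" + coff


def file_object(data: bytes) -> dict:
    """Wrap the extension in its parent STIX file object under the extension key."""
    return {"type": "file", "extensions": {"windows-pebinary-ext": pe_binary_ext(data)}}
```

The `sections`, `optional_header` and `imphash` slots are left out because they need parsing beyond the file header; if `sections` is emitted, the schema comment `jsonschema_minItems: "1"` means it must not be an empty list.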
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/attack
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | attack:PEBinaryExt |
| native | attack:PEBinaryExt |
LinkML Source
Direct
```yaml
name: PEBinaryExt
description: The Windows PE Binary File extension specifies a default extension for
  capturing properties specific to Windows portable executable (PE) files.
comments:
- 'stix_extension_key: windows-pebinary-ext stix_parent_type: file jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/file.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
is_a: CommonSchemaComponent
slots:
- pe_type
- imphash
- machine_hex
- number_of_sections
- time_date_stamp
- pointer_to_symbol_table_hex
- number_of_symbols
- size_of_optional_header
- characteristics_hex
- file_header_hashes
- optional_header
- sections
slot_usage:
  pe_type:
    name: pe_type
    required: true
  sections:
    name: sections
    comments:
    - 'jsonschema_minItems: "1"'
```
Induced
```yaml
name: PEBinaryExt
description: The Windows PE Binary File extension specifies a default extension for
  capturing properties specific to Windows portable executable (PE) files.
comments:
- 'stix_extension_key: windows-pebinary-ext stix_parent_type: file jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/file.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
is_a: CommonSchemaComponent
slot_usage:
  pe_type:
    name: pe_type
    required: true
  sections:
    name: sections
    comments:
    - 'jsonschema_minItems: "1"'
attributes:
  pe_type:
    name: pe_type
    description: Specifies the type of the PE binary. Open Vocabulary - windows-pebinary-type-ov
    comments:
    - 'open_vocabulary: WindowsPEBinaryTypeOv'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: pe_type
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: string
    required: true
    any_of:
    - range: WindowsPEBinaryTypeOv
    - range: string
  imphash:
    name: imphash
    description: Specifies the special import hash, or 'imphash', calculated for the
      PE binary.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: imphash
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: string
  machine_hex:
    name: machine_hex
    description: Specifies the type of target machine.
    comments:
    - 'jsonschema_format: hex'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: machine_hex
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: string
  number_of_sections:
    name: number_of_sections
    description: Specifies the number of sections in the PE binary, as a non-negative
      integer.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: number_of_sections
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: integer
    minimum_value: 0
  time_date_stamp:
    name: time_date_stamp
    description: Specifies the time when the PE binary was created. The timestamp
      value MUST BE precise to the second.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: time_date_stamp
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: datetime
  pointer_to_symbol_table_hex:
    name: pointer_to_symbol_table_hex
    description: Specifies the file offset of the COFF symbol table.
    comments:
    - 'jsonschema_format: hex'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: pointer_to_symbol_table_hex
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: string
  number_of_symbols:
    name: number_of_symbols
    description: Specifies the number of entries in the symbol table of the PE binary,
      as a non-negative integer.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: number_of_symbols
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: integer
    minimum_value: 0
  size_of_optional_header:
    name: size_of_optional_header
    description: Specifies the size of the optional header of the PE binary.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: size_of_optional_header
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: integer
    minimum_value: 0
  characteristics_hex:
    name: characteristics_hex
    description: Specifies the flags that indicate the file's characteristics.
    comments:
    - 'jsonschema_format: hex'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: characteristics_hex
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: string
  file_header_hashes:
    name: file_header_hashes
    description: Specifies any hashes that were computed for the file header.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: file_header_hashes
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: HashesType
  optional_header:
    name: optional_header
    description: Specifies the PE optional header of the PE binary.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: optional_header
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: WindowsPEOptionalHeaderType
    inlined: true
  sections:
    name: sections
    description: Specifies metadata about the sections in the PE file.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: sections
    owner: PEBinaryExt
    domain_of:
    - PEBinaryExt
    range: WindowsPESection
    multivalued: true
    inlined: true
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: PEBinaryExt
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: PEBinaryExt
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
  name:
    name: name
    description: Human-readable name.
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: PEBinaryExt
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
  description:
    name: description
    description: Human-readable description.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: PEBinaryExt
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string
```