From 4d883c957d44529174f7ecfbece84d2dfc076344 Mon Sep 17 00:00:00 2001
From: Dave McCormack
Date: Wed, 22 Jan 2025 18:08:28 +0000
Subject: [PATCH] Add 'internal_name' attribute to 'file' object. (#1322)
#### Description of changes:
This PR adds an `internal_name` to the dictionary and to the `file` object. This attribute is intended to capture the name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable (#NotAMacGuy).
---------
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
---
 CHANGELOG.md | 2 ++
 dictionary.json | 5 +++++
 objects/file.json | 4 ++++
 3 files changed, 11 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 37d3aeed7..133e55952 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -83,6 +83,7 @@ Thankyou! -->
 1. Added `event_uid` as a `string_t`. #1312
 1. Added `debug` attribute as a `string_t` array, used in the `metadata` object. #1308
 1. Added `ancestry` as a list of `process_entity`. #1317
+ 1. Added `internal_name` as a `string_t`. #1322
 * #### Objects
 1. Added `environment_variable` object. #1172, #1288
@@ -182,6 +183,7 @@ Thankyou! -->
 1. Added optional `url` attribute to the `file` object. This was allows capturing a file's URL in the File Hosting Activity (6006) event class. #1289
 1. Changed the `process` object to extend the `process_entity` object. #1317
 1. Added `ancestry` to the `process` object. #1317
+ 1. Added `internal_name` to the `file` object. #1322
 ### Bugfixes
 1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180
diff --git a/dictionary.json b/dictionary.json
index ed57d1ae2..f8c656e79 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -2660,6 +2660,11 @@
 "type": "ip_t",
 "is_array": true
 },
+ "internal_name": {
+ "caption": "Internal Name",
+ "description": "The name by which a resource identifies itself internally. See specific usage.",
+ "type": "string_t"
+ },
 "invoked_by": {
 "caption": "Invoked by",
 "description": "The name of the service that invoked the activity as described in the event.",
diff --git a/objects/file.json b/objects/file.json
index 5ed579e02..e2c6e9b64 100644
--- a/objects/file.json
+++ b/objects/file.json
@@ -60,6 +60,10 @@
 "hashes": {
 "requirement": "recommended"
 },
+ "internal_name": {
+ "description": "The name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable.",
+ "requirement": "optional"
+ },
 "is_deleted": {
 "description": "Indicates if the file was deleted from the filesystem.",
 "requirement": "optional"
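Review bot: The new `internal_name` description in objects/file.json presents the value as a more trustworthy identifier than the on-disk name, but a VERSIONINFO resource or an embedded Info.plist is author-supplied metadata that malware routinely forges (for example by copying the version strings of a legitimate system binary), so a consumer reading this schema could wrongly treat the field as authenticated. I would append a sentence such as `This value is self-reported by the file and is not authenticated unless the file's code signature has been validated; treat it as untrusted input, and note that a mismatch between internal_name and name is itself a common masquerading indicator rather than proof of either name.` The description should also state which version-resource string it maps from, since Windows version resources carry both `InternalName` and `OriginalFilename` and existing detection content keys on each; presumably `InternalName` is intended given the attribute name, but if producers may fall back to `OriginalFilename` that should be spelled out. Finally, it would help to say that producers must leave the attribute absent rather than copying the on-disk `name` into it when no embedded name exists, otherwise the field loses exactly the independence the description relies on.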