custom_macro.yml
---
- name: macro
  title: Macro
  group: 2
  short: Fields describing a Windows macro.
  description: >
    Fields describing a Windows macro.
  type: group
  reusable:
    top_level: false
    expected:
      - file.Ext
  fields:
    - name: errors
      level: custom
      type: nested
      description: >
        Errors that occurred when parsing this document file.
    - name: errors.count
      level: custom
      type: long
      description: >
        Number of times this error occurred.
    - name: errors.error_type
      level: custom
      type: keyword
      description: >
        The type of parsing error that occurred.
    - name: collection
      level: custom
      type: object
      description: >
        Object containing hashes for the macro collection.
    - name: project_file
      level: custom
      type: object
      description: >
        Metadata about the corresponding VBA project file.
    - name: stream
      level: custom
      type: nested
      description: >
        Streams associated with the document.
    - name: stream.name
      level: custom
      type: keyword
      description: >
        Name of the stream.
    - name: stream.raw_code
      level: custom
      type: keyword
      description: >
        First 100KB of raw stream binary. Can be useful to analyze false positives and malicious payloads.
    - name: stream.raw_code_size
      level: custom
      type: keyword
      description: >
        The original stream size. Indicates whether stream.raw_code was truncated.
    - name: code_page
      level: custom
      type: long
      description: >
        Identifies the character encoding used for this macro. https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
      short: Identifies the character encoding used for this macro.
    - name: file_extension
      level: custom
      type: keyword
      description: >
        The extension of the file containing this macro (e.g. .docm).