Parsers

Many Velociraptor artifacts rely on specialized parsing of file formats. This page outlines all the plugins and functions designed to allow the client to parse information for various files.

Simple file formats may be parsed using regular expressions and other generic rules. However some specialized file formats have dedicated parsers. These dedicated parsers are exported into VQL plugins so their results may be used in further queries.

Plugin/FunctionTypeDescription
grokFunctionParse a string using a Grok expression
olevbaPluginExtracts VBA Macros from Office documents
parse_auditdPluginParse log files generated by auditd
parse_binaryFunctionParse a binary file into a data structure using a profile
parse_csvPluginParses events from a CSV file
parse_esePluginOpens an ESE file and dump a table
parse_ese_catalogPluginOpens an ESE file and dump the schema
parse_evtxPluginParses events from an EVTX file
parse_floatFunctionConvert a string to a float
parse_jsonFunctionParse a JSON string into an object
parse_json_arrayFunctionParse a JSON string into an array
parse_json_arrayPluginParses events from a line oriented json file
parse_jsonlPluginParses a line oriented json file
parse_linesPluginParse a file separated into lines
parse_mftPluginScan the $MFT from an NTFS volume
parse_ntfsFunctionParse specific inodes from an NTFS image file or the raw device
parse_ntfs_i30PluginScan the $I30 stream from an NTFS MFT entry
parse_ntfs_rangesPluginShow the run ranges for an NTFS stream
parse_peFunctionParse a PE file
parse_pkcs7FunctionParse a DER encoded pkcs7 string into an object
parse_records_with_regexPluginParses a file with a set of regexp and yields matches as records
parse_recyclebinPluginParses a $I file found in the $Recycle
parse_string_with_regexFunctionParse a string with a set of regex and extract fields
parse_usnPluginParse the USN journal from a device
parse_x509FunctionParse a DER encoded x509 string into an object
parse_xmlFunctionParse an XML document into a dict like object
parse_yamlFunctionParse yaml into an object
plistFunctionParse plist file
plistPluginParses a plist file
prefetchPluginParses a prefetch file
regex_replaceFunctionSearch and replace a string with a regexp
rot13FunctionApply rot13 deobfuscation to the string
split_recordsPluginParses files by splitting lines into records
sqlitePluginOpens an SQLite file and run a query against it
starlFunctionCompile a starlark code block - returns a module usable in VQL
xorFunctionApply xor to the string and key
comments powered by Disqus