Client Side

This page lists the plugins used to collect information from clients.

VQL plugins are the data sources of VQL queries. While SQL queries refer to static tables of data, VQL queries refer to plugins, which generate data rows to be filtered by the query.

Unlike SQL, VQL plugins also receive keyword arguments. When the plugin is evaluated it simply generates a sequence of rows which are further filtered by the query.

This allows VQL statements to be chained naturally since plugin args may also be other queries.

VQL plugins are not the same as VQL functions. A plugin is the subject of the VQL query - i.e. plugins always follow the FROM keyword, while functions (which return a single value instead of a sequence of rows) are only present in column specification (e.g. after SELECT) or in condition clauses (i.e. after the WHERE keyword).

chainPluginChain the output of several queries into the same table
collectPluginCollect artifacts into a local file
commandline_splitFunctionSplit a commandline into separate components following the windows
connectionsPluginList all active connections
crypto_rc4FunctionApply rc4 to the string and key
environPluginThe row returned will have all environment variables as
execvePluginThis plugin launches an external command and captures its STDERR,
filesystemsPluginEnumerates mounted filesystems
flattenPluginFlatten the columns in query
forPluginIterate over a list
foreachPluginExecutes ‘query’ once for each row in the ‘row’ query
globPluginRetrieve files based on a list of glob expressions
grepFunctionSearch a file for keywords
hashFunctionCalculate the hash of a file
http_clientPluginMake a http request
ifPluginConditional execution of query
infoPluginGet information about the running host
intFunctionTruncate to an integer
ipFunctionFormat an IP address
js_getFunctionGet a variable’s value from the JS VM
js_setFunctionSet a variables value in the JS VM
magicFunctionIdentify a file using magic rules
netcatPluginMake a tcp connection and read data from a socket
pathspecFunctionCreate a structured path spec to pass to certain accessors
pipeFunctionA pipe allows plugins that use files to read data from a vql
profilePluginReturns a profile dump from the running process
pslistPluginEnumerate running processes
read_filePluginRead files in chunks
reg_rm_keyFunctionRemoves a key and all its values from the registry
reg_rm_valueFunctionRemoves a value in the registry
reg_set_valueFunctionSet a value in the registry
rmFunctionRemove a file from the filesystem using the API
scopePluginThe scope plugin returns the current scope as a single row
sqlPluginRun queries against sqlite, mysql, and postgres databases
statPluginGet file information
switchPluginExecutes each query
tempfileFunctionCreate a temporary file and write some data into it
uploadFunctionUpload a file to the upload service
uploadPluginUpload files to the server
upload_gcsFunctionUpload files to GCS
upload_s3FunctionUpload files to S3
whoamiFunctionReturns the username that is running the query
write_csvPluginWrite a query into a CSV file
yaraPluginScan files using yara rules
comments powered by Disqus