execve

Plugin

ArgDescriptionType
argvArgv to run the command with.list of string (required)
sepThe separator that will be used to split the stdout into rows.string
lengthSize of buffer to capture output per row.int64
envEnvironment variables to launch with.LazyExpr
cwdIf specified we change to this working directory first.string

Description

This plugin launches an external command and captures its STDERR, STDOUT and return code. The command’s stdout is split using the sep parameter as required.

This plugin is mostly useful for running arbitrary code on the client. If you do not want to allow arbitrary code to run, you can disable this by setting the prevent_execve flag in the client’s config file. Be aware than many artifacts require running external commands to collect their output though.

We do not actually transfer the external program to the system automatically. If you need to run programs which are not usually installed (e.g. Sysinternal’s autoruns.exe) you will need to use Velociraptor’s external tools feature to deliver and manage the tools on the client.

https://docs.velociraptor.app/docs/extending_vql/#using-external-tools

comments powered by Disqus