pathPath to open and hash.string (required)
accessorThe accessor to usestring
typeMagic type (can be empty or ‘mime’ or ’extension’)string
magicAdditional magic to loadstring


Identify a file using magic rules.

Magic rules are designed to identify a file based on a sequence of tests. They are a great way of quickly triaging a file type based on its content, not its name.

Detection is facilitated via libmagic - a common library powering the unix “file” utility. Velociraptor comes with all of “file” basic magic signatures.

You can also write your own signatures using the magic syntax (see )


The following will check all files in /var/lib applying a custom magic rule.

LET Magic = '''
0 search/1024 "GET Apache Logs
!:strength + 100

SELECT FullPath, Size, magic(path=FullPath, magic=Magic)
FROM glob(globs="/var/lib/*")

NOTE: magic() requires reading the headers of each file which causes the file to be opened. If you have on-access scanning such as Windows Defender “Realtime monitoring”, applying magic() on many files (e.g. in a glob) may result in substantial load on the endpoint.

comments powered by Disqus