Windows Specific

Many VQL plugins and functions provide access to the Windows APIs. The following are only available when running on Windows.

appcompatcache

Plugin

Parses the appcompatcache.

authenticode

Function

This function parses Authenticode signature information from PE files.

On Windows, the function also calls the Windows API to determine whether the binary's signature chains to a certificate the system trusts.

Arg Description Type
accessor The accessor to use. string
filename The filename to parse. string (required)
verbose Set to receive verbose information about all the certs. bool
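The following is an added example (not part of the Velociraptor documentation) that combines authenticode() with glob() to flag executables in a directory whose signatures the host does not trust. The column names FullPath (from glob()) and Trusted and SubjectName (from authenticode()) are assumed here, as is the string value "trusted".

```vql
-- Assumed column names: glob() yields FullPath; authenticode() yields
-- Trusted (string, "trusted" when the chain is accepted by the OS) and SubjectName.
SELECT FullPath,
       Sig.SubjectName AS Signer,
       Sig.Trusted AS Trusted
FROM glob(globs="C:\\Windows\\Temp\\*.exe")
LET Sig = authenticode(filename=FullPath)
WHERE NOT Sig.Trusted = "trusted"
```

A "trusted" result only means the chain terminates in a root the host accepts; it says nothing about whether the publisher is one you expect, so pair it with a check on the subject name. Set verbose=TRUE when you need every certificate in the chain rather than just the leaf summary.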

certificates

Plugin

Collect certificates from the system trust store.

This plugin uses the Windows APIs to fetch the certificates. You might also want to look at the Windows.System.RootCAStore artifact.

dns

Plugin

Monitor dns queries.

This plugin opens a raw socket and monitors network traffic for DNS questions and answers.

When Velociraptor opens a raw socket, Windows Defender sometimes treats that as suspicious behaviour and quarantines the Velociraptor binary. This can be avoided by signing the binary, which signals to Windows Defender that the binary is legitimate.

If you do not intend to build Velociraptor from source, use the official signed Velociraptor binaries, which should not trigger alerts from Windows Defender.

It is generally better to use ETW for DNS monitoring than this plugin (see the Windows.Events.DNSQueries artifact).

handles

Plugin

Enumerate process handles.

Arg Description Type
pid The PID to dump out. int64 (required)

interfaces

Plugin

List all active network interfaces using the API.

lookupSID

Function

Get information about the SID.

Arg Description Type
sid A SID to lookup using LookupAccountSid string (required)

modules

Plugin

Enumerate Loaded DLLs.

Arg Description Type
pid The PID to dump out. int64 (required)

netstat

Plugin

Collect network information.

partitions

Plugin

List all partitions.

Arg Description Type
all If specified list all Partitions bool

proc_dump

Plugin

Dumps process memory.

Dumps a process into a crash dump. The crash dump file can be opened with the Windows debugger as normal. The plugin returns the filename of the crash dump, which is a temporary file: it is removed when the query completes, so if you want to keep it, use the upload() function to send it to the server, or otherwise copy it, within the same query.

Arg Description Type
pid The PID to dump out. int64 (required)
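An added example (not from the Velociraptor documentation) of dumping a process by name and uploading the dump before the temporary file is deleted. The upload() call sits inside the inner query so it runs while the file still exists. The column names Pid and Name (from pslist()) and FullPath (from proc_dump()) are assumed.

```vql
-- Assumed column names: pslist() yields Pid and Name; proc_dump() yields FullPath.
-- Target process name is a constructed example; adjust the regex to taste.
SELECT * FROM foreach(
  row={
    SELECT Pid, Name FROM pslist()
    WHERE Name =~ "(?i)^lsass\\.exe$"
  },
  query={
    SELECT Pid, Name, FullPath,
           upload(file=FullPath,
                  name=format(format="%v_%v.dmp", args=[Name, Pid])) AS Upload
    FROM proc_dump(pid=Pid)
  })
```

Dumping a process reads all of its memory, so the same SeDebugPrivilege caveats that apply to proc_yara apply here, and dumps of credential-bearing processes should be handled as sensitive data on the server.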

proc_yara

Plugin

Scan processes using yara rules.

This plugin uses yara’s own engine to scan process memory for the signatures.

Process memory access requires SeDebugPrivilege, which depends on how Velociraptor was started. Even when running as SYSTEM, some processes (for example protected processes) are not accessible.

Arg Description Type
rules Yara rules string (required)
pid The pid to scan int (required)
context Return this many bytes either side of a hit int
key If set use this key to cache the yara rules. string
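An added example (not from the Velociraptor documentation) that scans every process except Velociraptor itself with one rule set, using the key argument so the compiled rules are cached across iterations instead of being recompiled per process. The rule is a constructed placeholder; the column names Pid and Name (pslist()) and Rule and String (proc_yara()) are assumed.

```vql
-- Constructed rule for illustration only; replace with real detection logic.
LET YaraRules = '''
rule ExampleMarker {
    strings:
        $a = "Velociraptor" ascii wide
    condition:
        $a
}
'''

-- Assumed column names: pslist() yields Pid and Name;
-- proc_yara() yields Rule and a String object with Offset and HexData.
SELECT Pid, Name, Rule,
       String.Offset AS Offset,
       String.HexData AS HexData
FROM foreach(
  row={ SELECT Pid, Name FROM pslist() WHERE NOT Pid = getpid() },
  query={
    SELECT Pid, Name, Rule, String
    FROM proc_yara(pid=Pid, rules=YaraRules, key="ExampleMarker", context=16)
  })
```

Processes that cannot be opened are skipped with an error in the query log rather than aborting the whole scan, so check the log as well as the result rows when a scan comes back empty for a process you expected to hit.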

read_reg_key

Plugin

This is a convenience plugin which applies the globs to the registry accessor to find keys. For each matching key the plugin lists all the values within it and returns one row in which the value names are the columns; each cell contains the value's stat info, with the data content available in its Data field.

This makes it easier to access several related values at once.

Arg Description Type
globs Glob expressions to apply. list of string (required)
accessor The accessor to use. string
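An added example (not from the Velociraptor documentation) that uses read_reg_key() to check the Winlogon Shell and Userinit values, a common persistence location, against their defaults. It assumes the plugin returns a Key column holding the matched key's stat info (with FullPath and Mtime) alongside one column per value.

```vql
-- Assumed: read_reg_key() returns Key (stat of the matched key) plus one
-- column per registry value; the value's content is in its Data field.
SELECT Key.FullPath AS Key,
       Key.Mtime AS Modified,
       Shell.Data AS Shell,
       Userinit.Data AS Userinit
FROM read_reg_key(
  globs="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon")
WHERE NOT Shell.Data =~ "(?i)^explorer\\.exe$"
   OR NOT Userinit.Data =~ "(?i)^[a-z]:\\\\windows\\\\system32\\\\userinit\\.exe,?$"
```

Because each value becomes a column, a key that lacks one of the named values yields a NULL cell rather than an error, and the WHERE clause above then flags the row; that is usually what you want for a key whose defaults are well known.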

srum_lookup_id

Function

Lookup a SRUM id.

Arg Description Type
file string (required)
accessor The accessor to use. string
id int64 (required)

token

Function

Extract process token.

Arg Description Type
pid The PID to get the token for. int64 (required)

users

Plugin

Display information about workstation local users. This is obtained through the NetUserEnum() API.

vad

Plugin

Enumerate process memory regions.

Arg Description Type
pid The PID to dump out. int64 (required)

winobj

Plugin

Enumerate the Windows Object Manager namespace.

Arg Description Type
path Object namespace path. string

wmi

Plugin

Execute simple WMI queries synchronously.

This plugin issues a WMI query and returns its rows directly. The exact shape of each returned row depends on the WMI query issued.

This plugin bridges WMI and VQL and is very commonly used for inspecting the state of Windows systems.

Arg Description Type
query The WMI query to issue. string (required)
namespace The WMI namespace to use (ROOT/CIMV2) string
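An added example (not from the Velociraptor documentation) showing a query against a non-default namespace. It lists registered antivirus products from the Security Center provider; the AntiVirusProduct class and its properties are assumed to be present, which is the case on workstation editions but not on servers.

```vql
-- Assumed: ROOT/SecurityCenter2 exposes AntiVirusProduct with these properties
-- (workstation SKUs only). WMI property names are returned with their WMI casing.
SELECT displayName AS Product,
       productState AS State,
       pathToSignedProductExe AS Exe,
       timestamp AS LastUpdated
FROM wmi(
  query="SELECT displayName, productState, pathToSignedProductExe, timestamp FROM AntiVirusProduct",
  namespace="ROOT/SecurityCenter2")
```

Omitting the namespace argument selects ROOT/CIMV2, which is where the Win32_* classes live; queries against any other namespace must name it explicitly or they return nothing.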