proc_yara

Plugin

ArgDescriptionType
rulesYara rulesstring (required)
pidThe pid to scanint (required)
contextReturn this many bytes either side of a hitint
keyIf set use this key to cache the yara rules.string
namespaceThe Yara namespece to use.string
varsThe Yara variables to use.ordereddict.Dict
numberStop after this many hits (1).int64

Required Permissions: MACHINE_STATE

Description

Scan processes using yara rules.

This plugin uses yara’s own engine to scan process memory for the signatures.

Process memory access depends on having the SeDebugPrivilege which depends on how Velociraptor was started. Even when running as System, some processes are not accessible.