`dissect.target.plugins.apps.edr.velociraptor`¶

Module Contents¶

Classes¶

`VelociraptorRecordBuilder`
`VelociraptorPlugin`	Returns records from Velociraptor artifacts.

Attributes¶

`VELOCIRAPTOR_RESULTS`
`ISO_8601_PATTERN`

dissect.target.plugins.apps.edr.velociraptor.VELOCIRAPTOR_RESULTS = '/$velociraptor_results$'¶

dissect.target.plugins.apps.edr.velociraptor.ISO_8601_PATTERN = '\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?(Z|[+-]\\d{2}:\\d{2})?'¶

class dissect.target.plugins.apps.edr.velociraptor.VelociraptorRecordBuilder(artifact_name: str)¶

record_name = 'velociraptor/Uninferable'¶

build(object: dict, target: dissect.target.target.Target) → dissect.target.helpers.record.TargetRecordDescriptor¶: Builds a Velociraptor record.

class dissect.target.plugins.apps.edr.velociraptor.VelociraptorPlugin(target: dissect.target.target.Target)¶

Bases: dissect.target.plugin.Plugin

Returns records from Velociraptor artifacts.

__namespace__ = 'velociraptor'¶: Defines the plugin namespace.

results_dir¶

check_compatible() → None¶

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

results() → collections.abc.Iterator[flow.record.Record]¶

Return Rapid7 Velociraptor artifacts.

References

https://docs.velociraptor.app/docs/vql/artifacts/

dissect.target.plugins.apps.edr.velociraptor¶

Module Contents¶

Classes¶

Attributes¶

`dissect.target.plugins.apps.edr.velociraptor`¶