dissect.target.loaders.cb

Module Contents

Classes

CbLoader	Use Carbon Black endpoints as targets using Live Response.
CbRegistry	Provides registry access for Windows targets.
CbRegistryHive	Base class for registry hives.
CbRegistryKey	Base class for registry keys.
CbRegistryValue	Base class for registry values.

class dissect.target.loaders.cb.CbLoader(path: str, parsed_path: urllib.parse.ParseResult = None, **kwargs)

Bases: dissect.target.loader.Loader

Use Carbon Black endpoints as targets using Live Response.

Use as cb://<hostname or IP>[@<instance>].

Refer to the Carbon Black documentation for setting up a credentials.cbc file.

sensor

session

get_device() → cbc_sdk.platform.Device | None

static detect(path: pathlib.Path) → bool

Detects wether this Loader class can load this specific path.

Parameters:

path – The target path to check.

Returns:

True if the path can be loaded by a Loader instance. False otherwise.

map(target: dissect.target.target.Target) → None

Maps the loaded path into a Target.

Parameters:

target – The target that we’re mapping into.

class dissect.target.loaders.cb.CbRegistry(target: dissect.target.target.Target, session: cbc_sdk.live_response_api.LiveResponseSession)

Bases: dissect.target.plugins.os.windows.registry.RegistryPlugin

Provides registry access for Windows targets.

Acts much the same to how the registry works on a live Windows machine. Hives are correctly mapped under e.g. HKLMSOFTWARE.

Internal functions only.

__register__ = False

Determines whether this plugin will be registered.

session

check_compatible() → bool

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

class dissect.target.loaders.cb.CbRegistryHive(session: cbc_sdk.live_response_api.LiveResponseSession, root_key: str)

Bases: dissect.target.helpers.regutil.RegistryHive

Base class for registry hives.

session

root_key

key(key: str) → CbRegistryKey

Retrieve a registry key from a specific path.

Parameters:

key – A path to a registry key within this hive.

Raises:

RegistryKeyNotFoundError – If the registry key could not be found.

class dissect.target.loaders.cb.CbRegistryKey(hive: CbRegistryHive, path: str)

Bases: dissect.target.helpers.regutil.RegistryKey

Base class for registry keys.

Parameters:

hive – The registry hive to which this registry key belongs.

session

property data: dict

property name: str

Returns the name of this key.

property path: str

Returns the path of this key.

property timestamp: datetime.datetime

Returns the last modified timestamp of this key.

subkey(subkey: str) → CbRegistryKey

Returns a specific subkey from this key.

Parameters:

subkey – The name of the subkey to retrieve.

Raises:

RegistryKeyNotFoundError – If this key has no subkey with the requested name.

subkeys() → list[CbRegistryKey]

Returns a list of subkeys from this key.

values() → list[CbRegistryValue]

Returns a list of all the values from this key.

class dissect.target.loaders.cb.CbRegistryValue(hive: CbRegistryHive, name: str, data: str, type: str)

Bases: dissect.target.helpers.regutil.RegistryValue

Base class for registry values.

Parameters:

hive – The registry hive to which this registry value belongs.

property name: str

Returns the name of this value.

property value: dissect.target.helpers.regutil.ValueType

Returns the value of this value.

property type: str

Returns the type of this value.

Reference:

• https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types