cit.modules
$ target-query <path/to/target> -f cit.modules
Module documentation
Plugin that parses CIT data from the registry.
Reference:
 - https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
Function documentation
Parse CIT tracked module information from the registry.
Contains applications that loaded a tracked module. By default these are:
 - System32\mrt100.dll
 - Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
 - Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll
 - Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
 - Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
 - Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
 - Microsoft.NET\Framework\v4.0.30319\clr.dll
 - Microsoft.NET\Framework64\v4.0.30319\clr.dll
 - Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
When the number of executables recorded for a tracked module exceeds 64, the OverflowQuota value is set with the last timestamp. When the path length of an executable exceeds 520 characters, the OverflowValue value is set.
Generally only available since Windows 10.
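As an added example (not part of the dissect.target plugin or its documentation), the helper below matches a module path against the default tracked-module list above and checks a per-module list of executables against the 64-entry quota and 520-character path limit, so an analyst can tell when the plugin output is necessarily incomplete. The executable list and the returned field names are constructed for illustration and do not follow dissect's record layout.

```python
from __future__ import annotations

from pathlib import PureWindowsPath

# Default tracked modules listed in the plugin documentation (relative to the Windows directory).
DEFAULT_TRACKED_MODULES = (
    r"System32\mrt100.dll",
    r"Microsoft.NET\Framework\v1.0.3705\mscorwks.dll",
    r"Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll",
    r"Microsoft.NET\Framework\v1.1.4322\mscorwks.dll",
    r"Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll",
    r"Microsoft.NET\Framework\v2.0.50727\mscorwks.dll",
    r"Microsoft.NET\Framework\v4.0.30319\clr.dll",
    r"Microsoft.NET\Framework64\v4.0.30319\clr.dll",
    r"Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll",
)

# Limits stated in the documentation: more than 64 executables sets OverflowQuota,
# an executable path longer than 520 characters sets OverflowValue.
EXECUTABLE_QUOTA = 64
MAX_PATH_LENGTH = 520


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; PureWindowsPath also folds '/' into '\'.
    return str(PureWindowsPath(path)).lower()


def is_default_tracked_module(module_path: str) -> bool:
    """True if module_path is one of the default tracked modules (path-component aware)."""
    norm = _norm(module_path)
    return any(norm == _norm(d) or norm.endswith("\\" + _norm(d)) for d in DEFAULT_TRACKED_MODULES)


def triage_module(executables: list[str]) -> dict:
    """Report what CIT could not record for one tracked module.

    `executables` is a constructed list of executable paths that loaded the module
    (hypothetical input shape, not dissect's CIT record fields).
    """
    overflowed = executables[EXECUTABLE_QUOTA:]
    too_long = [e for e in executables if len(e) > MAX_PATH_LENGTH]
    return {
        "recorded": min(len(executables), EXECUTABLE_QUOTA),
        "quota_overflow": len(overflowed) > 0,  # expect OverflowQuota to be set
        "value_overflow": too_long,             # expect OverflowValue to be set
    }
```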