Environment Variables
Overview
Section titled “Overview”Evidence: Environment Variables
Description: ESXi Environment Variables
Category: System
Platform: esxi
Short Name: envvar
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”Environment variables in ESXi control process execution contexts, system paths, configuration locations, and runtime behavior. Attackers may inject malicious paths, proxy settings, or library preloads via environment variables to enable persistence or hijack system processes.
Data Collected
Section titled “Data Collected”This collector gathers structured data about environment variables.
Environment Variables Data
Section titled “Environment Variables Data”| Field | Description | Example |
|---|---|---|
AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
AccessCount | Access Count | 123 |
URL | URL | Example value |
Browser | Browser | Example value |
Title | Title | Example value |
VisitDuration | Visit Duration | Example value |
Referrer | Referrer | Example value |
TypedCount | Typed Count | 123 |
IsHidden | Is Hidden | true |
TransitionType | Transition Type | Example value |
VisitID | Visit ID | 123 |
TransitionQualifiers | Transition Qualifiers | Example value |
User | User | Example value |
Profile | Profile | Example value |
HistoryFilePath | History File Path | Example value |
Collection Method
Section titled “Collection Method”This collector parses system environment variables, extracting variable names and their assigned values from the ESXi shell environment and system-wide configuration contexts.
Forensic Value
Section titled “Forensic Value”Environment variable analysis reveals configuration tampering, malicious PATH manipulations, suspicious LD_PRELOAD entries, unauthorized proxy configurations, and other environment-based persistence mechanisms. Comparing against baselines identifies unauthorized modifications that enable privilege escalation or process hijacking.