
Module List

Evidence: Module List
Description: List ESXi Modules
Category: System
Platform: esxi
Short Name: modlist
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

ESXi kernel modules extend hypervisor functionality with device drivers, storage adapters, and system services. Loaded modules represent active kernel components and can include malicious kernel-mode rootkits or unauthorized driver installations that compromise hypervisor security.

This collector gathers structured data about the module list.

| Field | Description | Example |
| --- | --- | --- |
| AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
| AccessCount | Access Count | 123 |
| URL | URL | Example value |
| Browser | Browser | Example value |
| Title | Title | Example value |
| VisitDuration | Visit Duration | Example value |
| Referrer | Referrer | Example value |
| TypedCount | Typed Count | 123 |
| IsHidden | Is Hidden | true |
| TransitionType | Transition Type | Example value |
| VisitID | Visit ID | 123 |
| TransitionQualifiers | Transition Qualifiers | Example value |
| User | User | Example value |
| Profile | Profile | Example value |
| HistoryFilePath | History File Path | Example value |

This collector parses loaded kernel module information, extracting module names, descriptions, versions, vendor information, license types, load addresses, module sizes, and dependency relationships for each currently loaded VMkernel module.

Module analysis reveals unauthorized kernel extensions, detects known malicious modules, validates driver integrity, and identifies unsigned or suspicious kernel components. Comparing module lists against baselines helps discover rootkits, backdoors, or compromised drivers that operate at the highest privilege level.
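
The baseline comparison described above, as an added example that is not part of the collector or its documentation. It assumes the input is the three-column text printed by `esxcli system module list` (Name, Is Loaded, Is Enabled) rather than the collector's own parsed output; both listings are constructed and `examplemod` is a made-up module name.

```python
# Added example: sample listings are constructed; "examplemod" is a made-up name.
BASELINE = """\
Name       Is Loaded  Is Enabled
---------  ---------  ----------
vmkernel        true        true
chardevs        true        true
nvme_pcie      false        true
lsi_mr3         true        true
"""

CURRENT = """\
Name        Is Loaded  Is Enabled
----------  ---------  ----------
vmkernel         true        true
chardevs         true        true
nvme_pcie        true        true
examplemod       true       false
"""

BOOLS = {"true": True, "false": False}

def parse_module_list(text):
    """Return {module_name: (is_loaded, is_enabled)} from the table text."""
    modules = {}
    for line in text.splitlines():
        parts = line.split()
        # Header and separator rows fail this check and are skipped.
        if len(parts) == 3 and parts[1] in BOOLS and parts[2] in BOOLS:
            modules[parts[0]] = (BOOLS[parts[1]], BOOLS[parts[2]])
    return modules

def diff_against_baseline(baseline, current):
    """Return sorted (finding, module_name) pairs that need review."""
    findings = []
    for name, (loaded, enabled) in current.items():
        if name not in baseline:
            findings.append(("new_module", name))
        elif loaded and not baseline[name][0]:
            findings.append(("newly_loaded", name))
        if loaded and not enabled:
            # Loaded now although not enabled; worth checking how it was loaded.
            findings.append(("loaded_not_enabled", name))
    findings += [("missing_module", n) for n in set(baseline) - set(current)]
    return sorted(findings)

if __name__ == "__main__":
    for finding, name in diff_against_baseline(
            parse_module_list(BASELINE), parse_module_list(CURRENT)):
        print(f"{finding:20} {name}")
```

A name-level diff only narrows the review; each flagged module still needs its file, version and signature checked against the expected build.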