Processes
Overview
Evidence: Processes
Description: Collect Processes
Category: System
Platform: esxi
Short Name: process
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
On ESXi, a process snapshot captures the worlds (the VMkernel's schedulable entities) that make up the running services and daemons managing hypervisor operations, together with the VMX processes that back each virtual machine. This visibility is key for detecting unauthorized services and runtime anomalies, because a persistent implant on an ESXi host must ultimately show up as a world with a command line, a cartel and a parent.
Data Collected
This collector gathers structured data about processes.
Processes Data
| Field | Description | Example |
|---|---|---|
| WID | World ID: the VMkernel's schedulable entity, roughly a thread | 123 |
| CID | Cartel ID: the group of worlds that makes up a process; all worlds of one process share a CID | 123 |
| Name | World name (typically the daemon name, or the VM name for vmx worlds) | Example value |
| GID | Group ID of the world as reported in the snapshot | 123 |
| PGID | Process group ID | 123 |
| SID | Session ID | 123 |
| PCID | Parent cartel ID: the cartel that spawned this one | 123 |
| Type | World type (kernel or user world) | Example value |
| State | Scheduler state of the world (running, waiting, ...) | Example value |
| Wait | What the world is currently waiting on, if blocked | Example value |
| CPU | CPU field as reported in the snapshot | Example value |
| Time | Accumulated CPU time of the world | Example value |
| SecurityDomain | Security domain the process runs under (ESXi daemon sandboxing) | Example value |
| UserSpace | Whether the world runs in user space rather than in the VMkernel | Example value |
| Command | Full command line of the process, including arguments | Example value |
Collection Method
This collector parses a pre-generated, detailed process snapshot text file (one world per line), tokenizes the columns, and normalizes the per-world attributes into the fields above: identifiers (WID, CID, GID, PGID, SID, PCID), type and state, the CPU and time fields, security domain, and the command line. Because the command line is the last column and may itself contain spaces, or be absent for kernel worlds, tokenization must split only the fixed leading columns and keep the remainder intact.
Forensic Value
Process listings reveal which components were active at collection time, expose potentially malicious or misconfigured services (for example binaries launched from writable scratch or datastore locations, or cartels with an unexpected parent), and, through the CID and PCID relationships, let each process be tied to its worlds and to the daemon or VM that spawned it. This supports timeline correlation with host events and VM operations.
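As an added example (not the collector's own code), the following Python shows the parsing described under Collection Method and one of the checks described above: it tokenizes a constructed snapshot, groups worlds into cartels so that a process can be viewed as a whole, and flags user-space worlds whose executable runs from outside trusted directories. The column layout (fourteen whitespace-separated columns followed by the free-form command line), the sample lines and the trusted-directory allowlist are assumptions made for this example.

```python
"""Parse an ESXi-style process snapshot into per-world records, group worlds
into cartels (processes), and flag commands running from untrusted locations.

Added example, not the collector's own code. The column layout is an
assumption: fourteen whitespace-separated columns followed by the command
line, which may contain spaces or be absent for kernel worlds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the assumed layout; values are illustrative only.
SAMPLE_SNAPSHOT = """\
WID CID Name GID PGID SID PCID Type State Wait CPU Time SecurityDomain UserSpace Command
1 1 idle0 1 1 1 0 Kernel RUN NONE 0 1234:56:07.89 - N
2097 2097 hostd 2097 2097 2097 2080 User WAIT UFUTEX 3 00:12:33.02 hostd Y /bin/hostd ++group=hostd /etc/vmware/hostd/config.xml
2098 2097 hostd-worker 2097 2097 2097 2080 User WAIT UFUTEX 1 00:00:41.10 hostd Y /bin/hostd ++group=hostd /etc/vmware/hostd/config.xml
3101 3101 vmx 3101 3101 3101 2080 User WAIT UFUTEX 2 01:05:12.50 vmx Y /bin/vmx -s sched.group=host/user /vmfs/volumes/ds1/web01/web01.vmx
3150 3150 sh 3150 3150 3150 3101 User WAIT UPIPE 0 00:00:00.30 - Y /tmp/.x/upd -c /tmp/.x/cfg
"""

# The fixed columns; anything after them on a line is the command line.
FIXED_COLUMNS = ["WID", "CID", "Name", "GID", "PGID", "SID", "PCID", "Type",
                 "State", "Wait", "CPU", "Time", "SecurityDomain", "UserSpace"]


@dataclass
class World:
    wid: int
    cid: int
    name: str
    gid: int
    pgid: int
    sid: int
    pcid: int
    type: str
    state: str
    wait: str
    cpu: int
    time_seconds: float
    security_domain: Optional[str]
    user_space: bool
    command: Optional[str]


def parse_time(text: str) -> float:
    """Convert H:MM:SS.ff (hours may exceed two digits) to seconds."""
    hours, minutes, seconds = text.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_snapshot(text: str) -> List[World]:
    """Tokenize one world per line; the header and blank lines are skipped."""
    worlds: List[World] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Split only the fixed columns so a command line with spaces survives.
        parts = line.split(None, len(FIXED_COLUMNS))
        if parts[0] == "WID":  # header line
            continue
        if len(parts) < len(FIXED_COLUMNS):
            raise ValueError(f"line {lineno}: expected at least "
                             f"{len(FIXED_COLUMNS)} columns, got {len(parts)}")
        fixed = dict(zip(FIXED_COLUMNS, parts))
        # Kernel worlds have no command line, so the remainder may be absent.
        command = parts[len(FIXED_COLUMNS)] if len(parts) > len(FIXED_COLUMNS) else None
        worlds.append(World(
            wid=int(fixed["WID"]), cid=int(fixed["CID"]), name=fixed["Name"],
            gid=int(fixed["GID"]), pgid=int(fixed["PGID"]), sid=int(fixed["SID"]),
            pcid=int(fixed["PCID"]), type=fixed["Type"], state=fixed["State"],
            wait=fixed["Wait"], cpu=int(fixed["CPU"]),
            time_seconds=parse_time(fixed["Time"]),
            security_domain=None if fixed["SecurityDomain"] == "-" else fixed["SecurityDomain"],
            user_space=fixed["UserSpace"] == "Y",
            command=command,
        ))
    return worlds


def group_by_cartel(worlds: List[World]) -> Dict[int, List[World]]:
    """An ESXi process is a cartel of worlds; grouping by CID gives the process view."""
    cartels: Dict[int, List[World]] = {}
    for w in worlds:
        cartels.setdefault(w.cid, []).append(w)
    return cartels


# Directories legitimate ESXi user-space binaries are expected to run from.
# This allowlist is an assumption for the example; tune it to the environment.
TRUSTED_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                    "/usr/lib/vmware", "/usr/libexec")


def suspicious_commands(worlds: List[World]) -> List[Tuple[int, str]]:
    """Return (WID, executable) for user-space worlds running from outside TRUSTED_BIN_DIRS."""
    findings = []
    for w in worlds:
        if not w.user_space or not w.command:
            continue
        exe = w.command.split()[0]
        if not any(exe.startswith(d + "/") for d in TRUSTED_BIN_DIRS):
            findings.append((w.wid, exe))
    return findings


if __name__ == "__main__":
    parsed = parse_snapshot(SAMPLE_SNAPSHOT)
    for cid, members in group_by_cartel(parsed).items():
        print(f"cartel {cid}: {[w.name for w in members]}")
    for wid, exe in suspicious_commands(parsed):
        print(f"suspicious: WID {wid} runs {exe}")
```

The two-stage split is the part worth copying: splitting on every run of whitespace would scatter `/bin/vmx -s sched.group=host/user ...` across phantom columns, while `split(None, 14)` keeps the command line whole and leaves `command` empty for kernel worlds. Grouping by CID then restores the process view that per-world lines hide, and PCID can be followed the same way to find which cartel spawned a suspicious one.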