User Info
Overview
Evidence: User Info
Description: ESXi User Info
Category: System
Platform: esxi
Short Name: userinfo
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
ESXi user session information records active and recent user logins, including administrator and service account access. It is critical for identifying unauthorized access, establishing user activity timelines, and detecting compromised credentials or suspicious login patterns.
Data Collected
This collector gathers one structured record per user session recorded on the ESXi host.
User Info Data
| Field | Description | Example |
|---|---|---|
| Name | Username of the account that logged in | Example value |
| Terminal | Terminal or session type the login was attached to | Example value |
| SessionTime | Session duration or idle time reported for the login | Example value |
| Date | Login timestamp, including the date | Example value |
| IP | Source IP address the session originated from | Example value |
Collection Method
This collector parses the user information file (user_info.txt), extracting the username, terminal/session type, login timestamp with date, and source IP address for each user session recorded on the ESXi host.
Forensic Value
User login records provide evidence of account access, help establish user activity timelines, and identify suspicious login sources. Analyzing login times, source IPs, and session types helps detect unauthorized access, credential misuse, and potential lateral movement from compromised accounts. Because the file reflects only the active and recent sessions present at collection time, the absence of a record is not evidence that no login occurred; corroborate findings against the host's authentication logs.
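The following is an added example and not the collector's own code: it parses a constructed user_info.txt sample into the five fields listed above and then applies the kind of triage described here, flagging sessions whose source IP falls outside an assumed set of administrative networks or whose login time falls outside assumed working hours. The file layout (a header line followed by whitespace-separated columns for user, terminal, idle time, login date/time, and source host, with "-" for a local console login) is an assumption, as are the sample records, the network ranges, and the working-hours window.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample; the column layout is assumed, not taken from the page.
SAMPLE_USER_INFO = """\
USER     TTY      IDLE      TIME              HOST
root     pts/0    00:00:12  2024-03-01 09:14  10.10.5.20
root     pts/1    02:41:03  2024-03-01 02:37  203.0.113.44
svc-bkp  pts/2    00:00:00  2024-03-01 09:30  10.10.5.21
root     console  00:05:10  2024-03-01 08:02  -
"""

# One record per line: name, terminal, session/idle time, "YYYY-MM-DD HH:MM", source host.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<terminal>\S+)\s+(?P<session>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<ip>\S+)\s*$"
)


@dataclass
class Session:
    name: str
    terminal: str
    session_time: str
    date: datetime
    ip: Optional[str]  # None for local console logins recorded as "-"


def parse_user_info(text: str) -> List[Session]:
    """Parse the assumed user_info.txt layout into Session records."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("USER"):
            continue  # blank line or column header
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip a malformed line rather than abort the whole file
        ip = None if m["ip"] == "-" else m["ip"]
        sessions.append(
            Session(
                name=m["name"],
                terminal=m["terminal"],
                session_time=m["session"],
                date=datetime.strptime(m["date"], "%Y-%m-%d %H:%M"),
                ip=ip,
            )
        )
    return sessions


def flag_suspicious(
    sessions: List[Session],
    admin_networks: List[str],
    work_hours: Tuple[int, int] = (7, 19),
) -> List[Tuple[Session, List[str]]]:
    """Return (session, reasons) for logins from unexpected sources or off-hours.

    admin_networks and work_hours are assumed site policy, not ESXi data.
    """
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    for s in sessions:
        reasons = []
        if s.ip is not None:
            try:
                addr = ipaddress.ip_address(s.ip)
                if not any(addr in n for n in nets):
                    reasons.append("source outside admin networks")
            except ValueError:
                reasons.append("unparseable source address")
        if not (work_hours[0] <= s.date.hour < work_hours[1]):
            reasons.append("off-hours login")
        if reasons:
            findings.append((s, reasons))
    return findings


if __name__ == "__main__":
    parsed = parse_user_info(SAMPLE_USER_INFO)
    for session, reasons in flag_suspicious(parsed, ["10.10.5.0/24"]):
        print(f"{session.date:%Y-%m-%d %H:%M} {session.name} {session.terminal} "
              f"{session.ip}: {', '.join(reasons)}")
```

In the sample, only the root login at 02:37 from 203.0.113.44 is flagged, on both counts; the console login carries no source address and is judged on time alone. Tune the networks and hours to the environment being investigated, and treat a hit as a lead to corroborate, not a conclusion.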