# Environment Variables

## Overview

**Evidence:** Environment Variables\
**Description:** ESXi Environment Variables\
**Category:** System\
**Platform:** esxi\
**Short Name:** envvar\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Environment variables in ESXi control process execution contexts, system paths, configuration locations, and runtime behavior. Attackers may inject malicious paths, proxy settings, or library preloads via environment variables to enable persistence or hijack system processes.

## Data Collected

This collector gathers structured data about environment variables.

### Environment Variables Data

| Field                  | Description           | Example                   |
| ---------------------- | --------------------- | ------------------------- |
| `AccessTime`           | Access Time           | 2023-10-15 14:30:25+03:00 |
| `AccessCount`          | Access Count          | 123                       |
| `URL`                  | URL                   | Example value             |
| `Browser`              | Browser               | Example value             |
| `Title`                | Title                 | Example value             |
| `VisitDuration`        | Visit Duration        | Example value             |
| `Referrer`             | Referrer              | Example value             |
| `TypedCount`           | Typed Count           | 123                       |
| `IsHidden`             | Is Hidden             | true                      |
| `TransitionType`       | Transition Type       | Example value             |
| `VisitID`              | Visit ID              | 123                       |
| `TransitionQualifiers` | Transition Qualifiers | Example value             |
| `User`                 | User                  | Example value             |
| `Profile`              | Profile               | Example value             |
| `HistoryFilePath`      | History File Path     | Example value             |

## Collection Method

This collector parses system environment variables, extracting variable names and their assigned values from the ESXi shell environment and system-wide configuration contexts.

## Forensic Value

Environment variable analysis reveals configuration tampering, malicious `PATH` manipulations, suspicious `LD_PRELOAD` entries, unauthorized proxy configurations, and other environment-based persistence mechanisms. Comparing against baselines identifies unauthorized modifications that enable privilege escalation or process hijacking.
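The baseline comparison described above can be sketched as follows. This is an added example, not the collector's own code: it assumes the variables are available as `NAME=value` lines, and the rule labels, the temp-directory list and all sample values are constructed for illustration.

```python
# Added example: baseline comparison for collected environment variables.
# Rule labels and all sample values are constructed for illustration.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}
PROXY_VARS = {"http_proxy", "https_proxy", "ftp_proxy", "all_proxy"}
SEARCH_PATH_VARS = {"PATH", "LD_LIBRARY_PATH"}
TEMP_DIRS = ("/tmp", "/var/tmp")  # assumed list of scratch locations

def parse_env(text):
    """Parse NAME=value lines (the format printed by `env`) into a dict."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")  # split on the first '=' only
        if sep and name.strip():
            env[name.strip()] = value
    return env

def search_path_findings(name, value):
    """Flag relative, empty or temp-directory entries in a ':'-separated list."""
    found = []
    for entry in value.split(":"):
        if not entry.startswith("/"):
            found.append((name, "relative-path-entry", entry or "<empty>"))
        elif any(entry == d or entry.startswith(d + "/") for d in TEMP_DIRS):
            found.append((name, "temp-dir-path-entry", entry))
    return found

def triage(baseline, collected):
    """Return (variable, rule, value) tuples for deviations from the baseline."""
    findings = []
    for name, value in sorted(collected.items()):
        if baseline.get(name) != value:
            if name in LOADER_VARS:
                rule = "loader-override"
            elif name.lower() in PROXY_VARS:
                rule = "proxy-change"
            else:
                rule = "new-variable" if name not in baseline else "value-changed"
            findings.append((name, rule, value))
        if name in SEARCH_PATH_VARS:
            findings.extend(search_path_findings(name, value))
    for name in sorted(set(baseline) - set(collected)):
        findings.append((name, "removed", baseline[name]))
    return findings

BASELINE = parse_env("PATH=/bin:/sbin\nHOME=/\nTERM=xterm\n")
COLLECTED = parse_env("PATH=/tmp/.x:/bin:/sbin\nHOME=/\nTERM=xterm\n"
                      "LD_PRELOAD=/tmp/libhook.so\nhttp_proxy=http://192.0.2.10:3128\n")

if __name__ == "__main__":
    for finding in triage(BASELINE, COLLECTED):
        print(*finding, sep="\t")
```

A variable that matches the baseline can still be flagged: search-path checks run on the current value regardless, so a risky entry that was already present when the baseline was taken is not silently accepted.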
