# Module List

## Overview

**Evidence:** Module List\
**Description:** List ESXi Modules\
**Category:** System\
**Platform:** esxi\
**Short Name:** modlist\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

ESXi kernel modules extend hypervisor functionality with device drivers, storage adapters, and system services. Loaded modules represent active kernel components and can include malicious kernel-mode rootkits or unauthorized driver installations that compromise hypervisor security.

## Data Collected

This collector gathers structured data about the loaded ESXi kernel modules.

### Module List Data

| Field                  | Description           | Example                   |
| ---------------------- | --------------------- | ------------------------- |
| `AccessTime`           | Access Time           | 2023-10-15 14:30:25+03:00 |
| `AccessCount`          | Access Count          | 123                       |
| `URL`                  | URL                   | Example value             |
| `Browser`              | Browser               | Example value             |
| `Title`                | Title                 | Example value             |
| `VisitDuration`        | Visit Duration        | Example value             |
| `Referrer`             | Referrer              | Example value             |
| `TypedCount`           | Typed Count           | 123                       |
| `IsHidden`             | Is Hidden             | true                      |
| `TransitionType`       | Transition Type       | Example value             |
| `VisitID`              | Visit ID              | 123                       |
| `TransitionQualifiers` | Transition Qualifiers | Example value             |
| `User`                 | User                  | Example value             |
| `Profile`              | Profile               | Example value             |
| `HistoryFilePath`      | History File Path     | Example value             |

## Collection Method

This collector parses loaded kernel module information, extracting module names, descriptions, versions, vendor information, license types, load addresses, module sizes, and dependency relationships for each currently loaded VMkernel module.

## Forensic Value

Module analysis reveals unauthorized kernel extensions, detects known malicious modules, validates driver integrity, and identifies unsigned or suspicious kernel components. Comparing module lists against baselines helps discover rootkits, backdoors, or compromised drivers that operate at the highest privilege level.
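The baseline comparison described above, sketched as an added example (not code from the collector or its vendor). The field names `name`, `version`, `vendor`, `license` and `size` are assumptions based on the attributes listed under Collection Method, and every record is constructed sample data.

```python
# Added example. Field names and all sample records are constructed for
# illustration; they are not the collector's actual output schema.

# Attributes compared for modules present in both lists (assumed field names).
COMPARED = ("version", "vendor", "license", "size")

def diff_modules(baseline, current):
    """Return modules added, removed, or changed relative to the baseline."""
    base = {m["name"]: m for m in baseline}
    cur = {m["name"]: m for m in current}
    changed = {}
    for name in sorted(base.keys() & cur.keys()):
        delta = {
            field: (base[name].get(field), cur[name].get(field))
            for field in COMPARED
            if base[name].get(field) != cur[name].get(field)
        }
        if delta:
            changed[name] = delta
    return {
        "added": sorted(cur.keys() - base.keys()),      # loaded now, absent from baseline
        "removed": sorted(base.keys() - cur.keys()),    # in baseline, no longer loaded
        "changed": changed,                             # same name, different attributes
    }

# Constructed known-good baseline taken from a trusted host build.
BASELINE = [
    {"name": "storage_drv", "version": "1.2.0", "vendor": "VendorA", "license": "VendorA", "size": 81920},
    {"name": "net_drv", "version": "4.0.1", "vendor": "VendorB", "license": "VendorB", "size": 147456},
    {"name": "audit_mod", "version": "2.1.0", "vendor": "VendorA", "license": "VendorA", "size": 32768},
]
# Constructed module list from the host under investigation.
CURRENT = [
    {"name": "storage_drv", "version": "1.2.0", "vendor": "VendorA", "license": "VendorA", "size": 81920},
    {"name": "net_drv", "version": "4.0.1", "vendor": "VendorB", "license": "VendorB", "size": 151552},
    {"name": "unknown_mod", "version": "0.1", "vendor": "", "license": "", "size": 20480},
]

if __name__ == "__main__":
    report = diff_modules(BASELINE, CURRENT)
    for name in report["added"]:
        print(f"ADDED    {name}")
    for name in report["removed"]:
        print(f"REMOVED  {name}")
    for name, delta in report["changed"].items():
        for field, (old, new) in delta.items():
            print(f"CHANGED  {name}: {field} {old!r} -> {new!r}")
```

In the sample, `net_drv` keeps its version string while its size differs, which is drift a name-and-version comparison alone would not surface.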
