Full Report: Memory Scanning for the Masses
Authors: Axel Boesenach and Erik Schamper
In this blog post we will go into a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning. We will give an overview of how this library works, share the thought process and the whys. This blog post will …
Analysis Summary
# Tool/Technique: Skrapa
## Overview
Skrapa is a user-friendly Python library developed by Fox-IT for efficient memory scanning. It was created to address the time-consuming nature of pattern searching in process memory by leveraging memory attributes (permissions) to filter and target specific regions. While designed as a detection and forensics tool, its capabilities mirror techniques used in credential access and malware analysis.
## Technical Details
- **Type:** Tool (Memory Scanning/Forensic Library)
- **Platform:** Windows, Linux
- **Capabilities:** Memory attribute filtering, YARA integration, Regex support, process targeting.
- **First Seen:** January 25, 2024 (Official Release)
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - [T1057 - Process Discovery]
- **[TA0006 - Credential Access]**
  - [T1003 - OS Credential Dumping]
    - [T1003.001 - LSASS Memory]
- **[TA0040 - Impact]**
  - [T1497.001 - System Semantics Check] (Identifying implants via memory artifacts)
## Functionality
### Core Capabilities
- **Attribute Filtering:** Speeds up scans by only inspecting memory regions with specific permissions (Read, Write, Execute).
- **Targeted Scanning:** Ability to scan all process memory or filter by specific process names and Process Identifiers (PIDs).
- **Pattern Matching:** Native support for Regular Expressions (Regex) and YARA rules to identify specific byte sequences.
### Advanced Features
- **User Callback Functions:** Allows developers to define custom Python routines that execute automatically when specific conditions or patterns are met during a scan.
- **Extensible API:** Designed to be integrated into larger security automation frameworks or custom incident response scripts.
- **Cross-Platform Compatibility:** Unified interface for interacting with memory management structures on both Windows and Linux.
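As an added illustration of the attribute-filtering and callback ideas above (example code written for this summary, not Skrapa's own code or API): it parses constructed `/proc/<pid>/maps` text, keeps only regions whose permission bits match the requested attributes, and regex-scans a constructed byte buffer standing in for the region's memory, invoking a user callback per hit. The `Region` record, function names and sample data are this example's own assumptions.

```python
import re
from collections import namedtuple
# Hypothetical region record; the field names are this example's own, not Skrapa's API.
Region = namedtuple("Region", "start end perms path")
# Constructed sample of /proc/<pid>/maps output (addresses and paths are made up).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example
7f3c1a000000-7f3c1a021000 rwxp 00000000 00:00 0
7f3c1a021000-7f3c1a200000 ---p 00000000 00:00 0
7ffd2e3f0000-7ffd2e411000 rw-p 00000000 00:00 0 [stack]
"""
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

def parse_maps(text):
    """Parse /proc/<pid>/maps text into Region records, one per mapping line."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            start, end, perms, path = m.groups()
            regions.append(Region(int(start, 16), int(end, 16), perms, path))
    return regions

def filter_regions(regions, readable=None, writable=None, executable=None, private=None):
    """Attribute filtering: keep only regions whose 'rwxp'-style permission string matches
    every requested attribute (None = don't care), so the rest are never read or scanned."""
    wanted = (readable, writable, executable, private)
    def ok(p):
        actual = (p[0] == "r", p[1] == "w", p[2] == "x", p[3] == "p")
        return all(w is None or w == a for w, a in zip(wanted, actual))
    return [r for r in regions if ok(r.perms)]

def scan_region(region, data, pattern, on_match=None):
    """Regex-scan one region's bytes; return absolute hit addresses and call on_match per hit."""
    hits = []
    for m in re.finditer(pattern, data):
        addr = region.start + m.start()
        hits.append(addr)
        if on_match is not None:
            on_match(region, addr, m.group(0))
    return hits

def demo():
    """Constructed run: private RWX regions only, looking for an 'MZ' header stub in them."""
    found = []
    targets = filter_regions(parse_maps(SAMPLE_MAPS), writable=True, executable=True, private=True)
    fake_memory = b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 8  # stands in for /proc/<pid>/mem bytes
    for r in targets:
        scan_region(r, fake_memory, rb"MZ\x90\x00", on_match=lambda reg, addr, _m: found.append(hex(addr)))
    return found
```

On a live system the constructed buffer would be replaced by the bytes read from the region's offsets in `/proc/<pid>/mem`, which is exactly the read that attribute filtering avoids for regions that do not match.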
## Indicators of Compromise
*Note: As Skrapa is a legitimate security tool, its "IOCs" refer to its presence during an investigation or potential unauthorized use by an actor.*
- **File Names:** `skrapa` (Python package name)
- **Source Repository:** `https://github[.]com/fox-it/skrapa`
- **Behavioral Indicators:**
  - Frequent calls to `VirtualQueryEx` or `OpenProcess` with `PROCESS_QUERY_INFORMATION` and `PROCESS_VM_READ` access rights on Windows.
  - Accessing `/proc/[pid]/maps` and `/proc/[pid]/mem` on Linux systems.
## Associated Threat Actors
- **Fox-IT (Creators):** Used for defensive operations and incident response.
- **General Incident Responders:** Utilized for identifying Cobalt Strike beacons and other memory-resident implants.
## Detection Methods
- **Behavioral Detection:** Monitor for processes attempting to access the memory of sensitive processes (like `lsass.exe`) that are not recognized security tools.
- **API Monitoring:** Watch for high-frequency calls to memory enumeration APIs (e.g., iterating through memory regions of multiple processes).
- **YARA Rules:** Security teams can write YARA rules to detect the Skrapa library itself if it is bundled into a malicious toolkit.
## Mitigation Strategies
- **Least Privilege:** Restrict administrative privileges so that unauthorized processes cannot obtain `SeDebugPrivilege` (Windows), which is required to read the memory of other processes.
- **PPL (Protected Process Light):** Enable Configurable Code Integrity and LSA Protection to prevent memory reading of the LSASS process.
- **EDR Monitoring:** Deploy Endpoint Detection and Response tools to alert on suspicious memory scanning patterns.
## Related Tools/Techniques
- **[Cobalt Strike]**: Skrapa is specifically optimized to detect Cobalt Strike beacons by filtering for specific memory attributes (e.g., private ERW regions).
- **[Volatility Framework]**: A more comprehensive memory forensics framework.
- **[Process Hacker/System Informer]**: GUI-based tools that allow for similar memory region inspection.