Full Report
Authors: Axel Boesenach and Erik Schamper In this blog post we will go into a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning. We will give an overview of how this library works, share the thought process and the why’s. This blog post will … Continue reading Memory Scanning for the Masses →
Analysis Summary
# Tool/Technique: Skrapa
## Overview
Skrapa is a user-friendly, open-source Python library designed to provide greater control and efficiency during system memory scanning. Its primary purpose is to speed up the often time-consuming process of searching through process memory for specific patterns (like malware traces, credentials, or cryptographic material) by leveraging known memory attributes for filtering.
## Technical Details
- Type: Tool (Python Library)
- Platform: Linux and Microsoft Windows
- Capabilities: Configurable memory scanning, filtering based on memory attributes, support for Regex and YARA rules, and extensible via user callback functions.
- First Seen: January 25, 2024 (Publication Date)
## MITRE ATT&CK Mapping
The primary focus of this tool relates to discovery and credential access techniques by actively inspecting running processes' memory.
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (If used to circumvent less granular detection mechanisms)
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping
- T1003.001 - LSASS Memory
- **TA0007 - Discovery**
- T1057 - Process Discovery
- T1082 - System Information Discovery (By inspecting process memory space)
## Functionality
### Core Capabilities
* **Configurable Scanning:** Ability to scan all process memory, target specific processes by name, or target processes by Process Identifier (PID).
* **Pattern Matching:** Supports searching for patterns using Regular Expressions (Regex) and YARA rules.
* **Attribute-Based Filtering:** A core innovation is the ability to filter memory regions based on their security attributes (Read, Write, Execute permissions) before beginning pattern matching, significantly improving scan speed.
### Advanced Features
* **User Callbacks:** Allows users to define custom Python functions that execute routines when user-specified conditions (patterns found) are met during the scan.
* **Extensible API:** Designed to be easily incorporated into larger projects and scripts due to its accessible Application Programming Interface (API).
## Indicators of Compromise
Since Skrapa is a legitimate analysis tool, IoCs are tied to its usage context rather than the tool itself being malware.
- File Hashes: N/A (Tool distribution link is GitHub)
- File Names: N/A (Library structure)
- Registry Keys: N/A
- Network Indicators: N/A (It is a local scanning tool; connectivity is not inherent to its function, though it could be used to search for network indicators found in memory.)
- Behavioral Indicators: Unexpected memory scanning activity across multiple processes, especially targeting memory regions with specific protection flags (e.g., Executable + Read + Write).
## Associated Threat Actors
The tool is presented as an internal development by Fox-IT (Fox-SRT team) for advanced threat hunting and incident response, intended for security professionals. It is generally not associated with malicious threat actors; however, the *techniques* it leverages (memory scanning) are common among threat actors.
## Detection Methods
Detection focuses on the activity of using memory scanning tools, rather than signatures for the library itself.
- Signature-based detection: Not applicable unless specific scripts incorporating Skrapa are deployed.
- Behavioral detection: Monitoring for rapid, systematic iteration and mapping of process memory regions, especially targeting sensitive processes like `lsass.exe` or processes known to host implants (e.g., DLL injection targets).
- YARA rules: While Skrapa *uses* YARA rules for pattern matching, security systems can use YARA rules to detect common adversary artifacts *found* within the memory images generated by tools like Skrapa.
## Mitigation Strategies
Mitigation focuses on reducing the attack surface and hardening memory accessibility rather than blocking the use of a general-purpose Python library.
- Prevention measures: Implement robust application control policies to restrict execution of unknown Python scripts or unauthorized tools.
- Hardening recommendations: Reduce the privileges of running processes wherever possible (Principle of Least Privilege) to limit the scope of accessible memory regions. Use modern operating system features that enhance memory isolation.
## Related Tools/Techniques
* **Volatility Framework:** A leading framework for memory forensics and analysis, which heavily relies on analyzing memory attributes and regions, similar in conceptual goals but broader in scope.
* **Standard Windows APIs:** The underlying concepts are derived from Windows API calls like `VirtualAlloc` and constants related to memory protection.
* **Cobalt Strike Beacons:** The article explicitly mentions utilizing knowledge of Cobalt Strike beacon memory attributes to optimize scanning.