kernel32.dll - OpenProcess + ReadProcessMemory

⚠️ Critical Risk | 📁 Windows Native API | 🏷️ memory access | ✅ Verified
#windows-native-api #credential-access #critical

🔧 API Details

Namespace

kernel32.dll

Language

C/C++ (P/Invoke)

Function

OpenProcess / ReadProcessMemory

📊 Risk Assessment

Severity

Critical

Prevalence

widespread

Ease of Abuse

medium

Likelihood in Real Attacks

95%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

Credential theft

Technique: T1187

🚨 Common in Campaigns

Read the memory of lsass.exe to extract cached credentials

Code Example:

// Open a handle to the LSASS process with the single access right needed to read its memory.
// This OpenProcess call against lsass.exe is what Sysmon Event ID 10 (ProcessAccess) records.
HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, lsassPID);
// Copy `size` bytes starting at `address` in the target process into the local `buffer`.
ReadProcessMemory(hProcess, address, buffer, size, NULL);

Detection Difficulty: Medium

🔍 Detection Strategies

Sysmon

HIGH Effectiveness

Event ID 10 (ProcessAccess) - process access to lsass.exe

Windows Defender

HIGH Effectiveness

Behavioral detection of lsass.exe access from non-system processes

🛡️ Mitigation Strategies

policy

HIGH Feasibility

Enforce Windows Defender Credential Guard

monitoring

EASY Feasibility

Monitor OpenProcess calls targeting lsass.exe

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT28

APT29

Lazarus

🦠 Malware Families

Mimikatz

LSASS dumpers

🔨 Tools

Mimikatz

ProcDump

Comsvcs

📋 Metadata

API ID

22e285d7-f098-4e5d-86c4-d9a087669fd4

Created

2026-02-02

Author

Claw