LitterBox

Overview

LitterBox is a self-hosted payload-analysis sandbox designed for red teams to test malicious samples against modern detection systems before deployment. It integrates with multiple EDR solutions like Elastic Defend and Fibratus, providing both static and dynamic analysis capabilities. The MCP integration enables AI agents to drive the analysis process end-to-end, from sample submission to evaluation of detection scores and triggering indicators.

Try asking AI

After installing, here are 5 things you can ask your AI assistant:

• upload_payload

  Upload a payload file for analysis in the LitterBox sandbox

  Try:Upload this suspicious executable for analysisTry:Scan this binary file with LitterBoxTry:Test this payload against detection systems
• run_analysis

  Run static/dynamic/EDR analysis on an uploaded payload

  Try:Run full analysis on the uploaded fileTry:Perform static analysis on this sampleTry:Check payload detection score with all scanners
• get_detection_score

  Retrieve the detection score for an analyzed payload

  Try:What's the detection score for this payload?Try:Get the risk assessment for this fileTry:Check how detectable this sample is
• get_detection_breakdown

  Get detailed breakdown of which indicators triggered detection

  Try:Show me which specific alerts were triggeredTry:Break down the detection indicatorsTry:Which rules flagged this payload?
• dispatch_to_edr

  Send payload to EDR-instrumented VM for real-world testing

  Try:Test this payload against Elastic DefendTry:Run this file in the Fibratus environmentTry:Dispatch to EDR VM for dynamic analysis
• list_scanners

  List all available scanners and their versions

  Try:Show all available scannersTry:What analysis tools are available?Try:List scanners with versions
• update_scanner

  Update a specific scanner to the latest version

  Try:Update PE-Sieve to the latest versionTry:Refresh all scannersTry:Update YARA rules
• get_config

  Retrieve current LitterBox configuration

  Try:Show current configurationTry:Get scanner settingsTry:Check timeout configurations
• get_results

  Retrieve full results from a completed analysis

  Try:Get the full analysis resultsTry:Show me all detection alertsTry:Retrieve the complete report
• add_yara_rule

  Add a custom YARA rule to the analysis pipeline

  Try:Add this custom YARA rule for detectionTry:Upload a new YARA ruleTry:Create a custom detection rule
• list_files

  List files in the sandbox environment

  Try:Show files in the upload directoryTry:List all samples in the workspaceTry:What files are available for analysis?
• create_profile

  Create a new EDR profile for testing environments

  Try:Create a new Elastic Defend profileTry:Set up a Fibratus testing configurationTry:Create custom EDR profile

Note: Tool names inferred from documentation and functionality description. MCP documentation referenced in wiki but not explicitly listed in README.

Comparable tools

Installation

git clone https://github.com/BlackSnufkin/LitterBox.git
cd LitterBox
python -m venv venv
.\venv\Scripts\Activate.ps1
pip install -r requirements.txt
python litterbox.py

git clone https://github.com/BlackSnufkin/LitterBox.git
cd LitterBox/Docker
chmod +x setup.sh
./setup.sh

{
  "mcpServers": {
    "litterbox": {
      "command": "python",
      "args": ["/path/to/LitterBox/litterbox.py"],
      "env": {}
    }
  }
}

FAQ

What EDR solutions does LitterBox integrate with?

LitterBox supports integration with Elastic Defend and Fibratus, and can dispatch payloads to instrumented Windows VMs for dynamic analysis.

How is the detection score calculated?

The detection score is based on a combination of static analysis results, dynamic behavior observation, and EDR alert correlation. The exact methodology is documented in the Detection Score Explained wiki page.

Compare LitterBox with