A self-hosted payload-analysis sandbox for red teams. Upload a sample, run static / dynamic / EDR analysis against it, get a Detection Score and a triggering-indicators breakdown — decide whether the payload is field-ready before it leaves the lab.
LitterBox can also dispatch payloads to a separate EDR-instrumented Windows VM (Elastic Defend or Fibratus) and pull the correlated detection alerts back into the results page.
While designed primarily for red teams, LitterBox is equally useful for blue teams running the same tools in their malware-analysis workflows.
Operator and developer documentation lives in the LitterBox Wiki.
| Topic | Wiki page |
|---|---|
| How everything fits together | Application Architecture |
| Run static + every reachable EDR in parallel | All in One Pipeline |
| Dispatch payloads to a real EDR VM | EDR Integration → Elastic Defend / Fibratus |
| Whiskers agent (install, endpoints, build) | Whiskers Agent |
| Every HTTP endpoint | HTTP API Reference |
| CLI / Python lib / MCP for LLMs | GrumpyCats CLI · GrumpyCats Library · LitterBoxMCP |
| What feeds the Detection Score | Detection Score Explained |
| Configure scanners / paths / timeouts | Configuration Reference |
| Add custom YARA rules / scanners | YARA Rules Management · New Scanner |

```powershell
git clone https://github.com/BlackSnufkin/LitterBox.git
cd LitterBox
python -m venv venv
.\venv\Scripts\Activate.ps1
pip install -r requirements.txt
python litterbox.py  # add --debug for verbose logging
```

Open http://127.0.0.1:1337. Requires Python 3.11+ and an admin shell.

```bash
git clone https://github.com/BlackSnufkin/LitterBox.git
cd LitterBox/Docker
chmod +x setup.sh
./setup.sh
```

The setup script provisions a Windows 10 container with KVM and runs LitterBox inside. Initial build takes ~1 hour.
- Install monitor: `http://localhost:8006`
- RDP: `localhost:3389` (creds in the docker compose file)
- LitterBox UI: `http://127.0.0.1:1337` once setup completes
Drop one or more profile YAMLs under Config/edr_profiles/ and the upload page picks them up at boot. Full walkthroughs in the wiki: Whiskers Agent → Elastic Defend Setup or Fibratus Setup.
See CONTRIBUTING.md. Work in feature branches on personal forks.
- Development use only. This platform is designed for testing environments. Production deployment presents significant security risks.
- Isolation required. Run only in isolated VMs or dedicated testing environments.
- No warranty. Provided without guarantees; use at your own risk.
- Legal compliance. Users are responsible for ensuring usage complies with applicable laws.
LitterBox stands on the work of these projects and their authors:
| Tool | Author |
|---|---|
| YARA rules · Elastic Defend | Elastic Security |
| PE-Sieve · Hollows-Hunter | hasherezade |
| Moneta | Forrest Orr |
| Patriot | joe-desimone |
| Hunt-Sleeping-Beacons | thefLink |
| RedEdr | dobin |
| Fibratus | rabbitstack |
| ThreatCheck (basis for CheckPlz) | rasta-mouse |
| MalAPI reference DB | mr.d0x |


