# LitterBox — Self-Hosted Payload Sandbox (MCP)

> LitterBox is a self-hosted payload-analysis sandbox: upload a sample, run static, dynamic and EDR analysis, and review a Detection Score before it leaves the lab.

## Install

Merge the JSON below into your `.mcp.json`:

## Quick Use

```bash
git clone https://github.com/BlackSnufkin/LitterBox.git

# Windows (Python 3.11+)
cd LitterBox
python -m venv venv
venv\Scripts\activate      # activate the venv first, otherwise pip installs into the system Python
pip install -r requirements.txt
python litterbox.py

# Linux (Docker): see LitterBox/Docker/setup.sh
```

## Intro

LitterBox is a self-hosted payload-analysis sandbox: upload a sample, run static, dynamic and EDR analysis, and review the Detection Score and the indicators that triggered it before the sample leaves the lab.

- **Best for:** Red and blue teams who need a repeatable lab sandbox to measure detection before live engagements
- **Works with:** Python 3.11+; Windows and Docker (Linux); optional EDR profiles; an MCP integration documented on the project wiki (per README)
- **Setup time:** 30–90 minutes (the first Docker build can take about an hour)

## Practical Notes

- GitHub: 1,416 stars · 161 forks; last pushed 2026-05-05 (verified via the GitHub API).
- The README states that the Docker setup provisions a Windows 10 container with KVM and exposes the UI at `http://127.0.0.1:1337`.
- The README lists the bundled scanners with versions and dates (e.g., PE-Sieve 0.4.1.2, updated 2026-05-02; Elastic YARA rules at commit `d131ea8`).

## Main

If you use LitterBox in a real workflow, keep it disciplined:

1. Treat it as a **staging gate**: every payload passes the same pipeline before it leaves the lab; nothing is waved through on judgement alone.
2. Keep EDR profiles and scanner versions under change control; the README's scanner table (versions and dates) makes drift visible, and a score taken on a drifted scanner set is not comparable with earlier runs.
3. Use the results to decide between:
   - *rewrite/refactor* (reduce detections)
   - *environmental changes* (different execution context)
   - *abandon* (too risky)
4. Run it isolated. The README's advisory calls out VM isolation and "development use only".

Even if you never use the MCP path, the "Detection Score + indicators breakdown" framing is a strong way to standardize review discussions.
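One way to turn items 1 to 3 into a script, as an added example that is not part of this page or of the LitterBox project: every result goes through the same gate, a result produced on a scanner set that differs from the pinned one is refused rather than compared, and inside the gate band the indicator breakdown decides between rewrite and a change of execution context. The result layout (`detection_score`, `scanners`, `indicators` with a `stage` field), the thresholds, the file names and the indicator names are assumptions made for this example; LitterBox's real output format is not shown on the page. The pinned versions are the ones the page quotes from the README's scanner table.

```python
"""Staging-gate helper over LitterBox-style results.

Added example, not LitterBox's own code. The result layout below is an
assumption for this illustration (LitterBox's real format is not on the page):
  "sample":           file name
  "detection_score":  int, 0-100, higher means more detections
  "scanners":         {scanner name: version or rules commit}
  "indicators":       [{"name": ..., "stage": "static" | "dynamic", "scanner": ...}]
Thresholds and sample results are constructed, not measured.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    BLOCKED = "blocked"            # scanner set drifted from the pinned one: rerun, do not compare
    SHIP = "ship"                  # under the gate threshold: may leave the lab
    REWRITE = "rewrite"            # static hits present: refactor to reduce detections
    REENV = "change-environment"   # runtime/EDR hits only: try a different execution context
    ABANDON = "abandon"            # too risky


# Pinned scanner set, using the versions the page quotes from the README's scanner table.
PINNED_SCANNERS = {"PE-Sieve": "0.4.1.2", "Elastic YARA": "d131ea8"}

# Gate thresholds: assumed for this example, not LitterBox defaults.
GATE_SCORE = 40      # at or above: needs rework before it leaves the lab
ABANDON_SCORE = 80   # at or above: drop the payload


@dataclass
class Decision:
    verdict: Verdict
    reasons: list = field(default_factory=list)


def scanner_drift(reported: dict, pinned: dict = PINNED_SCANNERS) -> dict:
    """Map each pinned scanner whose reported version is missing or different to (pinned, reported)."""
    return {name: (want, reported.get(name))
            for name, want in pinned.items() if reported.get(name) != want}


def gate(result: dict, pinned: dict = PINNED_SCANNERS) -> Decision:
    """Run one result through the same gate every payload gets."""
    drift = scanner_drift(result.get("scanners", {}), pinned)
    if drift:
        # A score from a drifted scanner set is not comparable with earlier runs.
        return Decision(Verdict.BLOCKED,
                        [f"{name}: pinned {want}, result from {got}" for name, (want, got) in drift.items()])

    score = result["detection_score"]
    if score >= ABANDON_SCORE:
        return Decision(Verdict.ABANDON, [f"detection_score {score} >= {ABANDON_SCORE}"])
    if score < GATE_SCORE:
        return Decision(Verdict.SHIP, [f"detection_score {score} < {GATE_SCORE}"])

    # Inside the gate band the indicator breakdown picks the kind of rework:
    # any static hit means the file itself must change; runtime-only hits
    # suggest trying another execution context first.
    indicators = result.get("indicators", [])
    static = sorted(i["name"] for i in indicators if i["stage"] == "static")
    if static:
        return Decision(Verdict.REWRITE, [f"static indicators: {', '.join(static)}"])
    dynamic = sorted(i["name"] for i in indicators)
    return Decision(Verdict.REENV, [f"runtime-only indicators: {', '.join(dynamic)}"])


def run_gate(results: list, pinned: dict = PINNED_SCANNERS) -> dict:
    """Gate a batch and return {sample: verdict string}, e.g. for a review table."""
    return {r["sample"]: gate(r, pinned).verdict.value for r in results}


# Constructed results for five hypothetical builds (file and indicator names are made up).
CURRENT_SCANNERS = {"PE-Sieve": "0.4.1.2", "Elastic YARA": "d131ea8"}
SAMPLE_RESULTS = [
    {"sample": "loader_v1.exe", "detection_score": 12, "scanners": CURRENT_SCANNERS, "indicators": []},
    {"sample": "loader_v2.exe", "detection_score": 55, "scanners": CURRENT_SCANNERS,
     "indicators": [{"name": "yara:suspicious_api_strings", "stage": "static", "scanner": "Elastic YARA"},
                    {"name": "pe-sieve:hollowed_module", "stage": "dynamic", "scanner": "PE-Sieve"}]},
    {"sample": "loader_v3.exe", "detection_score": 48, "scanners": CURRENT_SCANNERS,
     "indicators": [{"name": "pe-sieve:implanted_shellcode", "stage": "dynamic", "scanner": "PE-Sieve"}]},
    {"sample": "loader_v4.exe", "detection_score": 91, "scanners": CURRENT_SCANNERS,
     "indicators": [{"name": "yara:known_loader_family", "stage": "static", "scanner": "Elastic YARA"}]},
    # Scanned on an older (hypothetical) PE-Sieve build: the low score must not be trusted.
    {"sample": "loader_old.exe", "detection_score": 5,
     "scanners": {"PE-Sieve": "0.3.9", "Elastic YARA": "d131ea8"}, "indicators": []},
]

if __name__ == "__main__":
    for sample, verdict in run_gate(SAMPLE_RESULTS).items():
        print(f"{sample:16} {verdict}")
```

The drift check runs before the score is even read: once PE-Sieve or the YARA rule set is bumped, the pinned table is updated under change control and every earlier result is re-run rather than reused, which is the practical meaning of item 2.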
### FAQ

**Q: Is this safe to run on a workstation?**
A: Only in isolated environments. The README warns against production use and recommends a VM or dedicated lab setup.

**Q: Where do EDR profiles live?**
A: The README says to drop YAML profiles under `Config/edr_profiles/`; the upload page picks them up at boot.

**Q: Does it support MCP?**
A: The README links to a wiki page named `LitterBoxMCP` from its documentation table.

## Source & Thanks

> Source: https://github.com/BlackSnufkin/LitterBox
> License: GPL-3.0
> GitHub stars: 1,416 · forks: 161

---

Source: https://tokrepo.com/en/workflows/litterbox-self-hosted-payload-sandbox-mcp
Author: MCP Hub