playbooks

home / skills / a5c-ai / babysitter / security-sandbox

security-sandbox skill

/plugins/babysitter/skills/babysit/process/specializations/security-research/skills/security-sandbox

This skill helps you safely create and manage isolated analysis environments for malware research, capturing changes and preserving evidence.

npx playbooks add skill a5c-ai/babysitter --skill security-sandbox

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
12.3 KB
---
name: security-sandbox
description: Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.
allowed-tools: Bash(*) Read Write Edit Glob Grep WebFetch
metadata:
  author: babysitter-sdk
  version: "1.0.0"
  category: analysis-environment
  backlog-id: SK-008
---

# security-sandbox

You are **security-sandbox** - a specialized skill for isolated analysis environment management, providing capabilities for safe malware analysis, exploit testing, and dynamic security research.

## Overview

This skill enables AI-powered sandbox operations including:
- Creating and managing isolated virtual machines
- Configuring Cuckoo Sandbox for automated malware analysis
- Setting up REMnux and FlareVM analysis environments
- Managing Docker-based analysis containers
- Configuring network isolation and traffic capture
- Monitoring filesystem, registry, and process changes
- Creating and restoring environment snapshots

## Prerequisites

- **Virtualization**: VirtualBox, VMware, or KVM/QEMU
- **Cuckoo Sandbox**: Python-based automated malware analysis
- **Docker**: For containerized analysis environments
- **Network Tools**: Inetsim, FakeDNS for network simulation
- **Analysis VMs**: REMnux, FlareVM images

## IMPORTANT: Safety First

This skill is designed for authorized security research. All operations:
- Must be conducted in properly isolated environments
- Should never allow malware to escape containment
- Require careful network isolation configuration
- Must preserve evidence for forensic analysis

## Capabilities

### 1. Virtual Machine Management

Create and manage isolated analysis VMs:

```bash
# VirtualBox VM Management
# Create new analysis VM
VBoxManage createvm --name "MalwareAnalysis" --ostype "Windows10_64" --register

# Configure VM resources
VBoxManage modifyvm "MalwareAnalysis" \
  --memory 4096 \
  --cpus 2 \
  --vram 128 \
  --nic1 intnet \
  --intnet1 "analysis-net" \
  --audio none \
  --clipboard disabled \
  --draganddrop disabled

# Create snapshot for clean state
VBoxManage snapshot "MalwareAnalysis" take "clean-state" --description "Clean analysis state"

# Restore to clean state
VBoxManage snapshot "MalwareAnalysis" restore "clean-state"

# Start VM headless
VBoxManage startvm "MalwareAnalysis" --type headless

# Power off VM
VBoxManage controlvm "MalwareAnalysis" poweroff
```

### 2. Cuckoo Sandbox Configuration

Set up and manage Cuckoo Sandbox:

```bash
# Install Cuckoo
pip install cuckoo

# Initialize Cuckoo
cuckoo init

# Configure analysis machines
cuckoo community  # Download community modules
```

```ini
# ~/.cuckoo/conf/cuckoo.conf
[cuckoo]
machinery = virtualbox
memory_dump = yes
enforce_timeout = yes
max_analysis_count = 50

[resultserver]
ip = 192.168.56.1
port = 2042

[processing]
analysis_size_limit = 134217728
```

```ini
# ~/.cuckoo/conf/virtualbox.conf
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0

[analysis1]
label = MalwareAnalysis
platform = windows
ip = 192.168.56.101
snapshot = clean-state
resultserver_ip = 192.168.56.1
resultserver_port = 2042
tags = win10,64bit
```

```bash
# Submit sample for analysis
cuckoo submit /path/to/sample.exe --timeout 120 --enforce-timeout

# Start Cuckoo
cuckoo -d  # Debug mode

# Start web interface
cuckoo web runserver 0.0.0.0:8080
```

### 3. Docker Analysis Containers

Create isolated analysis containers:

```dockerfile
# Dockerfile for analysis environment
FROM remnux/remnux-distro:focal

# Install additional tools
RUN apt-get update && apt-get install -y \
    radare2 \
    yara \
    volatility3 \
    strace \
    ltrace

# Create analysis directory
WORKDIR /analysis
VOLUME /samples
VOLUME /output

# Network isolation
# Run with --network none for full isolation

ENTRYPOINT ["/bin/bash"]
```

```bash
# Build analysis container
docker build -t malware-analysis:latest .

# Run isolated container (no network)
docker run -it --rm \
  --network none \
  --memory 4g \
  --cpus 2 \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  -v /path/to/samples:/samples:ro \
  -v /path/to/output:/output:rw \
  malware-analysis:latest

# Run with host-only network for controlled internet simulation
docker run -it --rm \
  --network analysis-net \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  -v /path/to/samples:/samples:ro \
  malware-analysis:latest
```

### 4. Network Isolation and Simulation

Configure network isolation for safe analysis:

```bash
# Create isolated virtual network (VirtualBox)
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

# Set up INetSim for network simulation
sudo inetsim --config /etc/inetsim/inetsim.conf

# Start FakeDNS
fakedns -i 192.168.56.1

# Capture network traffic
tcpdump -i vboxnet0 -w /analysis/traffic.pcap

# iptables rules for isolation
sudo iptables -I FORWARD -i vboxnet0 -o eth0 -j DROP
sudo iptables -I FORWARD -i eth0 -o vboxnet0 -j DROP
```

```ini
# /etc/inetsim/inetsim.conf
service_bind_address 192.168.56.1
dns_default_ip 192.168.56.1

# Enable services
start_service dns
start_service http
start_service https
start_service smtp
start_service pop3
start_service ftp
```

### 5. REMnux Analysis Environment

Set up REMnux for malware analysis:

```bash
# Install REMnux on Ubuntu
wget https://REMnux.org/remnux-cli
chmod +x remnux-cli
sudo mv remnux-cli /usr/local/bin/remnux
sudo remnux install

# Key REMnux tools
# Static analysis
peframe malware.exe
pescanner malware.exe
pdfid suspicious.pdf
oledump.py document.doc

# Dynamic analysis
procmon  # Process monitor
regmon   # Registry monitor
fakenet  # Network simulation

# Memory analysis
vol.py -f memory.dmp imageinfo
vol.py -f memory.dmp --profile=Win10x64 pslist
```

### 6. FlareVM for Windows Analysis

Configure FlareVM analysis environment:

```powershell
# Install FlareVM (run in elevated PowerShell)
Set-ExecutionPolicy Bypass -Scope Process -Force

# Download and run installer
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1'))

# Key FlareVM tools
# PE Analysis
pestudio.exe malware.exe
die.exe malware.exe  # Detect It Easy
cffexplorer.exe malware.exe

# Debugging
x64dbg.exe
windbg.exe

# Network
wireshark.exe
fakenet-ng.exe

# Decompilation
ghidra.exe
ida64.exe
```

### 7. Process and Filesystem Monitoring

Monitor changes during analysis:

```bash
# Linux - Monitor with sysdig
sysdig -c spy_users

# Monitor file changes
inotifywait -m -r /home/analysis --format '%w%f %e' -e modify,create,delete

# Process monitoring
procmon &
strace -f -o /output/syscalls.log ./sample

# Registry monitoring (Windows via wine)
wine reg export HKLM /output/hklm_before.reg
# ... run sample ...
wine reg export HKLM /output/hklm_after.reg
diff hklm_before.reg hklm_after.reg
```

### 8. Snapshot Management

Create and manage analysis snapshots:

```bash
# VirtualBox snapshots
VBoxManage snapshot "AnalysisVM" take "pre-analysis-$(date +%Y%m%d-%H%M%S)"
VBoxManage snapshot "AnalysisVM" list
VBoxManage snapshot "AnalysisVM" restore "clean-state"
VBoxManage snapshot "AnalysisVM" delete "old-snapshot"

# Docker checkpoint (experimental)
docker checkpoint create analysis-container checkpoint1
docker start --checkpoint checkpoint1 analysis-container

# QEMU/KVM snapshots
virsh snapshot-create-as AnalysisVM clean-state "Clean state for analysis"
virsh snapshot-revert AnalysisVM clean-state
virsh snapshot-list AnalysisVM
```

### 9. Automated Analysis Pipeline

```python
#!/usr/bin/env python3
"""Automated malware analysis pipeline"""

import subprocess
import hashlib
import json
import os
from datetime import datetime

class AnalysisPipeline:
    def __init__(self, sample_path, output_dir):
        self.sample_path = sample_path
        self.output_dir = output_dir
        self.results = {}

    def calculate_hashes(self):
        """Calculate file hashes"""
        with open(self.sample_path, 'rb') as f:
            data = f.read()
        return {
            'md5': hashlib.md5(data).hexdigest(),
            'sha1': hashlib.sha1(data).hexdigest(),
            'sha256': hashlib.sha256(data).hexdigest()
        }

    def static_analysis(self):
        """Run static analysis tools"""
        # YARA scan
        subprocess.run(['yara', '-r', '/rules/', self.sample_path],
                      capture_output=True)

        # PE analysis
        subprocess.run(['peframe', self.sample_path],
                      capture_output=True)

        # Strings extraction
        subprocess.run(['strings', '-a', self.sample_path],
                      stdout=open(f'{self.output_dir}/strings.txt', 'w'))

    def restore_snapshot(self):
        """Restore VM to clean state"""
        subprocess.run([
            'VBoxManage', 'snapshot', 'AnalysisVM',
            'restore', 'clean-state'
        ])

    def run_dynamic_analysis(self, timeout=120):
        """Execute sample in sandbox"""
        # Submit to Cuckoo
        result = subprocess.run([
            'cuckoo', 'submit', self.sample_path,
            '--timeout', str(timeout)
        ], capture_output=True)
        return result

    def collect_artifacts(self):
        """Collect analysis artifacts"""
        artifacts = {
            'pcap': f'{self.output_dir}/traffic.pcap',
            'memory_dump': f'{self.output_dir}/memory.dmp',
            'screenshots': f'{self.output_dir}/screenshots/',
            'dropped_files': f'{self.output_dir}/dropped/'
        }
        return artifacts

    def generate_report(self):
        """Generate analysis report"""
        report = {
            'timestamp': datetime.now().isoformat(),
            'sample': self.sample_path,
            'hashes': self.calculate_hashes(),
            'results': self.results
        }
        with open(f'{self.output_dir}/report.json', 'w') as f:
            json.dump(report, f, indent=2)
```

## MCP Server Integration

This skill can leverage the following tools:

| Tool | Description | URL |
|------|-------------|-----|
| Kubernetes MCP Server | Container orchestration | https://github.com/containers/kubernetes-mcp-server |
| AWS MCP Server | Cloud sandbox deployment | https://github.com/alexei-led/aws-mcp-server |
| Docker MCP | Container management | Docker CLI integration |

## Analysis Environment Profiles

```yaml
environment_profiles:
  malware_analysis:
    vm_type: windows10
    memory: 4096
    cpus: 2
    network: isolated
    snapshots: true
    tools:
      - procmon
      - fakenet
      - x64dbg
      - pestudio

  exploit_testing:
    vm_type: ubuntu
    memory: 2048
    cpus: 2
    network: host-only
    snapshots: true
    tools:
      - gdb
      - pwntools
      - radare2

  web_analysis:
    container: remnux
    memory: 2048
    network: simulated
    tools:
      - burp
      - mitmproxy
      - chrome-sandbox
```

## Process Integration

This skill integrates with the following processes:
- `malware-analysis.js` - Automated malware analysis
- `exploit-development.js` - Exploit testing environments
- `security-research-lab-setup.js` - Lab environment creation
- `dynamic-analysis-runtime-testing.js` - Runtime analysis

## Output Format

When executing operations, provide structured output:

```json
{
  "environment": {
    "type": "virtualbox",
    "vm_name": "MalwareAnalysis",
    "snapshot": "clean-state",
    "network": "isolated"
  },
  "analysis": {
    "sample_hash": "abc123...",
    "duration": 120,
    "status": "completed"
  },
  "findings": {
    "network_activity": ["185.123.45.67:443"],
    "file_operations": ["C:\\Windows\\Temp\\dropper.exe"],
    "registry_changes": ["HKCU\\Software\\Microsoft\\Windows\\Run"],
    "processes_created": ["cmd.exe", "powershell.exe"]
  },
  "artifacts": {
    "pcap": "/output/traffic.pcap",
    "memory_dump": "/output/memory.dmp",
    "screenshots": ["/output/screen_001.png"]
  }
}
```

## Error Handling

- Verify VM/container health before analysis
- Implement timeout mechanisms for hung analyses
- Preserve partial results on failure
- Log all environment state changes
- Validate network isolation before sample execution

## Constraints

- Never analyze malware on production systems
- Always verify network isolation before execution
- Maintain evidence chain of custody
- Document all environment configurations
- Keep malware samples in encrypted storage
- Follow organizational malware handling policies

Overview

This skill provides isolated analysis environment management for safe malware analysis, exploit testing, and dynamic security research. It automates creation and control of VMs and containers, configures Cuckoo, REMnux and FlareVM toolsets, and captures filesystem, registry, process and network artifacts. The focus is practical orchestration: snapshots, network isolation, traffic capture, and resumable pipelines for repeatable analysis.

How this skill works

The skill creates and manages virtualization resources (VirtualBox, VMware, KVM/QEMU) and container images (Docker) with predefined environment profiles. It configures Cuckoo for automated submissions, provisions REMnux and FlareVM tooling, and enforces network isolation with host-only networks, INetSim/FakeDNS and iptables rules. During execution it captures artifacts (pcaps, memory dumps, screenshots, file/registry changes), manages snapshots and checkpoints, and outputs structured analysis reports.

When to use it

  • Performing dynamic malware analysis in a confined lab
  • Testing exploits or proof-of-concept code without risking production systems
  • Automating bulk submissions to Cuckoo or a containerized pipeline
  • Capturing forensic artifacts (pcap, memory, dropped files) for triage
  • Creating repeatable analysis environments with snapshots and checkpoints

Best practices

  • Always validate strict network isolation before executing samples
  • Use snapshots or checkpoints to restore clean states between runs
  • Run analysis on dedicated hosts or air-gapped infrastructure only
  • Limit container capabilities (no-new-privileges, cap-drop, read-only fs)
  • Preserve evidence chain: encrypted storage and detailed logs for each run

Example use cases

  • Create a Windows analysis VM, take a clean snapshot, run a sample via Cuckoo, then restore the snapshot automatically
  • Build a REMnux Docker image with additional tooling, run static scans and capture strings and YARA hits
  • Deploy FlareVM on an isolated host for interactive debugging with x64dbg and Wireshark
  • Run a headless exploit test in a QEMU VM with iptables rules and tcpdump capturing network activity
  • Automate a pipeline that calculates hashes, submits to Cuckoo, collects pcaps and memory dumps, and generates JSON reports

FAQ

Is this safe to run on a production network?

No. Always run analyses in isolated or air-gapped environments and verify network isolation before execution.

What virtualization and tooling prerequisites are required?

You need virtualization (VirtualBox/VMware/KVM), Docker for containers, Cuckoo for automation, and optional tools like INetSim, REMnux or FlareVM images.