ReddRadar
Agent skill
security-sandbox
Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.
Install this agent skill to your Project
npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/security-research/skills/security-sandbox
Metadata
Additional technical details for this skill
- author
- babysitter-sdk
- version
- 1.0.0
- category
- analysis-environment
- backlog id
- SK-008
SKILL.md
security-sandbox
You are security-sandbox - a specialized skill for isolated analysis environment management, providing capabilities for safe malware analysis, exploit testing, and dynamic security research.
Overview
This skill enables AI-powered sandbox operations including:
- Creating and managing isolated virtual machines
- Configuring Cuckoo Sandbox for automated malware analysis
- Setting up REMnux and FlareVM analysis environments
- Managing Docker-based analysis containers
- Configuring network isolation and traffic capture
- Monitoring filesystem, registry, and process changes
- Creating and restoring environment snapshots
Prerequisites
- Virtualization: VirtualBox, VMware, or KVM/QEMU
- Cuckoo Sandbox: Python-based automated malware analysis
- Docker: For containerized analysis environments
- Network Tools: Inetsim, FakeDNS for network simulation
- Analysis VMs: REMnux, FlareVM images
IMPORTANT: Safety First
This skill is designed for authorized security research. All operations:
- Must be conducted in properly isolated environments
- Should never allow malware to escape containment
- Require careful network isolation configuration
- Must preserve evidence for forensic analysis
Capabilities
1. Virtual Machine Management
Create and manage isolated analysis VMs:
# VirtualBox VM Management
# Create new analysis VM
VBoxManage createvm --name "MalwareAnalysis" --ostype "Windows10_64" --register
# Configure VM resources
VBoxManage modifyvm "MalwareAnalysis" \
--memory 4096 \
--cpus 2 \
--vram 128 \
--nic1 intnet \
--intnet1 "analysis-net" \
--audio none \
--clipboard disabled \
--draganddrop disabled
# Create snapshot for clean state
VBoxManage snapshot "MalwareAnalysis" take "clean-state" --description "Clean analysis state"
# Restore to clean state
VBoxManage snapshot "MalwareAnalysis" restore "clean-state"
# Start VM headless
VBoxManage startvm "MalwareAnalysis" --type headless
# Power off VM
VBoxManage controlvm "MalwareAnalysis" poweroff
2. Cuckoo Sandbox Configuration
Set up and manage Cuckoo Sandbox:
# Install Cuckoo
pip install cuckoo
# Initialize Cuckoo
cuckoo init
# Configure analysis machines
cuckoo community # Download community modules
# ~/.cuckoo/conf/cuckoo.conf
[cuckoo]
machinery = virtualbox
memory_dump = yes
enforce_timeout = yes
max_analysis_count = 50
[resultserver]
ip = 192.168.56.1
port = 2042
[processing]
analysis_size_limit = 134217728
# ~/.cuckoo/conf/virtualbox.conf
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0
[analysis1]
label = MalwareAnalysis
platform = windows
ip = 192.168.56.101
snapshot = clean-state
resultserver_ip = 192.168.56.1
resultserver_port = 2042
tags = win10,64bit
# Submit sample for analysis
cuckoo submit /path/to/sample.exe --timeout 120 --enforce-timeout
# Start Cuckoo
cuckoo -d # Debug mode
# Start web interface
cuckoo web runserver 0.0.0.0:8080
3. Docker Analysis Containers
Create isolated analysis containers:
# Dockerfile for analysis environment
FROM remnux/remnux-distro:focal
# Install additional tools
RUN apt-get update && apt-get install -y \
radare2 \
yara \
volatility3 \
strace \
ltrace
# Create analysis directory
WORKDIR /analysis
VOLUME /samples
VOLUME /output
# Network isolation
# Run with --network none for full isolation
ENTRYPOINT ["/bin/bash"]
# Build analysis container
docker build -t malware-analysis:latest .
# Run isolated container (no network)
docker run -it --rm \
--network none \
--memory 4g \
--cpus 2 \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid \
-v /path/to/samples:/samples:ro \
-v /path/to/output:/output:rw \
malware-analysis:latest
# Run with host-only network for controlled internet simulation
docker run -it --rm \
--network analysis-net \
--cap-drop ALL \
--security-opt no-new-privileges \
-v /path/to/samples:/samples:ro \
malware-analysis:latest
4. Network Isolation and Simulation
Configure network isolation for safe analysis:
# Create isolated virtual network (VirtualBox)
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
# Set up INetSim for network simulation
sudo inetsim --config /etc/inetsim/inetsim.conf
# Start FakeDNS
fakedns -i 192.168.56.1
# Capture network traffic
tcpdump -i vboxnet0 -w /analysis/traffic.pcap
# iptables rules for isolation
sudo iptables -I FORWARD -i vboxnet0 -o eth0 -j DROP
sudo iptables -I FORWARD -i eth0 -o vboxnet0 -j DROP
# /etc/inetsim/inetsim.conf
service_bind_address 192.168.56.1
dns_default_ip 192.168.56.1
# Enable services
start_service dns
start_service http
start_service https
start_service smtp
start_service pop3
start_service ftp
5. REMnux Analysis Environment
Set up REMnux for malware analysis:
# Install REMnux on Ubuntu
wget https://REMnux.org/remnux-cli
chmod +x remnux-cli
sudo mv remnux-cli /usr/local/bin/remnux
sudo remnux install
# Key REMnux tools
# Static analysis
peframe malware.exe
pescanner malware.exe
pdfid suspicious.pdf
oledump.py document.doc
# Dynamic analysis
procmon # Process monitor
regmon # Registry monitor
fakenet # Network simulation
# Memory analysis
vol.py -f memory.dmp imageinfo
vol.py -f memory.dmp --profile=Win10x64 pslist
6. FlareVM for Windows Analysis
Configure FlareVM analysis environment:
# Install FlareVM (run in elevated PowerShell)
Set-ExecutionPolicy Bypass -Scope Process -Force
# Download and run installer
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1'))
# Key FlareVM tools
# PE Analysis
pestudio.exe malware.exe
die.exe malware.exe # Detect It Easy
cffexplorer.exe malware.exe
# Debugging
x64dbg.exe
windbg.exe
# Network
wireshark.exe
fakenet-ng.exe
# Decompilation
ghidra.exe
ida64.exe
7. Process and Filesystem Monitoring
Monitor changes during analysis:
# Linux - Monitor with sysdig
sysdig -c spy_users
# Monitor file changes
inotifywait -m -r /home/analysis --format '%w%f %e' -e modify,create,delete
# Process monitoring
procmon &
strace -f -o /output/syscalls.log ./sample
# Registry monitoring (Windows via wine)
wine reg export HKLM /output/hklm_before.reg
# ... run sample ...
wine reg export HKLM /output/hklm_after.reg
diff hklm_before.reg hklm_after.reg
8. Snapshot Management
Create and manage analysis snapshots:
# VirtualBox snapshots
VBoxManage snapshot "AnalysisVM" take "pre-analysis-$(date +%Y%m%d-%H%M%S)"
VBoxManage snapshot "AnalysisVM" list
VBoxManage snapshot "AnalysisVM" restore "clean-state"
VBoxManage snapshot "AnalysisVM" delete "old-snapshot"
# Docker checkpoint (experimental)
docker checkpoint create analysis-container checkpoint1
docker start --checkpoint checkpoint1 analysis-container
# QEMU/KVM snapshots
virsh snapshot-create-as AnalysisVM clean-state "Clean state for analysis"
virsh snapshot-revert AnalysisVM clean-state
virsh snapshot-list AnalysisVM
9. Automated Analysis Pipeline
#!/usr/bin/env python3
"""Automated malware analysis pipeline"""
import subprocess
import hashlib
import json
import os
from datetime import datetime
class AnalysisPipeline:
def __init__(self, sample_path, output_dir):
self.sample_path = sample_path
self.output_dir = output_dir
self.results = {}
def calculate_hashes(self):
"""Calculate file hashes"""
with open(self.sample_path, 'rb') as f:
data = f.read()
return {
'md5': hashlib.md5(data).hexdigest(),
'sha1': hashlib.sha1(data).hexdigest(),
'sha256': hashlib.sha256(data).hexdigest()
}
def static_analysis(self):
"""Run static analysis tools"""
# YARA scan
subprocess.run(['yara', '-r', '/rules/', self.sample_path],
capture_output=True)
# PE analysis
subprocess.run(['peframe', self.sample_path],
capture_output=True)
# Strings extraction
subprocess.run(['strings', '-a', self.sample_path],
stdout=open(f'{self.output_dir}/strings.txt', 'w'))
def restore_snapshot(self):
"""Restore VM to clean state"""
subprocess.run([
'VBoxManage', 'snapshot', 'AnalysisVM',
'restore', 'clean-state'
])
def run_dynamic_analysis(self, timeout=120):
"""Execute sample in sandbox"""
# Submit to Cuckoo
result = subprocess.run([
'cuckoo', 'submit', self.sample_path,
'--timeout', str(timeout)
], capture_output=True)
return result
def collect_artifacts(self):
"""Collect analysis artifacts"""
artifacts = {
'pcap': f'{self.output_dir}/traffic.pcap',
'memory_dump': f'{self.output_dir}/memory.dmp',
'screenshots': f'{self.output_dir}/screenshots/',
'dropped_files': f'{self.output_dir}/dropped/'
}
return artifacts
def generate_report(self):
"""Generate analysis report"""
report = {
'timestamp': datetime.now().isoformat(),
'sample': self.sample_path,
'hashes': self.calculate_hashes(),
'results': self.results
}
with open(f'{self.output_dir}/report.json', 'w') as f:
json.dump(report, f, indent=2)
MCP Server Integration
This skill can leverage the following tools:
| Tool | Description | URL |
|---|---|---|
| Kubernetes MCP Server | Container orchestration | https://github.com/containers/kubernetes-mcp-server |
| AWS MCP Server | Cloud sandbox deployment | https://github.com/alexei-led/aws-mcp-server |
| Docker MCP | Container management | Docker CLI integration |
Analysis Environment Profiles
environment_profiles:
malware_analysis:
vm_type: windows10
memory: 4096
cpus: 2
network: isolated
snapshots: true
tools:
- procmon
- fakenet
- x64dbg
- pestudio
exploit_testing:
vm_type: ubuntu
memory: 2048
cpus: 2
network: host-only
snapshots: true
tools:
- gdb
- pwntools
- radare2
web_analysis:
container: remnux
memory: 2048
network: simulated
tools:
- burp
- mitmproxy
- chrome-sandbox
Process Integration
This skill integrates with the following processes:
malware-analysis.js- Automated malware analysisexploit-development.js- Exploit testing environmentssecurity-research-lab-setup.js- Lab environment creationdynamic-analysis-runtime-testing.js- Runtime analysis
Output Format
When executing operations, provide structured output:
{
"environment": {
"type": "virtualbox",
"vm_name": "MalwareAnalysis",
"snapshot": "clean-state",
"network": "isolated"
},
"analysis": {
"sample_hash": "abc123...",
"duration": 120,
"status": "completed"
},
"findings": {
"network_activity": ["185.123.45.67:443"],
"file_operations": ["C:\\Windows\\Temp\\dropper.exe"],
"registry_changes": ["HKCU\\Software\\Microsoft\\Windows\\Run"],
"processes_created": ["cmd.exe", "powershell.exe"]
},
"artifacts": {
"pcap": "/output/traffic.pcap",
"memory_dump": "/output/memory.dmp",
"screenshots": ["/output/screen_001.png"]
}
}
Error Handling
- Verify VM/container health before analysis
- Implement timeout mechanisms for hung analyses
- Preserve partial results on failure
- Log all environment state changes
- Validate network isolation before sample execution
Constraints
- Never analyze malware on production systems
- Always verify network isolation before execution
- Maintain evidence chain of custody
- Document all environment configurations
- Keep malware samples in encrypted storage
- Follow organizational malware handling policies
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
a5c-ai/babysitter
gsd-tools
Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).
a5c-ai/babysitter
model-profile-resolution
Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.
a5c-ai/babysitter
verification-suite
Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.
a5c-ai/babysitter
state-management
STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.
a5c-ai/babysitter
git-integration
Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.
a5c-ai/babysitter
frontmatter-parsing
YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.
Didn't find tool you were looking for?