LitterBox
SandBox for Red Team
{% if is_process_analysis %}Process Analysis{% else %}File Analysis{% endif %} Report
{{ subject_name }}
{% if is_process_analysis %} PID {{ pid }} {% if dynamic_results and dynamic_results.moneta and dynamic_results.moneta.findings and dynamic_results.moneta.findings.process_info %} · {{ dynamic_results.moneta.findings.process_info.arch or 'unknown arch' }} {% endif %} {% else %} {{ file_info.detected_type.family|upper if file_info and file_info.detected_type else 'FILE' }} {% if file_info and file_info.detected_type and file_info.detected_type.arch %} · {{ file_info.detected_type.arch }}{% endif %} {% if file_info %} · {{ format_size(file_info.size) }}{% endif %} {% endif %}
{% if is_driver_report %}
{% set bf = byovd_results.findings %}
{% set bd = bf.detailed_analysis or {} %}
{% set bs = bf.summary or {} %}
BYOVD Potential
{% else %}
Detection Assessment
{% endif %}
{{ byovd_score if byovd_score is not none else 0 }}/100
{{ byovd_label or 'Unknown' }}
{{ risk_score|round|int if risk_score is not none else 0 }}/100
{{ risk_level or 'Unknown' }}
{% if is_driver_report %}
{% set bd = byovd_results.findings.detailed_analysis or {} %}
{% set bs = byovd_results.findings.summary or {} %}
{% set is_lol = bd.is_loldriver or bs.is_loldriver %}
{% set is_w10 = bd.is_win10_blocked or bs.is_win10_blocked %}
{% set is_w11 = bd.is_win11_blocked or bs.is_win11_blocked %}
{% set crit_count = (bd.critical_imports or '').split(',') | reject('equalto', '') | list | length %}
LOLDrivers {{ 'Listed' if is_lol else 'Not listed' }}
Win10 {{ 'Blocked' if is_w10 else 'Allowed' }}
Win11 {{ 'Blocked' if is_w11 else 'Allowed' }}
Critical Imports {{ crit_count }}
{% else %}
{% set detection_pairs = [
('YARA', detections.yara if detections else 0),
('PE-Sieve', detections.pesieve if detections else 0),
('Moneta', detections.moneta if detections else 0),
('Patriot', detections.patriot if detections else 0),
('HSB', detections.hsb if detections else 0)
] %}
{% for label, count in detection_pairs %}
{{ label }} {{ count or 0 }}
{% endfor %}
{% endif %}
HolyGrail BYOVD Analysis {% if is_holygrail %} Holy Grail {% elif is_lol or is_w10 or is_w11 %} Known / Blocked {% elif has_danger %} Potentially Interesting {% else %} Low BYOVD Potential {% endif %}
Driver Imports · LoLDrivers list · Microsoft Driver Block Policy.
- Driver
- {{ bd.original_filename or bd.name or '—' }}
- Architecture
- {{ bd.architecture or '—' }}
- File Version
- {{ bd.file_version or '—' }}
- Compile Time
- {{ bd.compile_time or byovd_results.compile_time or '—' }}
- SHA-256
- {{ bd.sha256 or '—' }}
- LOLDrivers
- {% if is_lol %} Listed {% else %} Not listed {% endif %}
- Windows 10 Block Policy
- {% if is_w10 %} Blocked {% if bd.win10_block_reason %} · {{ bd.win10_block_reason }}{% endif %} {% else %} Not blocked {% endif %}
- Windows 11 Block Policy
- {% if is_w11 %} Blocked {% if bd.win11_block_reason %} · {{ bd.win11_block_reason }}{% endif %} {% else %} Not blocked {% endif %}
- Terminate-Process Primitive
- {% if has_term %}Present{% else %}Absent{% endif %}
- User-mode IOCTL Comms
- {% if has_comms %}Present{% else %}Absent{% endif %}
Critical Imports ({{ crit_list|length }})
Privileged kernel primitives commonly exploited in BYOVD attacks.
{% for imp in crit_list %}
{% set name = imp.strip() %}
{{ name }}
{% endfor %}
{% endif %}
Triggering Indicators {{ risk_factors|length }} indicator{{ 's' if risk_factors|length != 1 else '' }}
Indicators that contributed to the overall detection score.
-
{% for factor in risk_factors %}
- {{ factor }} {% endfor %}
File Information
Identifiers, size, and entropy of the analysed sample.
- Original name
- {{ file_info.original_name or 'Unknown' }}
- Type
- {{ file_info.detected_type.family|upper if file_info.detected_type else 'Unknown' }} {% if file_info.detected_type and file_info.detected_type.type %} / {{ file_info.detected_type.type }}{% endif %} {% if file_info.detected_type and file_info.detected_type.arch %} ({{ file_info.detected_type.arch }}){% endif %}
- Size
- {{ format_size(file_info.size) }} ({{ file_info.size }} bytes)
- MIME
- {{ file_info.mime_type or 'application/octet-stream' }}
- Uploaded
- {{ file_info.upload_time or '—' }}
- Entropy
- {{ file_info.entropy }} {% if file_info.entropy_analysis and file_info.entropy_analysis.detection_risk %} {{ file_info.entropy_analysis.detection_risk }} entropy {% endif %}
MD5 {{ file_info.md5 or '—' }}
SHA256 {{ file_info.sha256 or '—' }}
PE Header
- File type
- {{ pe.file_type or '—' }}
- Machine
- {{ pe.machine_type or '—' }}
- Subsystem
- {{ pe.subsystem or '—' }}
- Compile time
- {{ pe.compile_time or '—' }}
- Entry point
- {{ pe.entry_point or '—' }} {% if pe.build_with %}
- Built with
- {{ pe.build_with }} {% endif %} {% if pe.checksum_info %}
- Checksum
- {{ pe.checksum_info.stored_checksum or '—' }} {% if not pe.checksum_info.is_valid %} mismatch {% else %} valid {% endif %} {% endif %}
Sensitive Imports ({{ pe.suspicious_imports|length }})
| DLL | Function | Category | Note |
|---|---|---|---|
| {{ imp.dll }} | {{ imp.function }} | {{ imp.category }} | {{ imp.note|truncate(120, true) }} |
… and {{ pe.suspicious_imports|length - 30 }} more (click to expand)
| DLL | Function | Category | Note |
|---|---|---|---|
| {{ imp.dll }} | {{ imp.function }} | {{ imp.category }} | {{ imp.note|truncate(120, true) }} |
Process Information
Live process attributes captured at scan time.
- Process
- {{ p.name }}
- PID
- {{ p.pid }}
- Architecture
- {{ p.arch }}
- Path
- {{ p.path }}
Static Analysis
Pre-execution scan results.
{# YARA #} {% set yara = static_results.yara %}YARA
{% if yara and yara.matches %}
{{ yara.matches|length }} rule match{{ 'es' if yara.matches|length != 1 else '' }}
{% else %}
No rules matched
{% endif %}
{% if yara and yara.scan_info and yara.scan_info.rules_file %}
{% endif %}
{% if yara and yara.matches %}
-
{% for m in yara.matches[:10] %}
- {{ m.rule }} {% if m.metadata and m.metadata.severity is defined %} {% endif %} {% if m.strings %} {% endif %} {% endfor %}
… and {{ yara.matches|length - 10 }} more (click to expand)
-
{% for m in yara.matches[10:] %}
- {{ m.rule }} {% if m.metadata and m.metadata.severity is defined %} {% endif %} {% if m.strings %} {% endif %} {% endfor %}
CheckPLZ
{% if cp and cp.findings and cp.findings.initial_threat %}
Signature triggered
{{ cp.findings.initial_threat }}
{% else %}
No signatures triggered
{% endif %}
{% if cp and cp.findings and cp.findings.scan_results and cp.findings.scan_results.hex_dump %}
{{ cp.findings.scan_results.hex_dump }}
{% endif %}
Strings
{% if st and st.findings %}
{% set sus_count = (st.findings.found_suspicious_strings or [])|length + (st.findings.found_suspicious_functions or [])|length %}
{% if sus_count > 0 %}
{{ sus_count }} notable
{% endif %}
{% endif %}
{% if st and st.findings %}
{% set f = st.findings %}
{% set buckets = [
('Notable strings', f.found_suspicious_strings),
('Notable functions', f.found_suspicious_functions),
('URLs', f.found_url),
('IP addresses', f.found_ip),
('Domains', f.found_domains),
('Email addresses', f.found_emails),
('Network indicators', f.found_network_indicators),
('Registry keys', f.found_registry_keys),
('File operations', f.found_file_operations),
('File paths', f.found_path),
('Files referenced', f.found_file),
('DLLs', f.found_dll),
('Functions', f.found_functions),
('Commands', f.found_commands),
('Error messages', f.found_error_messages),
('Interesting strings', f.found_interesting_strings)
] %}
{% set ns = namespace(any=false) %}
{% for label, items in buckets %}{% if items %}{% set ns.any = true %}{% endif %}{% endfor %}
{% if ns.any %}
| Category | Count |
|---|---|
| {{ label }} | {{ items|length }} |
{{ label }} ({{ items|length }})
{% for item in items[:100] %}{{ item }}
{% endfor %}
{% if items|length > 100 %}
… and {{ items|length - 100 }} more (click to expand)
{% for item in items[100:] %}{{ item }}
{% endfor %}
No notable strings observed
{% endif %}
{% endif %}
Dynamic Analysis
Runtime behaviour observed during execution.
{# YARA dynamic #} {% set yara = dynamic_results.yara %}YARA
{% if yara and yara.matches %}
{{ yara.matches|length }} rule match{{ 'es' if yara.matches|length != 1 else '' }}
{% else %}
No rules matched
{% endif %}
{% if yara and yara.matches %}
-
{% for m in yara.matches[:10] %}
- {{ m.rule }} {% if m.metadata and m.metadata.severity is defined %}{% endif %} {% endfor %}
PE-Sieve
{% set sus = (ps.findings.total_suspicious if ps and ps.findings else 0)|int %}
{% endif %}
{% if sus > 0 %}
{{ sus }} memory modification{{ 's' if sus != 1 else '' }}
{% else %}
No memory anomalies
{% endif %}
{% if ps and ps.findings and sus > 0 %}
{% set pe_keys = [('Hooked','hooked'),('Replaced','replaced'),('Hdrs Modified','hdrs_modified'),('IAT Hooks','iat_hooks'),('Implanted','implanted'),('Implanted PE','implanted_pe'),('Implanted shc','implanted_shc')] %}
| Indicator | Count |
|---|---|
| {{ label }} | {{ ps.findings[key] }} |
Moneta
{% if mo_ns.total > 0 %}
{{ mo_ns.total }} memory anomal{{ 'ies' if mo_ns.total != 1 else 'y' }}
{% else %}
No memory anomalies
{% endif %}
{% if mo and mo.findings and mo.findings.total_regions %}
{% endif %}
{% if mo and mo.findings and mo_ns.total > 0 %}
| Indicator | Count |
|---|---|
| {{ label }} | {{ mo.findings[key] }} |
Patriot
{% set pa_findings = (pa.findings.findings if pa and pa.findings else []) or [] %}
{% if pa_findings|length > 15 %}
{% endif %}
{% endif %}
{% if pa_findings %}
{{ pa_findings|length }} indicator{{ 's' if pa_findings|length != 1 else '' }}
{% else %}
No indicators observed
{% endif %}
{% if pa_findings %}
| Type | Level | Details |
|---|---|---|
| {{ f.type or '—' }} | {% set lvl = (f.level or '')|lower %} {{ f.level or '—' }} | {{ (f.details or '')|truncate(120, true) }} |
… and {{ pa_findings|length - 15 }} more (click to expand)
| Type | Level | Details |
|---|---|---|
| {{ f.type or '—' }} | {% set lvl = (f.level or '')|lower %} {{ f.level or '—' }} | {{ (f.details or '')|truncate(120, true) }} |
HSB
{% set hb_total = (hb.findings.summary.total_findings if hb and hb.findings and hb.findings.summary else 0)|int %}
{% if hb_total > 0 %}
{{ hb_total }} sleeping-beacon finding{{ 's' if hb_total != 1 else '' }}
{% else %}
No sleeping-beacon behaviour
{% endif %}
{% if hb and hb.findings and hb.findings.summary and hb.findings.summary.scanned_threads %}
{% endif %}
RedEdr
{% if ns.threat_hit %}
Defender flagged the binary at runtime
{% endif %}
{% if re_defender %}
Defender Events ({{ re_defender|length }})
| Provider | Event | Scan Target | Verdict |
|---|---|---|---|
| {{ d.provider or '—' }} | {{ d.event or '—' }} | {{ (d.scan_target or '—')|truncate(80, true) }} | {% if d.verdict %}{{ d.verdict }}{% else %}—{% endif %} |
… and {{ re_defender|length - 15 }} more (click to expand)
| Provider | Event | Scan Target | Verdict |
|---|---|---|---|
| {{ d.provider or '—' }} | {{ d.event or '—' }} | {{ (d.scan_target or '—')|truncate(80, true) }} | {% if d.verdict %}{{ d.verdict }}{% else %}—{% endif %} |
Process Tree
{{ (re_proc.image_path or re_proc.commandline or 'Target')|trim }} (PID {{ re_proc.pid or '?' }})
{% for c in re_children %} └─ {{ c.image_name or 'Unknown' }} (PID {{ c.pid or '?' }}{% if c.parent_pid %}, parent {{ c.parent_pid }}{% endif %})
{% endfor %}
{% endif %}
{% if re_net %}
Network Activity ({{ re_net|length }})
| Proto | Local | Remote | Op | Size |
|---|---|---|---|---|
| {{ n.proto or '?' }} | {{ n.local_addr or '—' }}{% if n.local_port %}:{{ n.local_port }}{% endif %} | {{ n.remote_addr or '—' }}{% if n.remote_port %}:{{ n.remote_port }}{% endif %} | {{ n.operation or '—' }} | {{ n.size if n.size is not none else '—' }} |
… and {{ re_net|length - 25 }} more (click to expand)
| Proto | Local | Remote | Op | Size |
|---|---|---|---|---|
| {{ n.proto or '?' }} | {{ n.local_addr or '—' }}{% if n.local_port %}:{{ n.local_port }}{% endif %} | {{ n.remote_addr or '—' }}{% if n.remote_port %}:{{ n.remote_port }}{% endif %} | {{ n.operation or '—' }} | {{ n.size if n.size is not none else '—' }} |
File Operations ({{ re_files|length }})
| Path | Operation | Thread |
|---|---|---|
| {{ (f.path or '—')|truncate(120, true) }} | {{ f.operation or '—' }} | {{ f.thread_id if f.thread_id is not none else '—' }} |
… and {{ re_files|length - 25 }} more (click to expand)
| Path | Operation | Thread |
|---|---|---|
| {{ (f.path or '—')|truncate(120, true) }} | {{ f.operation or '—' }} | {{ f.thread_id if f.thread_id is not none else '—' }} |
Audit-API Calls ({{ re_audit|length }})
| API | Target PID | Target TID | Caller PID/TID |
|---|---|---|---|
| {{ a.api or '—' }} | {{ a.target_pid if a.target_pid is not none else '—' }} | {{ a.target_tid if a.target_tid is not none else '—' }} | {{ a.caller_pid if a.caller_pid is not none else '—' }} / {{ a.caller_tid if a.caller_tid is not none else '—' }} |
… and {{ re_audit|length - 25 }} more (click to expand)
| API | Target PID | Target TID | Caller PID/TID |
|---|---|---|---|
| {{ a.api or '—' }} | {{ a.target_pid if a.target_pid is not none else '—' }} | {{ a.target_tid if a.target_tid is not none else '—' }} | {{ a.caller_pid if a.caller_pid is not none else '—' }} / {{ a.caller_tid if a.caller_tid is not none else '—' }} |
Process I/O
{% if po.output_truncated %}truncated{% endif %}
{% if po.stdout %}
stdout
{{ po.stdout|truncate(4000, true) }}
stderr
{{ po.stderr|truncate(4000, true) }}
EDR Analysis
Payload dispatched to one or more EDR-instrumented hosts. Alerts are pulled from the EDR backend, filtered by the agent's hostname and the run window.
{% for profile_name, edr in edr_results.items() %} {% set edr_status = edr.status or 'unknown' %} {% set edr_alerts = edr.alerts or [] %} {% set edr_summary = edr.summary or {} %} {% set edr_exec = edr.execution or {} %} {% set edr_agent = edr.agent_info or {} %} {% set edr_display = edr.display_name or profile_name %} {% set high_count = edr_summary.high_severity_alerts if edr_summary.high_severity_alerts is defined else (edr_alerts|selectattr('severity', 'in', ['high', 'critical'])|list|length) %} {% set is_threat = (high_count or 0) > 0 or edr_status == 'blocked_by_av' %}{{ edr_display }}
{% if is_threat %}
{% if edr_status == 'blocked_by_av' %}
Blocked by AV before execution
{% else %}
{{ high_count }} high/critical alert{{ 's' if high_count != 1 else '' }}
{% endif %}
{% elif edr_alerts %}
{{ edr_alerts|length }} alert{{ 's' if edr_alerts|length != 1 else '' }} raised
{% elif edr_status == 'completed' %}
No alerts raised
{% else %}
{{ edr_status|replace('_', ' ')|title }}
{% endif %}
{% if edr_status in ('agent_unreachable', 'error', 'partial') %}
{{ edr_status|replace('_', ' ')|title }}: {{ edr.error or edr.sub_status or 'No additional detail.' }}
{% endif %} {% if edr_alerts %}Detection Alerts ({{ edr_alerts|length }})
| Severity | Rule | Rule ID | Detected |
|---|---|---|---|
| {{ sev|upper }} | {{ a.title or 'Unknown alert' }} | {{ a.rule_id or '—' }} | {{ a.detected_at or '—' }} |
… and {{ edr_alerts|length - 25 }} more (click to expand)
| Severity | Rule | Rule ID | Detected |
|---|---|---|---|
| {{ sev|upper }} | {{ a.title or 'Unknown alert' }} | {{ a.rule_id or '—' }} | {{ a.detected_at or '—' }} |
Execution Output
{% if edr_exec.message %}{{ edr_exec.message }}
{% endif %} {% if edr_exec.stdout %} stdout (PID {{ edr_exec.pid or '?' }}, exit {{ edr_exec.exit_code if edr_exec.exit_code is not none else '?' }})
{{ edr_exec.stdout|truncate(4000, true) }}
stderr
{{ edr_exec.stderr|truncate(4000, true) }}