- README, GrumpyCats/README, Whiskers/README: trim feature dumps; point at the wiki for deep docs
- Whiskers/BUILD.md: folded into Whiskers/README "Building from source"
- HolyGrail analyzer: drop 178 lines of dead code
- Patriot, blender, holygrail, manager: pyflakes-clean unused imports
- Add release-notes.md
- Fibratus EDR profile (kind: fibratus). Pull-from-event-log model, same
shape DetonatorAgent's FibratusEdrPlugin.cs uses: operator configures
Fibratus on the EDR VM with alertsenders.eventlog: {enabled: true,
format: json}; rule matches land in the Application log. Whiskers gains
GET /api/alerts/fibratus/since which wevtutil-queries the log,
extracts <TimeCreated SystemTime> + <EventID> + <Data>, and ships the raw
JSON blobs back. The new FibratusEdrAnalyzer mirrors Elastic's
two-phase shape — Phase 1 exec, Phase 2 polls Whiskers — and normalizes
Fibratus's actual schema (events[].proc.{name,exe,cmdline,parent_name,
parent_cmdline,ancestors} + bare tactic.id/technique.id/subtechnique.id
labels) into the saved-view renderer's dict.
- Whiskers /api/info now reports telemetry_sources: ['fibratus'] when
fibratus.exe is at C:\Program Files\Fibratus\Bin\, so the
orchestrator can preflight before dispatching. wevtutil's single-quoted
attribute output is parsed correctly.
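As an added illustration of the pull-from-event-log model (this is not Whiskers' own code): a parser for the bare `<Event>` sequence that `wevtutil qe Application /f:xml` emits, pulling SystemTime, EventID and the JSON `<Data>` blob and filtering on a `since` timestamp. The sample events, the provider name and the JSON payloads are constructed; using a real XML parser means wevtutil's single-quoted attributes need no special handling.

```python
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the shape wevtutil prints: a sequence of <Event>
# elements with single-quoted attributes and no enclosing root element.
# The third event carries a non-JSON payload to exercise the fallback.
SAMPLE = """<Event xmlns='http://schemas.microsoft.com/win32/2004/08/events/event'><System><Provider Name='Fibratus'/><EventID Qualifiers='0'>1</EventID><TimeCreated SystemTime='2024-05-01T10:00:00.1234567Z'/></System><EventData><Data>{"name": "Constructed rule A", "tactic": {"id": "TA0002"}}</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win32/2004/08/events/event'><System><Provider Name='Fibratus'/><EventID Qualifiers='0'>2</EventID><TimeCreated SystemTime='2024-05-01T10:05:00.0000000Z'/></System><EventData><Data>{"name": "Constructed rule B", "tactic": {"id": "TA0006"}}</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win32/2004/08/events/event'><System><Provider Name='Fibratus'/><EventID Qualifiers='0'>3</EventID><TimeCreated SystemTime='2024-05-01T10:06:00Z'/></System><EventData><Data>not json</Data></EventData></Event>
"""

NS = {"e": "http://schemas.microsoft.com/win32/2004/08/events/event"}


def parse_system_time(value):
    """Parse wevtutil's SystemTime. It prints 7 fractional digits; %f takes at most 6."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected SystemTime: {value!r}")
    micros = (m.group(2) or "0")[:6].ljust(6, "0")
    stamp = datetime.strptime(f"{m.group(1)}.{micros}", "%Y-%m-%dT%H:%M:%S.%f")
    return stamp.replace(tzinfo=timezone.utc)


def parse_wevtutil_events(xml_text, since=None):
    """Return events newer than `since` (aware datetime) as plain dicts."""
    # Wrap the rootless sequence so it becomes one well-formed document.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    out = []
    for ev in root.findall("e:Event", NS):
        ts = parse_system_time(ev.find("e:System/e:TimeCreated", NS).get("SystemTime"))
        if since is not None and ts <= since:
            continue
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        blobs = []
        for d in ev.findall("e:EventData/e:Data", NS):
            try:
                blobs.append(json.loads(d.text or ""))
            except json.JSONDecodeError:
                blobs.append({"raw": d.text})  # keep unparseable payloads, do not drop them
        out.append({"time": ts.isoformat(), "event_id": event_id, "data": blobs})
    return out


if __name__ == "__main__":
    print(json.dumps(parse_wevtutil_events(SAMPLE), indent=2))
```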
- Dashboard reachability cache (services.edr_health). 30s TTL +
background poller every 15s. Per-probe timeouts dropped 4s/5s -> 2s.
First load post-boot waits at most one probe cycle; every subsequent
load <5ms (cache hit).
- GrumpyCats package split: 1085-line monolith into:
  - grumpycat.py — orchestrator (14 lines)
  - cli/ — parser, handlers, runner
  - litterbox_client/ — base + per-domain mixins (files, analysis,
    doppelganger, results, edr, reports, system) composed into
    LitterBoxClient.
- LitterBoxMCP.py rewires its one import. New CLI subcommand
fibratus-alerts and matching MCP tool fibratus_alerts_since pull
Fibratus alerts via a LitterBox passthrough endpoint
(/api/edr/fibratus/<profile>/alerts/since) for wire-checking the agent
without dispatching a payload.
- CHANGELOG updated.
- New system dashboard at / (live scanner availability + EDR agent
reachability, refreshes every minute). Drop-zone moved to /upload.
- New GET /api/system/scanners endpoint inventories static + dynamic +
holygrail analyzers and reports whether each tool's binary exists.
- Whiskers --install / --uninstall register an ONLOGON Windows
scheduled task so the agent auto-starts at user logon (no UAC, runs
as the invoking user). Forwards non-default flags into the task.
- Whiskers --samples-dir; default drop path is now <exe_dir>/samples/
(auto-created) instead of C:\Users\Public\Downloads\.
- GrumpyCats client + MCP tools picked up the new EDR endpoints
(analyze_edr, get_edr_results/index, list_edr_profiles,
get_edr_agents_status) plus get_scanners_status; new CLI
subcommands edr-run / edr-results / edr-profiles / edr-status /
scanners.
- 'New Analysis' / 'Upload New' buttons in summary + results pages
point at /upload now that / is the dashboard.
- CHANGELOG + Whiskers/README updated for the new flags + auto-start.
- New 'All' analysis mode: client-side coordinator runs Static + every EDR
profile in parallel; Dynamic waits only for Static (EDR is on a remote
VM, no local resource contention). New /analyze/all/<target> route +
analyze_all.html + analyze-all/core.js. Done banner exposes per-result
jump links; rows linkify to their saved detail views (no auto-redirect).
- /results/edr/<profile>/<target>: saved-view route that loads the saved
JSON and renders via the same tools/edr.js module the live page uses,
so the saved view shows MITRE chips, call stack, triggering API,
memory region, expandable per-alert detail and raw _source. New
edr_info.html embeds findings as window.__edrSavedResults; new
edr-saved.js bootstraps the renderer.
- Whiskers: chunked XOR write (64 KiB working buffer) replaces the
byte-by-byte loop that was timing out the orchestrator on multi-MB
payloads. AgentClient gains a separate exec_timeout (180s) for the
multipart upload + agent-side decode path.
- file_info.html: Dynamic button uses lb-btn-primary to match Static and
EDR (drops the orphan yellow styling).