# config/config.yaml
application:
  # NOTE(review): nesting is reconstructed from a listing that lost its
  # indentation; confirm against the repository copy.
  # Identity and listener settings for the web front end.
  name: "LitterBox"
  # Loopback bind. This file configures sample uploads and scanner launches,
  # and no authentication setting is visible in it, so the bind address is the
  # only access restriction shown here. Confirm what else guards the service
  # before changing it to a routable address.
  host: "127.0.0.1"
  port: 1337
  # Keep false outside development: debug modes in web frameworks commonly
  # expose stack traces or interactive consoles.
  debug: false
  # Quoted so the value stays a string rather than being type-inferred.
  version: "5.0.0"
utils:
  # NOTE(review): nesting is reconstructed from a listing that lost its
  # indentation; confirm against the repository copy.
  # Upload allowlist, keyed on file extension. An extension says nothing about
  # the actual content; whether the upload handler also inspects file content
  # is not visible here. Verify in the application code.
  allowed_extensions:
    # Executables / loaders / drivers
    - exe
    - dll
    - bin
    - sys
    - lnk
    # Word (OOXML + legacy CFBF)
    - docx  # macro-free per spec; accepted for T1221 template-injection samples
    - docm  # macro-enabled document
    - dotm  # macro-enabled template (T1221 target)
    - doc   # Word 97-2003; frequently carries VBA macros
    - rtf   # Rich Text Format; OLE-embedded payloads, T1203 patterns
    # Excel (OOXML + legacy CFBF)
    - xlsx  # macro-free per spec; still sent through olevba for XLM smuggling
    - xlsm  # macro-enabled workbook
    - xltm  # macro-enabled template
    - xls   # Excel 97-2003; carries VBA and Excel 4.0 / XLM macros
    # HTML / HTML Application, handled by the SmuggleShield-derived static analyzer
    - html  # plain HTML
    - htm   # alternate HTML extension
  # Upload size cap: 100 * 1024 * 1024 bytes.
  max_file_size: 104857600
  # Relative folder names for stored samples and analysis output.
  # NOTE(review): presumably resolved against the process working directory;
  # confirm. These hold untrusted samples, so keep them out of any directory
  # that is served, synced, or indexed.
  upload_folder: "Uploads"
  result_folder: "Results"
  malapi_path: "Utils\\malapi.json"
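analysis:
  # NOTE(review): nesting is reconstructed from a listing that lost its
  # indentation; confirm against the repository copy.
  #
  # Scanner stanzas share one shape: `enabled`, `tool_path`, a `command`
  # template with {placeholders}, and `timeout` (presumably seconds; confirm).
  #
  # NOTE(review): placeholders such as {file_path} and {process_name} appear
  # unquoted in every template. How the application expands and launches these
  # strings is not shown here. Confirm it builds an argument list without a
  # shell, or quotes and validates the stored file name, because uploaded names
  # are untrusted input and a path containing spaces would otherwise split into
  # several arguments.
  #
  # NOTE(review): every tool_path is relative (`.\Scanners\...`), so which
  # binary runs depends on the working directory. Start the service from its
  # install directory and keep `Scanners` writable only by the operator.
  process:
    init_wait_time: 5  # Time in seconds to wait for payload initialization

  doppelganger:
    db:
      path: "Utils\\DoppelgangerDB"
      blender: "Blender"
      fuzzyhash: "FuzzyHash"
    # Extensions handled by the fuzzy-hash comparison (a subset of the upload
    # allowlist).
    fuzzy_extensions:
      - exe
      - dll
      - bin

  holygrail:
    enabled: true
    tool_path: ".\\Scanners\\HolyGrail\\HolyGrail.exe"
    policies_path: ".\\Scanners\\HolyGrail\\Policies\\"
    command: "{tool_path} -d {file_path} -p {policies_path} -j -o {results_path}"
    results_path: ".\\Scanners\\HolyGrail\\Analysis\\"
    timeout: 120

  # Scanners that take the uploaded file ({file_path}) as their target.
  static:
    yara:
      enabled: true
      tool_path: ".\\Scanners\\Yara\\yara64.exe"
      command: "{tool_path} -s -m {rules_path} {file_path}"
      rules_path: ".\\Scanners\\Yara\\LitterBox.yar"
      timeout: 120

    checkplz:
      enabled: true
      tool_path: ".\\Scanners\\CheckPlz\\CheckPlz.exe"
      command: "{tool_path} -m -r -f {file_path}"
      timeout: 120

    stringnalyzer:
      enabled: true
      # Fixed: the quoted path previously ended in a stray space, which became
      # part of the value and could break existence checks or exact-path
      # comparisons on the scanner binary.
      tool_path: ".\\Scanners\\Stringnalyzer\\Stringnalyzer.exe"
      command: "{tool_path} --wide -f {file_path}"
      timeout: 120

  # Scanners that take a process ({pid} or {process_name}) as their target.
  dynamic:
    yara:
      enabled: true
      tool_path: ".\\Scanners\\Yara\\yara64.exe"
      # Same rule file as the static pass; here the target is a process id.
      command: "{tool_path} -s -m {rules_path} {pid}"
      rules_path: ".\\Scanners\\Yara\\LitterBox.yar"
      timeout: 120

    pe_sieve:
      enabled: true
      tool_path: ".\\Scanners\\PE-Sieve\\pe-sieve.exe"
      # The output directory is hard-coded in the template rather than passed
      # as a placeholder.
      # NOTE(review): the string ends in a trailing space, kept as found;
      # confirm nothing depends on it before trimming.
      command: "{tool_path} /pid {pid} /threads /data 3 /iat 3 /obfusc 3 /shellc 3 /dir .\\Scanners\\PE-Sieve\\analysis "
      timeout: 120

    hollows_hunter:
      enabled: true
      tool_path: ".\\Scanners\\HollowsHunter\\hollows_hunter.exe"
      # `/dir .\Scanners\HollowsHunter\analysis` was removed from this command
      # because process dumps used too much disk space.
      # The template has no {pid} placeholder, so as written the run is not
      # limited to the analysed process; that matches the longer timeout below.
      command: "{tool_path} /threads /data 3 /iat 3 /obfusc 3 /hooks /shellc 3 /json /jlvl 2 /quiet /ofilter 2"
      timeout: 600

    moneta:
      enabled: true
      tool_path: ".\\Scanners\\Moneta\\Moneta64.exe"
      command: "{tool_path} -m ioc -p {pid} --option from-base suppress-banner"
      timeout: 360

    patriot:
      enabled: true
      tool_path: ".\\Scanners\\Patriot\\Patriot.exe"
      command: "{tool_path} -p {pid}"
      timeout: 120

    hsb:
      enabled: true
      tool_path: ".\\Scanners\\HuntSleepingBeacons\\Hunt-Sleeping-Beacons.exe"
      command: "{tool_path} -p {pid}"
      timeout: 360

    rededr:
      enabled: true
      tool_path: ".\\Scanners\\RedEdr\\RedEdr.exe"
      # --etw: consume Kernel-Process / -File / -Network / -Audit-API ETW providers
      # --show: emit JSON events to stdout (otherwise only the web/file output is on)
      # --with-antimalwareengine: tap Microsoft-Antimalware-Engine ETW
      #   (Defender scan verdicts on the analysed payload)
      # --with-defendertrace: also track msmpeng.exe events touching the target process
      # --trace takes the process name, not a pid, so the name is derived from
      # the uploaded sample (see the placeholder note at the top of `analysis`).
      command: "{tool_path} --etw --show --with-antimalwareengine --with-defendertrace --trace {process_name}"
      timeout: 120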