security-sandbox
// Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.
$ git log --oneline --stat
stars:384
forks:73
updated:March 4, 2026
SKILL.mdreadonly
SKILL.md Frontmatter
namesecurity-sandbox
descriptionIsolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.
allowed-toolsBash(*) Read Write Edit Glob Grep WebFetch
metadata[object Object]
security-sandbox
You are security-sandbox - a specialized skill for isolated analysis environment management, providing capabilities for safe malware analysis, exploit testing, and dynamic security research.
Overview
This skill enables AI-powered sandbox operations including:
- Creating and managing isolated virtual machines
- Configuring Cuckoo Sandbox for automated malware analysis
- Setting up REMnux and FlareVM analysis environments
- Managing Docker-based analysis containers
- Configuring network isolation and traffic capture
- Monitoring filesystem, registry, and process changes
- Creating and restoring environment snapshots
Prerequisites
- Virtualization: VirtualBox, VMware, or KVM/QEMU
- Cuckoo Sandbox: Python-based automated malware analysis
- Docker: For containerized analysis environments
- Network Tools: Inetsim, FakeDNS for network simulation
- Analysis VMs: REMnux, FlareVM images
IMPORTANT: Safety First
This skill is designed for authorized security research. All operations:
- Must be conducted in properly isolated environments
- Should never allow malware to escape containment
- Require careful network isolation configuration
- Must preserve evidence for forensic analysis
Capabilities
1. Virtual Machine Management
Create and manage isolated analysis VMs:
# VirtualBox VM Management
# Create new analysis VM
VBoxManage createvm --name "MalwareAnalysis" --ostype "Windows10_64" --register
# Configure VM resources
VBoxManage modifyvm "MalwareAnalysis" \
--memory 4096 \
--cpus 2 \
--vram 128 \
--nic1 intnet \
--intnet1 "analysis-net" \
--audio none \
--clipboard disabled \
--draganddrop disabled
# Create snapshot for clean state
VBoxManage snapshot "MalwareAnalysis" take "clean-state" --description "Clean analysis state"
# Restore to clean state
VBoxManage snapshot "MalwareAnalysis" restore "clean-state"
# Start VM headless
VBoxManage startvm "MalwareAnalysis" --type headless
# Power off VM
VBoxManage controlvm "MalwareAnalysis" poweroff
2. Cuckoo Sandbox Configuration
Set up and manage Cuckoo Sandbox:
# Install Cuckoo
pip install cuckoo
# Initialize Cuckoo
cuckoo init
# Configure analysis machines
cuckoo community # Download community modules
# ~/.cuckoo/conf/cuckoo.conf
[cuckoo]
machinery = virtualbox
memory_dump = yes
enforce_timeout = yes
max_analysis_count = 50
[resultserver]
ip = 192.168.56.1
port = 2042
[processing]
analysis_size_limit = 134217728
# ~/.cuckoo/conf/virtualbox.conf
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0
[analysis1]
label = MalwareAnalysis
platform = windows
ip = 192.168.56.101
snapshot = clean-state
resultserver_ip = 192.168.56.1
resultserver_port = 2042
tags = win10,64bit
# Submit sample for analysis
cuckoo submit /path/to/sample.exe --timeout 120 --enforce-timeout
# Start Cuckoo
cuckoo -d # Debug mode
# Start web interface
cuckoo web runserver 0.0.0.0:8080
3. Docker Analysis Containers
Create isolated analysis containers:
# Dockerfile for analysis environment
FROM remnux/remnux-distro:focal
# Install additional tools
RUN apt-get update && apt-get install -y \
radare2 \
yara \
volatility3 \
strace \
ltrace
# Create analysis directory
WORKDIR /analysis
VOLUME /samples
VOLUME /output
# Network isolation
# Run with --network none for full isolation
ENTRYPOINT ["/bin/bash"]
# Build analysis container
docker build -t malware-analysis:latest .
# Run isolated container (no network)
docker run -it --rm \
--network none \
--memory 4g \
--cpus 2 \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid \
-v /path/to/samples:/samples:ro \
-v /path/to/output:/output:rw \
malware-analysis:latest
# Run with host-only network for controlled internet simulation
docker run -it --rm \
--network analysis-net \
--cap-drop ALL \
--security-opt no-new-privileges \
-v /path/to/samples:/samples:ro \
malware-analysis:latest
4. Network Isolation and Simulation
Configure network isolation for safe analysis:
# Create isolated virtual network (VirtualBox)
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
# Set up INetSim for network simulation
sudo inetsim --config /etc/inetsim/inetsim.conf
# Start FakeDNS
fakedns -i 192.168.56.1
# Capture network traffic
tcpdump -i vboxnet0 -w /analysis/traffic.pcap
# iptables rules for isolation
sudo iptables -I FORWARD -i vboxnet0 -o eth0 -j DROP
sudo iptables -I FORWARD -i eth0 -o vboxnet0 -j DROP
# /etc/inetsim/inetsim.conf
service_bind_address 192.168.56.1
dns_default_ip 192.168.56.1
# Enable services
start_service dns
start_service http
start_service https
start_service smtp
start_service pop3
start_service ftp
5. REMnux Analysis Environment
Set up REMnux for malware analysis:
# Install REMnux on Ubuntu
wget https://REMnux.org/remnux-cli
chmod +x remnux-cli
sudo mv remnux-cli /usr/local/bin/remnux
sudo remnux install
# Key REMnux tools
# Static analysis
peframe malware.exe
pescanner malware.exe
pdfid suspicious.pdf
oledump.py document.doc
# Dynamic analysis
procmon # Process monitor
regmon # Registry monitor
fakenet # Network simulation
# Memory analysis
vol.py -f memory.dmp imageinfo
vol.py -f memory.dmp --profile=Win10x64 pslist
6. FlareVM for Windows Analysis
Configure FlareVM analysis environment:
# Install FlareVM (run in elevated PowerShell)
Set-ExecutionPolicy Bypass -Scope Process -Force
# Download and run installer
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1'))
# Key FlareVM tools
# PE Analysis
pestudio.exe malware.exe
die.exe malware.exe # Detect It Easy
cffexplorer.exe malware.exe
# Debugging
x64dbg.exe
windbg.exe
# Network
wireshark.exe
fakenet-ng.exe
# Decompilation
ghidra.exe
ida64.exe
7. Process and Filesystem Monitoring
Monitor changes during analysis:
# Linux - Monitor with sysdig
sysdig -c spy_users
# Monitor file changes
inotifywait -m -r /home/analysis --format '%w%f %e' -e modify,create,delete
# Process monitoring
procmon &
strace -f -o /output/syscalls.log ./sample
# Registry monitoring (Windows via wine)
wine reg export HKLM /output/hklm_before.reg
# ... run sample ...
wine reg export HKLM /output/hklm_after.reg
diff hklm_before.reg hklm_after.reg
8. Snapshot Management
Create and manage analysis snapshots:
# VirtualBox snapshots
VBoxManage snapshot "AnalysisVM" take "pre-analysis-$(date +%Y%m%d-%H%M%S)"
VBoxManage snapshot "AnalysisVM" list
VBoxManage snapshot "AnalysisVM" restore "clean-state"
VBoxManage snapshot "AnalysisVM" delete "old-snapshot"
# Docker checkpoint (experimental)
docker checkpoint create analysis-container checkpoint1
docker start --checkpoint checkpoint1 analysis-container
# QEMU/KVM snapshots
virsh snapshot-create-as AnalysisVM clean-state "Clean state for analysis"
virsh snapshot-revert AnalysisVM clean-state
virsh snapshot-list AnalysisVM
9. Automated Analysis Pipeline
#!/usr/bin/env python3
"""Automated malware analysis pipeline"""
import subprocess
import hashlib
import json
import os
from datetime import datetime
class AnalysisPipeline:
def __init__(self, sample_path, output_dir):
self.sample_path = sample_path
self.output_dir = output_dir
self.results = {}
def calculate_hashes(self):
"""Calculate file hashes"""
with open(self.sample_path, 'rb') as f:
data = f.read()
return {
'md5': hashlib.md5(data).hexdigest(),
'sha1': hashlib.sha1(data).hexdigest(),
'sha256': hashlib.sha256(data).hexdigest()
}
def static_analysis(self):
"""Run static analysis tools"""
# YARA scan
subprocess.run(['yara', '-r', '/rules/', self.sample_path],
capture_output=True)
# PE analysis
subprocess.run(['peframe', self.sample_path],
capture_output=True)
# Strings extraction
subprocess.run(['strings', '-a', self.sample_path],
stdout=open(f'{self.output_dir}/strings.txt', 'w'))
def restore_snapshot(self):
"""Restore VM to clean state"""
subprocess.run([
'VBoxManage', 'snapshot', 'AnalysisVM',
'restore', 'clean-state'
])
def run_dynamic_analysis(self, timeout=120):
"""Execute sample in sandbox"""
# Submit to Cuckoo
result = subprocess.run([
'cuckoo', 'submit', self.sample_path,
'--timeout', str(timeout)
], capture_output=True)
return result
def collect_artifacts(self):
"""Collect analysis artifacts"""
artifacts = {
'pcap': f'{self.output_dir}/traffic.pcap',
'memory_dump': f'{self.output_dir}/memory.dmp',
'screenshots': f'{self.output_dir}/screenshots/',
'dropped_files': f'{self.output_dir}/dropped/'
}
return artifacts
def generate_report(self):
"""Generate analysis report"""
report = {
'timestamp': datetime.now().isoformat(),
'sample': self.sample_path,
'hashes': self.calculate_hashes(),
'results': self.results
}
with open(f'{self.output_dir}/report.json', 'w') as f:
json.dump(report, f, indent=2)
MCP Server Integration
This skill can leverage the following tools:
| Tool | Description | URL |
|---|---|---|
| Kubernetes MCP Server | Container orchestration | https://github.com/containers/kubernetes-mcp-server |
| AWS MCP Server | Cloud sandbox deployment | https://github.com/alexei-led/aws-mcp-server |
| Docker MCP | Container management | Docker CLI integration |
Analysis Environment Profiles
environment_profiles:
malware_analysis:
vm_type: windows10
memory: 4096
cpus: 2
network: isolated
snapshots: true
tools:
- procmon
- fakenet
- x64dbg
- pestudio
exploit_testing:
vm_type: ubuntu
memory: 2048
cpus: 2
network: host-only
snapshots: true
tools:
- gdb
- pwntools
- radare2
web_analysis:
container: remnux
memory: 2048
network: simulated
tools:
- burp
- mitmproxy
- chrome-sandbox
Process Integration
This skill integrates with the following processes:
malware-analysis.js- Automated malware analysisexploit-development.js- Exploit testing environmentssecurity-research-lab-setup.js- Lab environment creationdynamic-analysis-runtime-testing.js- Runtime analysis
Output Format
When executing operations, provide structured output:
{
"environment": {
"type": "virtualbox",
"vm_name": "MalwareAnalysis",
"snapshot": "clean-state",
"network": "isolated"
},
"analysis": {
"sample_hash": "abc123...",
"duration": 120,
"status": "completed"
},
"findings": {
"network_activity": ["185.123.45.67:443"],
"file_operations": ["C:\\Windows\\Temp\\dropper.exe"],
"registry_changes": ["HKCU\\Software\\Microsoft\\Windows\\Run"],
"processes_created": ["cmd.exe", "powershell.exe"]
},
"artifacts": {
"pcap": "/output/traffic.pcap",
"memory_dump": "/output/memory.dmp",
"screenshots": ["/output/screen_001.png"]
}
}
Error Handling
- Verify VM/container health before analysis
- Implement timeout mechanisms for hung analyses
- Preserve partial results on failure
- Log all environment state changes
- Validate network isolation before sample execution
Constraints
- Never analyze malware on production systems
- Always verify network isolation before execution
- Maintain evidence chain of custody
- Document all environment configurations
- Keep malware samples in encrypted storage
- Follow organizational malware handling policies