APT-Hunter is unmaintained and breaks on modern dependency versions. Workarounds:
- Pin ubuntu:22.04 (Python 3.10) — base for venv install.
- Pin netaddr<1.0 — 1.x removed IPAddress.is_private().
- Add flatten_json (missing from upstream requirements.txt).
- Patch EvtxDetection.py via sed: strip ' UTC' suffix from timestamps before parse() since dateutil rejects 'Z UTC' (Microsoft EVTX bug).

start.sh: pre-mkdir the nested output/ dir APT-Hunter expects.
test_smoke.sh: glob the actually-produced /output/apthunter_<ts>/output/ nested layout.
Default SUBSET=DeepBlueCLI documented; YamatoSecurity is a working alternative and avoids the few corpora that hit other parser bugs.
Validated end-to-end on amd64 Linux: 5/5 PASS on YamatoSecurity (16 EVTX), 1753 detections, 24K xlsx + 84K TimeSketch CSV produced.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
APT-Hunter Docker Container
This Docker container provides an environment to run APT-Hunter, a tool for hunting Advanced Persistent Threat (APT) activity in Windows Event Logs (EVTX). The image is based on Ubuntu 22.04 (Python 3.10) and bundles everything the tool needs, including pinned versions of the required Python libraries: upstream APT-Hunter is unmaintained and breaks on current dependency releases, so the pins are what keep it running.
Usage
To run the container, mount a directory containing your Windows Event Log files (.evtx) at /data. Mount it read-only (:ro) so the tool cannot alter the evidence. Optionally, mount a writeable directory at /output to receive the report; each run is written to a timestamped subdirectory of the form /output/apthunter_<ts>/output/.
# Example: Mounting the Windows Log files to /data
docker run -it --rm -v /path/to/logfiles:/data tabledevil/apthunter
# Example: Mounting both the Windows Log files to /data and the report output to /output
docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/apthunter
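The two docker run invocations above depend on the container's entrypoint verifying the mounts before a hunt starts. The following script is an added example written for this page, not the project's start.sh: it re-implements that pre-flight check (is /data mounted and does it actually contain .evtx files; is /output a directory we can really write into, not just one that [ -w ] approves of), creates the nested run directory layout, and only then invokes the tool. The return codes, the APTHUNTER_PY location, the use of the run directory as the working directory and the -o project name are assumptions.

```shell
#!/bin/sh
# Added example for this page: a pre-flight check in the spirit of the
# container's start.sh, re-implemented for illustration. Not the project's
# own script. Return codes, APTHUNTER_PY and the -o name are assumptions.

# check_mounts DATA OUT
#   0: DATA holds at least one .evtx file and OUT is a writeable directory
#   1: DATA is not a directory (nothing was mounted at /data)
#   2: DATA contains no .evtx files
#   3: OUT is not a directory we can write into
check_mounts() {
    data="$1"; out="$2"
    if [ ! -d "$data" ]; then
        echo "error: $data is not a directory; mount the logs with -v /path/to/logfiles:/data:ro" >&2
        return 1
    fi
    # find covers nested directories and upper-case extensions; head stops at the first hit
    if [ -z "$(find "$data" -type f -iname '*.evtx' 2>/dev/null | head -n 1)" ]; then
        echo "error: no .evtx files found under $data" >&2
        return 2
    fi
    # A real write probe instead of [ -w ]: a read-only bind mount of an
    # otherwise writeable directory fails here as well.
    if [ ! -d "$out" ] || ! ( : > "$out/.write_probe" ) 2>/dev/null; then
        echo "error: $out is not a writeable directory; mount it with -v /path/for/report:/output" >&2
        return 3
    fi
    rm -f "$out/.write_probe"
    return 0
}

# prepare_run_dir OUT
#   Creates OUT/apthunter_<ts>/output/ (the nested layout the tool writes
#   into) and prints the run directory path.
prepare_run_dir() {
    out="$1"
    ts="$(date -u +%Y%m%d_%H%M%S)"
    run="$out/apthunter_$ts"
    mkdir -p "$run/output"
    printf '%s\n' "$run"
}

# run_hunt DATA OUT [extra APT-Hunter args]
#   Assumed invocation: APT-Hunter lives at $APTHUNTER_PY and is run with the
#   run directory as its working directory, so its relative output/ path
#   resolves inside the mounted /output.
run_hunt() {
    data="$1"; out="$2"; shift 2
    check_mounts "$data" "$out" || return $?
    run="$(prepare_run_dir "$out")"
    (cd "$run" && python3 "${APTHUNTER_PY:-/opt/APT-Hunter/APT-Hunter.py}" \
        -p "$data" -o report -allreport "$@")
}

# Act as an entrypoint only when given arguments; running or sourcing the
# file without arguments just defines the functions.
if [ "$#" -ge 2 ]; then
    run_hunt "$@"
fi
```

Invoked as `sh preflight.sh /data /output`, the script refuses to run a hunt on an empty or missing /data mount and on an /output that cannot be written, which is the failure an operator otherwise discovers only after the tool has spent minutes parsing logs.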
Once the container starts, start.sh checks that /data has been mounted and that a writeable directory has been mounted at /output. If both conditions are met, it creates the timestamped run directory together with the nested output/ directory that APT-Hunter expects, runs the tool, and the report is saved under that location; otherwise the hunt is not run.

Program Usage
The APT-Hunter tool provides several options to configure the hunting process. You can view the available options by running the following command:
python3 APT-Hunter.py -h
The following examples show how the tool can be invoked. Inside this container the mounted logs live at /data, so use -p /data in place of /opt/wineventlogs/:
# Hunting all events in the Windows Log files
python3 APT-Hunter.py -p /opt/wineventlogs/ -o Project1 -allreport
# Hunting events in a specific time frame
python3 APT-Hunter.py -p /opt/wineventlogs/ -o Project1 -allreport -start 2022-04-03 -end 2022-04-05T20:56
# Hunting using a string or regex
python3 APT-Hunter.py -hunt "psexec" -p /opt/wineventlogs/ -o Project2
# Hunting using a file containing a list of regex
python3 APT-Hunter.py -huntfile "huntfile.txt" -p /opt/wineventlogs/ -o Project2
For more information about using APT-Hunter, refer to the tool's GitHub repository.