APT-Hunter is unmaintained and breaks on modern dependency versions.
Workarounds:
- Pin ubuntu:22.04 (Python 3.10) — base for venv install.
- Pin netaddr<1.0 — 1.x removed IPAddress.is_private().
- Add flatten_json (missing from upstream requirements.txt).
- Patch EvtxDetection.py via sed: strip ' UTC' suffix from timestamps
before parse() since dateutil rejects 'Z UTC' (Microsoft EVTX bug).
start.sh: pre-mkdir the nested output/ dir APT-Hunter expects.
test_smoke.sh: glob the actually-produced /output/apthunter_<ts>/output/
nested layout. Default SUBSET=DeepBlueCLI documented; YamatoSecurity is a
working alternative and avoids the few corpora that hit other parser bugs.
Validated end-to-end on amd64 Linux: 5/5 PASS on YamatoSecurity (16 EVTX),
1753 detections, 24K xlsx + 84K TimeSketch CSV produced.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
tabledevil