APT-Hunter Docker Container
This Docker container provides an environment to run APT-Hunter, a tool for hunting Advanced Persistent Threats (APT) in Windows Event Logs. The container is based on an Ubuntu image and includes all necessary dependencies to run the tool, including Python3 and the required libraries.
Usage
To run the APT-Hunter Docker container, you need to mount a directory containing your Windows Event Log files (.evtx) to /data. Additionally, you may mount a directory to /output if you wish to specify a location for the report generated by APT-Hunter.
# Example: Mounting the Windows Log files to /data
docker run -it --rm -v /path/to/logfiles:/data tabledevil/apthunter
# Example: Mounting both the Windows Log files to /data and the report output to /output
docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/apthunter
Once the container starts, the start.sh script automatically checks whether a directory has been mounted at /data and whether a writable directory has been mounted at /output. If these conditions are met, APT-Hunter is executed and the report is saved to the specified output location.
Program Usage
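The following script is an added illustration of the mount checks described above and of the docker run usage in the previous section; it is not the container's own start.sh. It assumes that APT-Hunter.py is installed under the directory named by APTHUNTER_DIR and that APT-Hunter writes its report files into the current working directory; the function names check_data_dir, check_output_dir and main are this example's own.

```shell
#!/bin/sh
# Added illustration of the mount checks described above; not the container's
# own start.sh. Assumed: APT-Hunter.py lives under $APTHUNTER_DIR and writes its
# report files into the current working directory.
APTHUNTER_DIR="${APTHUNTER_DIR:-/opt/APT-Hunter}"   # assumed install path

# /data must be a directory holding at least one .evtx file. An empty bind mount
# usually means the host path was mistyped, so fail early instead of producing
# an empty report.
check_data_dir() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "ERROR: $dir is not a directory; mount your logs with -v /path/to/logfiles:$dir" >&2
    return 1
  fi
  n=$(find "$dir" -type f -iname '*.evtx' | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then
    echo "ERROR: no .evtx files found under $dir" >&2
    return 1
  fi
  return 0
}

# /output must be a directory we can actually write to. A probe file is created
# and removed because [ -w ] alone does not reliably detect :ro mounts or
# root-squashed volumes.
check_output_dir() {
  dir="$1"
  [ -d "$dir" ] || return 1
  probe="$dir/.apthunter_write_probe.$$"
  if ( : > "$probe" ) 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# Run the full report against the mounted logs. Any arguments after the first
# three (for example -start/-end) are passed straight through to APT-Hunter.
main() {
  data="${1:-/data}"; out="${2:-/output}"; project="${3:-Project1}"
  if [ "$#" -ge 3 ]; then shift 3; else set --; fi
  check_data_dir "$data" || exit 1
  if check_output_dir "$out"; then
    cd "$out"
  else
    echo "WARN: $out is not a writable mount; the report will stay inside the container" >&2
  fi
  exec python3 "$APTHUNTER_DIR/APT-Hunter.py" -p "$data" -o "$project" -allreport "$@"
}

# Only start hunting when explicitly asked, e.g.:
#   sh start.sh run /data /output Project1 -start 2022-04-03 -end 2022-04-05T20:56
if [ "${1:-}" = "run" ]; then
  shift
  main "$@"
fi
```

The write probe is the part worth copying: a container started with -v /path/for/report:/output:ro passes a plain directory test but fails here, so the warning fires before an hour-long hunt runs with nowhere to put its report.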
The APT-Hunter tool provides several options to configure the hunting process. You can view the available options by running the following command:
python3 APT-Hunter.py -h
The following are some examples of how the APT-Hunter tool can be used:
# Hunting all events in the Windows Log files
python3 APT-Hunter.py -p /opt/wineventlogs/ -o Project1 -allreport
# Hunting events in a specific time frame
python3 APT-Hunter.py -p /opt/wineventlogs/ -o Project1 -allreport -start 2022-04-03 -end 2022-04-05T20:56
# Hunting using a string or regex
python3 APT-Hunter.py -hunt "psexec" -p /opt/wineventlogs/ -o Project2
# Hunting using a file containing a list of regex
python3 APT-Hunter.py -huntfile "huntfile.txt" -p /opt/wineventlogs/ -o Project2
For more information about using APT-Hunter, refer to the tool's GitHub repository.