7ad1cc8465
APT-Hunter is unmaintained and breaks on modern dependency versions. Workarounds:
- Pin ubuntu:22.04 (Python 3.10) — base for venv install.
- Pin netaddr<1.0 — 1.x removed IPAddress.is_private().
- Add flatten_json (missing from upstream requirements.txt).
- Patch EvtxDetection.py via sed: strip ' UTC' suffix from timestamps before parse() since dateutil rejects 'Z UTC' (Microsoft EVTX bug).

start.sh: pre-mkdir the nested output/ dir APT-Hunter expects.
test_smoke.sh: glob the actually-produced /output/apthunter_<ts>/output/ nested layout.
Default SUBSET=DeepBlueCLI documented; YamatoSecurity is a working alternative and avoids the few corpora that hit other parser bugs.

Validated end-to-end on amd64 Linux: 5/5 PASS on YamatoSecurity (16 EVTX), 1753 detections, 24K xlsx + 84K TimeSketch CSV produced.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
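The timestamp workaround in the commit message (strip the ' UTC' suffix that Microsoft appends to EVTX SystemTime values before parsing) is easy to get wrong when the same field also carries a trailing 'Z' or a 100 ns fraction. The following is an added example, not code from APT-Hunter or from this commit: it implements the same normalization with only the standard library instead of dateutil, and the sample timestamp strings, the function name `normalize_evtx_timestamp`, and the 7-digit fraction case are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample values (not taken from any APT-Hunter run). The first one
# is the 'Z UTC' form the commit message says dateutil rejects.
SAMPLE_TIMESTAMPS = [
    "2021-03-18T19:40:38.459999Z UTC",   # Microsoft EVTX quirk: 'Z' plus ' UTC'
    "2021-03-18T19:40:38.4599991Z",      # 7-digit (100 ns FILETIME) fraction
    "2021-03-18 19:40:38 UTC",           # space separator, no 'Z'
    "2021-03-18T19:40:38+02:00",         # explicit offset, left untouched
]

_FRACTION = re.compile(r"\.(\d+)")


def normalize_evtx_timestamp(raw):
    """Return a timezone-aware datetime for an EVTX SystemTime string.

    Steps mirror the sed workaround: drop a trailing ' UTC', then make the rest
    something datetime.fromisoformat() accepts on Python 3.10 (map 'Z' to
    '+00:00', force the fraction to exactly six digits, use 'T' as separator).
    A value with no offset at all is assumed to be UTC, as EVTX SystemTime is.
    """
    s = raw.strip()
    if s.endswith(" UTC"):
        s = s[:-4]
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    s = s.replace(" ", "T", 1)
    # Python 3.10 fromisoformat() only accepts 3- or 6-digit fractions; pad or
    # truncate to microseconds so 100 ns FILETIME fractions do not raise.
    m = _FRACTION.search(s)
    if m:
        frac = (m.group(1) + "000000")[:6]
        s = s[:m.start()] + "." + frac + s[m.end():]
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def normalize_all(raws):
    """Normalize a list of raw strings to ISO 8601 with explicit offsets."""
    return [normalize_evtx_timestamp(r).isoformat() for r in raws]


if __name__ == "__main__":
    for raw, iso in zip(SAMPLE_TIMESTAMPS, normalize_all(SAMPLE_TIMESTAMPS)):
        print(f"{raw!r:40} -> {iso}")
```

Because the output always carries an explicit offset, the values line up when they are later written to the TimeSketch CSV alongside events from other sources.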
10 lines
384 B
Bash
Executable File
#!/bin/bash
# Pull the upstream EVTX sample bundle (Yamato Security's curated bundle of
# DeepBlueCLI, EVTX-ATTACK-SAMPLES, EVTX-to-MITRE-Attack, plus their own).
set -e
cd "$(dirname "$0")"
mkdir -p test-data
# Shallow clone once; re-running the script is a no-op if the checkout exists.
[ -d test-data/sample-evtx ] || \
git clone --depth=1 https://github.com/Yamato-Security/hayabusa-sample-evtx.git test-data/sample-evtx
echo "ready: test-data/sample-evtx"