irt/docker_apthunter
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
7ad1cc84656c28486c0f35145eda2b805178b685
docker_apthunter/start.sh
T
tabledevil 7ad1cc8465 Pin ubuntu:22.04, work around upstream rot, smoke test 
APT-Hunter is unmaintained and breaks on modern dependency versions.
Workarounds:
- Pin ubuntu:22.04 (Python 3.10) — base for venv install.
- Pin netaddr<1.0 — 1.x removed IPAddress.is_private().
- Add flatten_json (missing from upstream requirements.txt).
- Patch EvtxDetection.py via sed: strip ' UTC' suffix from timestamps
  before parse() since dateutil rejects 'Z UTC' (Microsoft EVTX bug).

start.sh: pre-mkdir the nested output/ dir APT-Hunter expects.
test_smoke.sh: glob the actually-produced /output/apthunter_<ts>/output/
nested layout. Default SUBSET=DeepBlueCLI documented; YamatoSecurity is a
working alternative and avoids the few corpora that hit other parser bugs.

Validated end-to-end on amd64 Linux: 5/5 PASS on YamatoSecurity (16 EVTX),
1753 detections, 24K xlsx + 84K TimeSketch CSV produced.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 19:20:19 +02:00

45 lines
1.6 KiB
Bash
Raw Blame History

#!/bin/bash
#check if folder was mounted under /data
if [[ ! -d /data ]] ; then
echo "[!] No Folder was mounted to /data"
echo "[=] Make sure a folder containig the Windows Logs (evtx) is mounted. Example:"
echo "[=]"
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/apthunter"
exit 1
fi
#check which destination is writeable /data or /output
if [[ ! -f /output/notmounted ]] && [[ -w /output ]] ; then
echo "[!] Output folder was mounted and is writeable"
echo "[>] Using /output as destination for report"
output="/output"
else
if [[ -w /data ]] ; then
echo "[!] Mounted folder /data can be written"
echo "[>] Using /data as destination for report"
output="/data"
else
echo "[!] No writeable output folder available"
echo "[=] Make sure either the folder mounted under /data is writable ..."
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/apthunter"
echo "[=] ... or mount a writable folder to /output"
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/apthunter"
exit 1
fi
fi
#base command for apthunter (uses the venv pip-installed deps)
cmd=(/opt/apthunter/bin/python /APT-Hunter/APT-Hunter.py -p /data)
#set output-destination — APT-Hunter creates a subdir 'output/' under -o,
#and refuses to create the parent. Pre-mkdir.
output="${output}/apthunter_$(date +%s)"
mkdir -p "${output}/output"
echo "output is goint to : ${output}"
cmd+=(-o "${output}")
#run the apthunter command
"${cmd[@]}"
Reference in New Issue View Git Blame Copy Permalink