Skip to content
Venator is a python tool used to gather data for proactive detection of malicious activity on macOS devices.
Branch: master
Clone or download
Latest commit a1b6286 May 31, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
images Add files via upload Jun 1, 2019
.DS_Store Additional changes to fields and README. Apr 1, 2019
LICENSE Create LICENSE Apr 24, 2019
README.md Update README.md Jun 1, 2019
Venator.py Fix for issue #14 May 16, 2019

README.md

Venator is a python tool used for gathering data for the purpose of proactive macOS detection. Support for High Sierra & Mojave using native macOS python version (2.7.x). Happy Hunting!

Accompanying blog post: https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56

*You may need to specify /usr/bin/python at command line instead of "python." if you have alternative versions of python installed.

*Of note, S3 funtionality will be part of a upcoming release.

The script needs root permissions to run, or else you will get the error message below.

Below are the Venator modules and the data each module contains. Once the script is complete, you will be provide a JSON file for futher analysis/ingestion into a SIEM solution. You can search for data by module in the following way within the JSON file: module:<name of module>

system_info:

  • hostname
  • kernel
  • kernel_release

launch_agents:

  • label
  • program
  • program_arguments
  • signing_info
  • hash
  • executable
  • plist_hash
  • path
  • runAtLoad
  • hostname

launch_daemons:

  • label
  • program
  • program_arguments
  • signing_info
  • hash
  • executable
  • plist_hash
  • path
  • runAtLoad
  • hostname

users:

  • users
  • hostname

safari_extensions:

  • extension name
  • apple_signed
  • developer_identifier
  • extension_path
  • hostname

chrome_extensions:

  • extension_directory_name
  • extension_update_url
  • extension_name
  • hostname

firefox_extensions:

  • extension_id
  • extension_update_url
  • extension_options_url
  • extension_install_date
  • extension_last_updated
  • extension_source_uri
  • extension_name
  • extension_description
  • extension_creator
  • extension_homepage_url
  • hostname

install_history:

  • install_date
  • display_name
  • package_identifier
  • hostname

cron_jobs:

  • user
  • crontab
  • hostname

emond_rules:

  • rule
  • path
  • hostname

environment_variables:

  • hostname
  • variable:value

periodic_scripts:

  • hostname
  • periodic_script:"content of script"

current_connections:

  • process_name
  • process_id
  • user
  • TCP_UDP
  • connection_flow
  • hostname

sip_status:

  • sip_status
  • hostname

gatekeeper_status:

  • gatekeeper_status
  • hostname

login_items:

  • hostname
  • application
  • executable
  • application_hash
  • signature

applications:

  • hostname
  • application
  • executable
  • application_hash
  • signature

event_taps:

  • eventTapID
  • tapping_process_id
  • tapping_process_name
  • tapped_process_id
  • enabled
  • hostname

bash_history:

  • user
  • bash_commands
  • hostname

shell_startup:

  • user
  • hostname
  • shell_startup_filename
  • shell_startup_data
You can’t perform that action at this time.