Skip to content
This repository has been archived by the owner on Jul 1, 2020. It is now read-only.
/ Venator Public archive

[⛔️ Deprecated] Venator is a python tool used to gather data for proactive detection of malicious activity on macOS devices.

License

Notifications You must be signed in to change notification settings

richiercyrus/Venator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

99 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Venator is no longer supported/maintained, please consider using Venator-Swift instead.

Venator is a python tool used for gathering data for the purpose of proactive macOS detection. Support for High Sierra & Mojave using native macOS python version (2.7.x). Happy Hunting!

Accompanying blog post: https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56

*You may need to specify /usr/bin/python at command line instead of "python." if you have alternative versions of python installed.

S3 upload functionality is live: python Venator.py -a <BUCKET_NAME>:<AWS_KEY_ID>:<AWS_KEY_SECRET>:<AWS_REGION>

The script needs root permissions to run, or else you will get the error message below.

Below are the Venator modules and the data each module contains. Once the script is complete, you will be provide a JSON file for futher analysis/ingestion into a SIEM solution. You can search for data by module in the following way within the JSON file: module:<name of module>

system_info:

  • hostname
  • kernel
  • kernel_release

launch_agents:

  • label
  • program
  • program_arguments
  • signing_info
  • hash
  • executable
  • plist_hash
  • path
  • runAtLoad
  • hostname

launch_daemons:

  • label
  • program
  • program_arguments
  • signing_info
  • hash
  • executable
  • plist_hash
  • path
  • runAtLoad
  • hostname

users:

  • users
  • hostname

safari_extensions:

  • extension name
  • apple_signed
  • developer_identifier
  • extension_path
  • hostname

chrome_extensions:

  • extension_directory_name
  • extension_update_url
  • extension_name
  • hostname

chrome_downloads:

  • hash
  • opened
  • start_time
  • current_path
  • target_path
  • state
  • tab_url
  • tab_referrer_url
  • site_url
  • referrer
  • mime_type
  • original_mime_type
  • total_bytes
  • danger_type
  • by_ext_id
  • by_ext_name

firefox_extensions:

  • extension_id
  • extension_update_url
  • extension_options_url
  • extension_install_date
  • extension_last_updated
  • extension_source_uri
  • extension_name
  • extension_description
  • extension_creator
  • extension_homepage_url
  • hostname

install_history:

  • install_date
  • display_name
  • package_identifier
  • hostname

cron_jobs:

  • user
  • crontab
  • hostname

emond_rules:

  • rule
  • path
  • hostname

environment_variables:

  • hostname
  • variable:value

periodic_scripts:

  • hostname
  • periodic_script:"content of script"

current_connections:

  • process_name
  • process_id
  • user
  • TCP_UDP
  • connection_flow
  • hostname

sip_status:

  • sip_status
  • hostname

gatekeeper_status:

  • gatekeeper_status
  • hostname

login_items:

  • hostname
  • application
  • executable
  • application_hash
  • signature

applications:

  • hostname
  • application
  • executable
  • application_hash
  • signature

event_taps:

  • eventTapID
  • tapping_process_id
  • tapping_process_name
  • tapped_process_id
  • enabled
  • hostname

bash_history:

  • user
  • bash_commands
  • hostname

shell_startup:

  • user
  • hostname
  • shell_startup_filename
  • shell_startup_data

If the script is run with the '-v' flag, then the hash will be sent to VirusTotal for comparison with their database. This uses their Public API but still requires the use of an API key. You can obtain one from their site, and include it in the Venator command line (or script if appropriate):

sudo VTKEY=<YOUR API KEY HERE> /usr/bin/python2.7 Venator.py -v

The calls to VirusTotal do add some running time due to public API key throttling.

When ran with this option a new stanza will appear where appropriate: virustotal_result, with possible values This file is OK., This file has no VirusTotal entry. or POSITIVE VT SCAN - See link_to_virustotal_entry.

About

[⛔️ Deprecated] Venator is a python tool used to gather data for proactive detection of malicious activity on macOS devices.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages