Venator

Venator 是一个用于主动检测并收集macOS数据的 python 工具，获得数据后供分析哪些是恶意活动，macOS几乎很少有类似的工具。使用原生 macOS python 版本(2.7. x)开发，支持 High Sierra 和 Mojave。

Venator安装使用

$ git clone https://github.com/richiercyrus/Venator.git
$ Venator.py -h

注意：该脚本需要root权限才能运行。

相关介绍：https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56

下面是 Venator 模块和每个模块包含的数据。一旦脚本运行结束将提供一个 JSON 文件，以便进一步分析。您可以通过以下方式在 JSON 文件中按模块搜索相关信息:

system_info:

hostname

kernel

kernel_release

launch_agents:

label

program

program_arguments

signing_info

hash

executable

plist_hash

path

runAtLoad

hostname

launch_daemons:

label

program

program_arguments

signing_info

hash

executable

plist_hash

path

runAtLoad

hostname

users:用户

users

hostname

safari_extensions:

extension name

apple_signed

developer_identifier

extension_path

hostname

chrome_extensions:

extension_directory_name

extension_update_url

extension_name

hostname

firefox_extensions:

extension_id

extension_update_url

extension_options_url

extension_install_date

extension_last_updated

extension_source_uri

extension_name

extension_description

extension_creator

extension_homepage_url

hostname

install_history:

install_date

display_name

package_identifier

hostname

cron_jobs:定时任务

user

crontab

hostname

emond_rules:

rule

path

hostname

environment_variables:

hostname

variable:value

periodic_scripts:

hostname

periodic_script:"content of script"

current_connections:

process_name

process_id

user

TCP_UDP

connection_flow

hostname

sip_status:

sip_status

hostname

gatekeeper_status:

gatekeeper_status

hostname

login_items:

hostname

application

executable

application_hash

signature

applications:

hostname

application

executable

application_hash

signature

event_taps:

eventTapID

tapping_process_id

tapping_process_name

tapped_process_id

enabled

hostname

bash_history:

user

bash_commands

hostname

shell_startup:

user

hostname

shell_startup_filename

shell_startup_data