Venator
Venator 是一个用于主动检测并收集macOS数据的 python 工具,获得数据后供分析哪些是恶意活动,macOS几乎很少有类似的工具。使用原生 macOS python 版本(2.7. x)开发,支持 High Sierra 和 Mojave。
Venator安装使用
$ git clone https://github.com/richiercyrus/Venator.git
$ Venator.py -h
注意:该脚本需要root权限才能运行。
相关介绍:https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56
下面是 Venator 模块和每个模块包含的数据。一旦脚本运行结束将提供一个 JSON 文件,以便进一步分析。您可以通过以下方式在 JSON 文件中按模块搜索相关信息:
system_info:
hostname
kernel
kernel_release
launch_agents:
label
program
program_arguments
signing_info
hash
executable
plist_hash
path
runAtLoad
hostname
launch_daemons:
label
program
program_arguments
signing_info
hash
executable
plist_hash
path
runAtLoad
hostname
users:用户
users
hostname
safari_extensions:
extension name
apple_signed
developer_identifier
extension_path
hostname
chrome_extensions:
extension_directory_name
extension_update_url
extension_name
hostname
firefox_extensions:
extension_id
extension_update_url
extension_options_url
extension_install_date
extension_last_updated
extension_source_uri
extension_name
extension_description
extension_creator
extension_homepage_url
hostname
install_history:
install_date
display_name
package_identifier
hostname
cron_jobs:定时任务
user
crontab
hostname
emond_rules:
rule
path
hostname
environment_variables:
hostname
variable:value
periodic_scripts:
hostname
periodic_script:"content of script"
current_connections:
process_name
process_id
user
TCP_UDP
connection_flow
hostname
sip_status:
sip_status
hostname
gatekeeper_status:
gatekeeper_status
hostname
login_items:
hostname
application
executable
application_hash
signature
applications:
hostname
application
executable
application_hash
signature
event_taps:
eventTapID
tapping_process_id
tapping_process_name
tapped_process_id
enabled
hostname
bash_history:
user
bash_commands
hostname
shell_startup:
user
hostname
shell_startup_filename
shell_startup_data