{"id":13764552,"url":"https://github.com/richiercyrus/Venator","last_synced_at":"2025-05-10T19:31:31.177Z","repository":{"id":152408354,"uuid":"167731829","full_name":"richiercyrus/Venator","owner":"richiercyrus","description":"[⛔️ Deprecated] Venator is a python tool used to gather data for proactive detection of malicious activity on macOS devices.","archived":true,"fork":false,"pushed_at":"2020-07-01T14:11:34.000Z","size":1621,"stargazers_count":176,"open_issues_count":1,"forks_count":30,"subscribers_count":10,"default_branch":"master","last_synced_at":"2024-11-17T00:33:41.019Z","etag":null,"topics":["deprecated","detection","macos","python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/richiercyrus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-01-26T19:48:30.000Z","updated_at":"2024-10-10T19:27:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"f709a3fe-024b-4e8b-b616-028b67c00835","html_url":"https://github.com/richiercyrus/Venator","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/richiercyrus%2FVenator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/richiercyrus%2FVenator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/richiercyrus%2FVenator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/richiercyrus%2FVenator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/richiercyrus","
download_url":"https://codeload.github.com/richiercyrus/Venator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253470925,"owners_count":21913760,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deprecated","detection","macos","python"],"created_at":"2024-08-03T16:00:22.659Z","updated_at":"2025-05-10T19:31:30.832Z","avatar_url":"https://github.com/richiercyrus.png","language":"Python","readme":"**Venator is no longer supported/maintained; please consider using [Venator-Swift](https://github.com/richiercyrus/Venator-Swift) instead.**\n\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://github.com/richiercyrus/Venator/blob/master/images/venator4%20copy.png\"\u003e\n\u003c/p\u003e\n\nVenator is a Python tool for gathering host data for proactive detection on macOS. It supports High Sierra \u0026 Mojave using the native macOS Python (2.7.x). Happy Hunting!\n\nAccompanying blog post: https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56\n\n
**You may need to specify `/usr/bin/python` on the command line instead of \"python\" if you have alternative versions of Python installed.**\n\n![](https://github.com/richiercyrus/Venator/blob/master/images/Screen%20Shot%202019-04-26%20at%203.51.35%20PM.png)\n\nS3 upload functionality is live: `python Venator.py -a \u003cBUCKET_NAME\u003e:\u003cAWS_KEY_ID\u003e:\u003cAWS_KEY_SECRET\u003e:\u003cAWS_REGION\u003e`. Note that arguments passed this way are visible to other local users in the process list and are recorded in your shell history, so use a key that is limited to writing to that bucket and rotate it afterwards.\n\n**The script needs root permissions to run, or else you will get the error message below.**\n![](https://github.com/richiercyrus/Venator/blob/development/images/Screen%20Shot%202019-03-30%20at%201.59.31%20PM.png)\n\n\n\n
Below are the Venator modules and the data each module contains. Once the script completes, you are provided with a JSON file for further analysis or ingestion into a SIEM. Within the JSON file you can search for data by module as follows:\n`module:\u003cname of module\u003e`\n\n`system_info`:\n* hostname\n* kernel\n* kernel_release\n\n`launch_agents`:\n* label\n* program\n* program_arguments\n* signing_info\n* hash\n* executable\n* plist_hash\n* path\n* runAtLoad\n* hostname\n\n`launch_daemons`:\n* label\n* program\n* program_arguments\n* signing_info\n* hash\n* executable\n* plist_hash\n* path\n* runAtLoad\n* hostname\n\n`users`:\n* users\n* hostname\n\n`safari_extensions`:\n* extension name\n* apple_signed\n* developer_identifier\n* extension_path\n* hostname\n\n`chrome_extensions`:\n* extension_directory_name\n* extension_update_url\n* extension_name\n* hostname\n\n`chrome_downloads`:\n* hash\n* opened\n* start_time\n* current_path\n* target_path\n* state\n* tab_url\n* tab_referrer_url\n* site_url\n* referrer\n* mime_type\n* original_mime_type\n* total_bytes\n* danger_type\n* by_ext_id\n* by_ext_name\n\n`firefox_extensions`:\n* extension_id\n* extension_update_url\n* extension_options_url\n* extension_install_date\n* extension_last_updated\n* extension_source_uri\n* extension_name\n* extension_description\n* extension_creator\n* extension_homepage_url\n* hostname\n\n
`install_history`:\n* install_date\n* display_name\n* package_identifier\n* hostname\n\n`cron_jobs`:\n* user\n* crontab\n* hostname\n\n`emond_rules`:\n* rule\n* path\n* hostname\n\n`environment_variables`:\n* hostname\n* variable:value\n\n`periodic_scripts`:\n* hostname\n* periodic_script:\"content of script\"\n\n`current_connections`:\n* process_name\n* process_id\n* user\n* TCP_UDP\n* connection_flow\n* hostname\n\n`sip_status`:\n* sip_status\n* hostname\n\n`gatekeeper_status`:\n* gatekeeper_status\n* hostname\n\n`login_items`:\n* hostname\n* application\n* executable\n* application_hash\n* signature\n\n`applications`:\n* hostname\n* application\n* executable\n* application_hash\n* signature\n\n`event_taps`:\n* eventTapID\n* tapping_process_id\n* tapping_process_name\n* tapped_process_id\n* enabled\n* hostname\n\n`bash_history`:\n* user\n* bash_commands\n* hostname\n\n`shell_startup`:\n* user\n* hostname\n* shell_startup_filename\n* shell_startup_data\n\n
If the script is run with the '-v' flag, the collected hashes are sent to VirusTotal for comparison with their database. This uses their public API but still requires an API key. You can obtain one from their site and include it on the Venator command line (or in the script if appropriate):\n\n```text\nsudo VTKEY=\u003cYOUR API KEY HERE\u003e /usr/bin/python2.7 Venator.py -v\n```\n\nThe calls to VirusTotal add some running time because of public API key throttling.\n\nWhen run with this option, a new field `virustotal_result` appears in each record where appropriate, with the possible values ```This file is OK.```, ```This file has no VirusTotal entry.``` or ```POSITIVE VT SCAN - See link_to_virustotal_entry```.\n","funding_links":[],"categories":["Digital Forensics / Incident Response (DFIR)"],"sub_categories":["[venator](https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56)"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frichiercyrus%2FVenator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frichiercyrus%2FVenator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frichiercyrus%2FVenator/lists"}
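The README above lists each module's fields and says the output is a JSON file searchable by `module:<name>`, with `virustotal_result` added under `-v`, but stops short of showing what to do with that file. The following is an added example, not code from the Venator project, of loading that output offline and running a few triage rules over the `launch_agents`, `launch_daemons`, `login_items`, `sip_status` and `gatekeeper_status` records. It assumes, since the page does not say, that the file is either a JSON array or one JSON object per line and that each record carries a `module` key; that an empty `signing_info`/`signature` means unsigned; that `runAtLoad` may be a bool or a string; and that the SIP and Gatekeeper status strings contain the word "disabled" when those protections are off. The sample records are constructed here. It runs under Python 3 on the analysis host; only the collector itself needs the macOS system Python 2.7.

```python
"""Offline triage of Venator JSON output (added example, not part of Venator).

Assumptions not stated on the page: the output is a JSON array or newline-
delimited JSON; every record has a "module" key; an empty signing_info or
signature field means the binary is unsigned; runAtLoad may be bool or str.
"""
import json
import re
import sys

# Locations where a runAtLoad persistence binary is unusual (assumption).
SUSPICIOUS_PATH = re.compile(
    r"^/(private/)?(tmp|var/tmp)/|^/Users/Shared/|^/Users/[^/]+/(Downloads|Library/Caches)/"
)

# Constructed sample output: six records, one real-looking persistence item
# and one that should trip several rules.
SAMPLE_RECORDS = [
    {"module": "system_info", "hostname": "mbp-01", "kernel": "Darwin", "kernel_release": "18.7.0"},
    {"module": "launch_daemons", "hostname": "mbp-01", "label": "com.apple.foo",
     "program": "/usr/libexec/foo", "program_arguments": ["/usr/libexec/foo"],
     "signing_info": "Software Signing, Apple Root CA", "hash": "aa" * 32,
     "executable": "/usr/libexec/foo", "plist_hash": "bb" * 32,
     "path": "/System/Library/LaunchDaemons/com.apple.foo.plist", "runAtLoad": True},
    {"module": "launch_agents", "hostname": "mbp-01", "label": "com.update.helper",
     "program": "", "program_arguments": ["/Users/Shared/.helper/update", "-d"],
     "signing_info": "", "hash": "cc" * 32, "executable": "/Users/Shared/.helper/update",
     "plist_hash": "dd" * 32,
     "path": "/Users/alice/Library/LaunchAgents/com.update.helper.plist", "runAtLoad": "true",
     "virustotal_result": "POSITIVE VT SCAN - See link_to_virustotal_entry"},
    {"module": "login_items", "hostname": "mbp-01", "application": "Dropbox",
     "executable": "/Applications/Dropbox.app/Contents/MacOS/Dropbox",
     "application_hash": "ee" * 32, "signature": "Developer ID Application"},
    {"module": "gatekeeper_status", "hostname": "mbp-01", "gatekeeper_status": "assessments disabled"},
    {"module": "sip_status", "hostname": "mbp-01",
     "sip_status": "System Integrity Protection status: enabled."},
]
SAMPLE_OUTPUT_NDJSON = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)
SAMPLE_OUTPUT_ARRAY = json.dumps(SAMPLE_RECORDS)


def load_venator(text):
    """Parse output given as a JSON array or as one JSON object per line."""
    text = text.strip()
    if text.startswith("["):
        records = json.loads(text)
    else:
        records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if isinstance(r, dict) and "module" in r]


def by_module(records):
    """Group records by module, the same view as `module:<name>` in a SIEM."""
    groups = {}
    for r in records:
        groups.setdefault(r["module"], []).append(r)
    return groups


def _truthy(value):
    # runAtLoad may be a bool or a string depending on how the plist was rendered.
    return value is True or str(value).lower() in ("true", "1", "yes")


def triage(records):
    """Return (module, hostname, reason, subject) tuples worth an analyst's time."""
    findings = []
    for r in records:
        mod, host = r["module"], r.get("hostname", "?")
        subject = r.get("label") or r.get("application") or r.get("path") or r.get("user", "")
        if str(r.get("virustotal_result", "")).startswith("POSITIVE VT SCAN"):
            findings.append((mod, host, "virustotal positive", subject))
        if mod in ("launch_agents", "launch_daemons"):
            args = r.get("program_arguments") or []
            if isinstance(args, str):
                args = [args]
            program = r.get("program") or (args[0] if args else "")
            if not r.get("signing_info"):
                findings.append((mod, host, "unsigned persistence binary", subject))
            if program and SUSPICIOUS_PATH.search(program) and _truthy(r.get("runAtLoad")):
                findings.append((mod, host, "runAtLoad from %s" % program, subject))
        if mod == "login_items" and not r.get("signature"):
            findings.append((mod, host, "unsigned login item", subject))
        if mod in ("sip_status", "gatekeeper_status"):
            if "disabled" in str(r.get(mod, "")).lower():
                findings.append((mod, host, "%s disabled" % mod, subject))
    return findings


if __name__ == "__main__":
    # Usage: python3 triage.py venator_output.json   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT_NDJSON
    for finding in triage(load_venator(text)):
        print("%-18s %-8s %-40s %s" % finding)
```

The rules deliberately key on fields the README documents (`signing_info`, `runAtLoad`, `program_arguments`, `virustotal_result`, `signature`) so they can be re-expressed as SIEM searches once the file is ingested; the path regex is the one piece of local policy and should be tuned to the fleet.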