Venator – macOS恶意活动检测工具
- 发表于
- 安全工具
Venator
Venator 是一个用于主动检测并收集macOS数据的 python 工具,获得数据后供分析哪些是恶意活动,macOS几乎很少有类似的工具。使用原生 macOS python 版本(2.7. x)开发,支持 High Sierra 和 Mojave。
Venator安装使用
|
1 2 |
$ git clone https://github.com/richiercyrus/Venator.git $ Venator.py -h |
注意:该脚本需要root权限才能运行。
相关介绍:https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56
下面是 Venator 模块和每个模块包含的数据。 一旦脚本运行结束将提供一个 JSON 文件,以便进一步分析。 您可以通过以下方式在 JSON 文件中按模块搜索相关信息: module:<name of module>
system_info:
- hostname
- kernel
- kernel_release
launch_agents:
- label
- program
- program_arguments
- signing_info
- hash
- executable
- plist_hash
- path
- runAtLoad
- hostname
launch_daemons:
- label
- program
- program_arguments
- signing_info
- hash
- executable
- plist_hash
- path
- runAtLoad
- hostname
users:用户
- users
- hostname
safari_extensions:
- extension name
- apple_signed
- developer_identifier
- extension_path
- hostname
chrome_extensions:
- extension_directory_name
- extension_update_url
- extension_name
- hostname
firefox_extensions:
- extension_id
- extension_update_url
- extension_options_url
- extension_install_date
- extension_last_updated
- extension_source_uri
- extension_name
- extension_description
- extension_creator
- extension_homepage_url
- hostname
install_history:
- install_date
- display_name
- package_identifier
- hostname
cron_jobs:定时任务
- user
- crontab
- hostname
emond_rules:
- rule
- path
- hostname
environment_variables:
- hostname
- variable:value
periodic_scripts:
- hostname
- periodic_script:"content of script"
current_connections:
- process_name
- process_id
- user
- TCP_UDP
- connection_flow
- hostname
sip_status:
- sip_status
- hostname
gatekeeper_status:
- gatekeeper_status
- hostname
login_items:
- hostname
- application
- executable
- application_hash
- signature
applications:
- hostname
- application
- executable
- application_hash
- signature
event_taps:
- eventTapID
- tapping_process_id
- tapping_process_name
- tapped_process_id
- enabled
- hostname
bash_history:
- user
- bash_commands
- hostname
shell_startup:
- user
- hostname
- shell_startup_filename
- shell_startup_data
