richiercyrus / Venator-Swift

Swift Command line tool used for proactive detection of malicious activity on macOS systems.


Author: @rrcyrus

Major Contributor: @Airzero24

Venator-Swift is a Swift tool used for gathering data for the purpose of proactive macOS detection. Support for 10.13 and above. Happy Hunting!

Accompanying blog post: https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56

The tool needs root permissions to run, or else you will get the error message below.

Venator-Swift has a number of different features including the ability to upload host data to an Amazon S3 Bucket and enrich data using Virustotal.

  • By default, the resulting file will be created in the /tmp directory. You can specify an alternate path by using the -o flag.
  • When uploading to S3 -r or --region refers to the region your bucket is in. Regions that are supported are specified here.
  • To obtain a Virustotal API key to be used with Venator-Swift, refer to the following documentation: https://developers.virustotal.com/reference
  • You can also specify the modules you would like to run instead of the default action (which is to run all modules). The available modules are:
    launchagents
    launchdaemons
    sip
    gatekeeper
    cronjobs
    apps
    bashhistory
    zshhistory
    loginitems
    firefoxExtension
    chromeExtension
    installhistory
    periodicscripts
    connections
    startupscripts
    eventtap
    kext
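To show the kind of data a persistence module such as launchagents or launchdaemons gathers, here is an added Python example (not Venator-Swift's own Swift code). It parses launchd property lists from the standard LaunchAgents/LaunchDaemons directories, records the label, executable, arguments and RunAtLoad/KeepAlive settings, and hashes the executable so the result can later be enriched against VirusTotal, as the README describes. The sample directory, the label com.example.updater and the updater.sh script are constructed for the example; the malformed plist shows how a sweep should record unparseable files instead of aborting.

```python
import hashlib
import os
import plistlib
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known directories launchd reads persistence plists from.
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


@dataclass
class LaunchItem:
    plist_path: str
    label: Optional[str]
    program: Optional[str]      # executable: Program, or ProgramArguments[0]
    arguments: List[str]
    run_at_load: bool
    keep_alive: bool
    sha256: Optional[str]       # hash of the executable, for a later VirusTotal lookup


def sha256_of(path: str) -> Optional[str]:
    """Hash a file; None if it does not exist or cannot be read."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def parse_launch_plist(path: str) -> LaunchItem:
    """Extract the fields that matter for triage from one launchd plist."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    args = [str(a) for a in data.get("ProgramArguments", [])]
    program = data.get("Program") or (args[0] if args else None)
    # KeepAlive is either a bool or a dict of conditions; either form keeps the job alive.
    keep_alive = data.get("KeepAlive", False)
    return LaunchItem(
        plist_path=path,
        label=data.get("Label"),
        program=program,
        arguments=args,
        run_at_load=bool(data.get("RunAtLoad", False)),
        keep_alive=bool(keep_alive),
        sha256=sha256_of(program) if program else None,
    )


def collect_launch_items(dirs: List[str] = LAUNCH_DIRS) -> Tuple[List[LaunchItem], Dict[str, str]]:
    """Walk each directory; return parsed items plus a map of unparseable plists to the error."""
    items: List[LaunchItem] = []
    errors: Dict[str, str] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                items.append(parse_launch_plist(full))
            except (plistlib.InvalidFileException, ValueError, OSError) as exc:
                # A malformed plist is itself worth recording: launchd ignores it,
                # but an analyst wants to know it exists. Do not abort the sweep.
                errors[full] = type(exc).__name__
    return items, errors


def build_sample_dir() -> str:
    """Constructed sample data (not from any real host) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="venator-example-")
    program = os.path.join(root, "updater.sh")
    with open(program, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    good = {
        "Label": "com.example.updater",  # hypothetical label
        "ProgramArguments": [program, "--daemon"],
        "RunAtLoad": True,
        "KeepAlive": {"SuccessfulExit": False},
    }
    with open(os.path.join(root, "com.example.updater.plist"), "wb") as f:
        plistlib.dump(good, f)
    with open(os.path.join(root, "broken.plist"), "wb") as f:
        f.write(b"this is not a plist")  # exercises the error path
    return root


if __name__ == "__main__":
    found, failed = collect_launch_items([build_sample_dir()] + LAUNCH_DIRS)
    for item in found:
        print(item)
    for path, err in failed.items():
        print("unparseable:", path, err)
```

Run on a macOS host it also lists the real LaunchAgents/LaunchDaemons entries readable by the current user; on other systems those directories are simply skipped. Reading the user LaunchAgents folder does not need root, but the directories Venator-Swift covers beyond these (and several of its other modules) do, which is why the tool itself requires it.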

A notarized and signed version of Venator-Swift can be found under Releases. The installation package will place Venator in /usr/local/bin/. Alternatively, you can expand the package with the pkgutil command.


License:GNU General Public License v3.0

