Author: @rrcyrus
Major Contributor: @Airzero24
Venator-Swift is a Swift tool for gathering host data for proactive macOS detection. It supports macOS 10.13 and above. Happy Hunting!
Accompanying blog post: https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56
The tool needs root permissions to run, or else you will get the error message below.
Venator-Swift has a number of different features including the ability to upload host data to an Amazon S3 Bucket and enrich data using Virustotal.
- By default, the resulting file will be created in the `/tmp` directory. You can specify an alternate path with the `-o` flag.
- When uploading to S3, `-r` or `--region` refers to the region your bucket is in. Supported regions are specified here.
- To obtain a VirusTotal API key to be used with Venator-Swift, refer to the following documentation: https://developers.virustotal.com/reference
- You can also specify the modules you would like to run instead of the default action (which is to run all modules). The available modules are:
  - launchagents
  - launchdaemons
  - sip
  - gatekeeper
  - cronjobs
  - apps
  - bashhistory
  - zshhistory
  - loginitems
  - firefoxExtension
  - chromeExtension
  - installhistory
  - periodicscripts
  - connections
  - startupscripts
  - eventtap
  - kext
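As an added illustration of the kind of hunting a defender does over the data the launchagents and launchdaemons modules collect (example code written for this README, not part of Venator-Swift), the following Python parses launchd job plists and flags ones worth a closer look. The trusted-prefix baseline and the two sample plists are constructed assumptions, not real jobs.

```python
import plistlib
from pathlib import Path

# Directories the launchagents/launchdaemons modules would read on a host.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
               "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons"]
# Assumed baseline: program locations a hunter treats as expected on a managed Mac.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")

def program_path(job):
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None

def triage_job(job):
    """Return reasons this job merits a closer look; an empty list means nothing notable."""
    reasons = []
    path = program_path(job)
    if path is None:
        reasons.append("no Program/ProgramArguments")
    elif not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted prefixes: {path}")
    if job.get("StartInterval", 10**9) < 60:  # very frequent re-execution
        reasons.append(f"StartInterval {job['StartInterval']}s")
    return reasons

def triage_plist_bytes(data):
    """Parse one plist (XML or binary) and triage it; a parse failure is itself a finding."""
    try:
        return triage_job(plistlib.loads(data))
    except Exception as exc:
        return [f"unparseable plist: {exc}"]

def scan_dirs(dirs=LAUNCH_DIRS):
    """Walk launchd directories and map each plist that has findings to its reasons."""
    return {str(p): r for d in dirs for p in Path(d).glob("*.plist")
            if (r := triage_plist_bytes(p.read_bytes()))}

# Constructed sample jobs standing in for collected host data (not real files).
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.ok", "Program": "/usr/bin/true",
                                "RunAtLoad": True})
SAMPLE_SUSPECT = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                                 "ProgramArguments": ["/Users/Shared/updater", "-q"],
                                 "StartInterval": 30})

if __name__ == "__main__":
    for name, data in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, triage_plist_bytes(data))
```

On a live Mac, `scan_dirs()` walks the same directories the modules collect from; the heuristics are a starting point for triage, not a verdict.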
A notarized and signed version of Venator-Swift can be found under Releases. The installation package will place Venator in /usr/local/bin/. Alternatively, you can expand the package with the pkgutil command.