Detecting macOS Compromise with Venator

Presented at Objective by the Sea version 2.0 (2019), June 1, 2019, 2:55 p.m. (30 minutes)

Various solutions exist to detect malicious activity on macOS. However, they are not intended for enterprise use or involve installation of an agent. This session will introduce and demonstrate how to detect malicious macOS activity using the tool Venator. Venator is a python based macOS tool designed to provide defenders with the data to proactively identify malicious macOS activity at scale. This data can then be imported into a SIEM for the purpose of building robust analytics during hunting engagements.

Presenters:

• Richie Cyrus - Senior Consultant at SpecterOps
  Richie Cyrus is a Senior Consultant at SpecterOps, with experience in incident response, digital forensics, network forensics, and security operations within the Fortune 500 & Federal Government. He specializes in detection of advanced adversaries with a focus in MacOS and Linux environments. Richie currently maintains a DFIR focused blog at https://medium.com/securityneversleeps.

Links:

• https://objectivebythesea.org/v2/talks.html#cyrus
• https://objectivebythesea.org/v2/talks/OBTS_v2_Cyrus.pdf

Similar Presentations:

• Objective by the Sea version 5.0 (2022) / Process Injection: Breaking all macOS Security Layers with a Single Vulnerability
• ShellCon 2019 / Threat Hunting in MacOS with Open Source Tools
• DEF CON 30 (2022) / Process injection: breaking all macOS security layers with a single vulnerability