Meerkat
Meerkat is collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.
Artifacts
| Host Info | Net Adapters | Processes* | Services | Files |
| :——————————————————————–: | :——————————————————-: | :—————————————————————-: | :————————————————————————–: | :———————————————————————: |
| Audit Policy | Windows Firewall Rules | DLLs* | Local Users | ADS |
| Disks | Ports | Strings* | Local Groups | Recycle Bin |
| Hotfixes | ARP | Handles* | Scheduled Tasks | Hosts File |
| TPM | DNS | EnvVars | Autoruns | Certificates |
| Software | Net Routes | Sessions | Bitlocker | Select Registry |
| Hardware | Shares | Domain Information | Defender | Event Logs |
| Drivers | | USBHistory | Event Logs Metadata | Events Related to Login Failures |
| | | | | Events Related to User/Group Management |
| | | | | Event Logs Metadata |
- Ingest using your SIEM of choice (Check out the SIEM Repository!)
__________________
Index
Quick Start
Requirements
- Requires Powershell 5.0 or above on the “scanning” device.
- Requires Powershell 3.0 or higher on target systems. You can make this further backward compatible to PowerShell 2.0 by replacing instances of “Get-CIMinstance” with “Get-WMIObject”
- Requires WinRM access.
Install with Git
In a Command or PowerShell console, type the following…
git clone "https://github.com/TonyPhipps/Meerkat" "C:\Program Files\WindowsPowerShell\Modules\Meerkat"
To update…
cd C:\Program Files\WindowsPowerShell\Modules\Meerkat
git pull
Install with PowerShell
Copy/paste this into a PowerShell console
$Modules = "C:\Program Files\WindowsPowerShell\Modules\"
New-Item -ItemType Directory $Modules\Meerkat\ -force
Invoke-WebRequest https://github.com/TonyPhipps/Meerkat/archive/master.zip -OutFile $Modules\master.zip
Expand-Archive $Modules\master.zip -DestinationPath $Modules
Copy-Item $Modules\Meerkat-master\* $Modules\Meerkat\ -Force -Recurse
Remove-Item $Modules\Meerkat-master -Recurse -Force
To update, simply run the same block of commands again.
Functions can also be used by opening the .psm1 file and copy-pasting its entire contents into a PowerSell console.
Run Meerkat
This command will output results to C:\Users\YourName\Meerkat\
NOTE: The following modules will not return results if not ran with Administrative privileges
- AuditPolicy
- Drivers
- EventsLoginFailures
- Hotfixes
- RegistryMRU
- Registry
- Processes
- RecycleBin
Analysis
Analysis methodologies and techniques are provided in the Wiki pages.
Troubleshooting
Installing a Powershell Module
If your system does not automatically load modules in your user profile, you may need to import the module manually.
Import-Module C:\Program Files\WindowsPowerShell\Modules\Meerkat\Meerkat.psm1
It is recommended that the following approach be taken to assist in locating where the actual issue resides.
TEST 1 – DOES MEERKAT WORK LOCALLY?
- Test Meerkat against the local system
TEST 2 – DOES REMOTE SCANNING WORK?
Note: Perform this test with an account that has local admin rights on the target system.
- Test Meerkat against a remote Windows system
- Invoke-Meerkat -Computer RemoteName
TEST 3 – CAN YOU CREATE THE SCHEDULE TASK AND MSA?
- Remove any existing Scheduled Tasks related to Meerkat
- Remove any MSA’s related to Meerkat
- Configure the Schedule-Meerkat.ps1 file, then run it.
TEST 4 – DOES MEERKAT-TASK.PS1 WORK?
Note: Perform this test with an account that has local admin rights on the target system.
- Configure the Meerkat-Task.ps1 file with # OPTION 1 (local host)
- Run the script manually.
TEST 5 – DOES THE SCHEDULED TASK AND THE MSA WORK?
- Run the Meerkat-Task.ps1 script via Scheduled Tasks.
If this fails:
- Ensure WinRM is enabled on remote host
- Ensure the MSA has local admin rights on remote host
TEST 6 – DOES THE MEERKAT-TASK.PS1 WORK REMOTELY?
- Configure the Meerkat-Daily-Task.ps1 file with # OPTION 3 (remote host, Daily)
- Specify a remote host in hosts.txt
- Run the script manually with an account with local admin on the remote system.
TEST 7 – DOES THE MSA HAVE PROPER PERMISSIONS ON REMOTE HOSTS?
- Configure the Meerkat-Task.ps1 file with # OPTION 3 (remote host, Daily)
- Specify a remote host in hosts.txt
- Run the Meerkat-Task.ps1 script via Scheduled Tasks.
TEST 8 – DOES EVERYTHING NOW WORK?
- Configure the Meerkat-Task.ps1 file with # OPTION 2 (fully automated domain scan)
- Run the script manually with an account with local admin on the remote system.
- Run the Meerkat-Task.ps1 script via Scheduled Tasks.
Adding a New Module
- Create the new .psm1 file, preferrably from copying an existing module with similar enough logic and using it as a starting point.
- Update the module name
- Using find and replace, replace all instances of the template’s name
- Update the Synopsis, Description, Parameters, Examples, and Notes sections
- Replace the process{} logic with the new logic. Ensure it returns an array of matching PowerShell objects.
- Save the module with an appropriate name.
- Add the new module name to Meerkat.psd1. This can be done manually or by running /Utilities/Generate-ModuleManifest.ps1
- Add the new module to the table in this README.md
- Add to the Artifacts table.
- Add the new module to Invoke-Meerkat.psm1
- Add to the Paramater m/mod/modules, including both the ValidateSet and the $Modules array itself.
- In begin{}, add to $ModuleCommandArray
- In begin{}, add to
if ($All) {}
code block
- If the module takes more than a few seconds, also add to
if ($Quick) {
code block. This prevents it from running when the user invokes -Fast
Screenshots
Output of Command “Invoke-Meerkat”
Output Files
Similar Projects
- https://github.com/travisfoley/dfirtriage
- https://github.com/Invoke-IR/PowerForensics
- https://github.com/PowerShellMafia/CimSweep
- https://www.crowdstrike.com/resources/community-tools/crowdresponse/
- https://github.com/gfoss/PSRecon/
- https://github.com/n3l5/irCRpull
- https://github.com/davehull/Kansa/
- https://github.com/WiredPulse/PoSh-R2
- https://github.com/google/grr
- https://github.com/diogo-fernan/ir-rescue
- https://github.com/SekoiaLab/Fastir_Collector
- https://github.com/AlmCo/Panorama
- https://github.com/certsocietegenerale/FIR
- https://github.com/securycore/Get-Baseline
- https://github.com/Infocyte/PSHunt
- https://github.com/giMini/NOAH
- https://github.com/A-mIn3/WINspect
- https://learn.duffandphelps.com/kape
- https://www.brimorlabs.com/tools/
What makes Meerkat stand out?
- Lightweight. Fits on a floppy disk!
- Very little footprint/impact on targets.
- Leverages Powershell & WMI/CIM.
- Coding style encourages proper code review, learning, and “borrowing.”
- No DLLs or compiled components.
- Standardized output - defaults to .csv, and can easily support json, xml, etc.