
Primary language: PowerShell. License: GNU General Public License v3.0 (GPL-3.0).

Meerkat

Meerkat is a collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.

Artifacts

| Host Info | Net Adapters | Processes* | Services | Files |
| --- | --- | --- | --- | --- |
| Audit Policy | Windows Firewall Rules | DLLs* | Local Users | ADS |
| Disks | Ports | Strings* | Local Groups | Recycle Bin |
| Hotfixes | ARP | Handles* | Scheduled Tasks | Hosts File |
| TPM | DNS | EnvVars | Autoruns | Certificates |
| Software | Net Routes | Sessions | Bitlocker | Select Registry |
| Hardware | Shares | Defender | Event Logs | |
| Drivers | | | Events Related to Login Failures | |
| USBHistory | | | Events Related to User/Group Management | |
| | | | Event Logs Metadata | |
  • Ingest using your SIEM of choice (Check out the SIEM Repository!)

Quick Start

Requirements

  • Requires PowerShell 5.0 or above on the "scanning" device.
  • Requires PowerShell 3.0 or higher on target systems. You can make this further backward compatible to PowerShell 2.0 by replacing instances of "Get-CimInstance" with "Get-WmiObject".
  • Requires WinRM access.

Install with Git

In a Command Prompt or PowerShell console, type the following:

git clone "https://github.com/TonyPhipps/Meerkat" "C:\Program Files\WindowsPowerShell\Modules\Meerkat"

To update...

cd "C:\Program Files\WindowsPowerShell\Modules\Meerkat"
git pull

Install with PowerShell

Copy/paste this into a PowerShell console

$Modules = "C:\Program Files\WindowsPowerShell\Modules"
New-Item -ItemType Directory "$Modules\Meerkat" -Force
Invoke-WebRequest https://github.com/TonyPhipps/Meerkat/archive/master.zip -OutFile "$Modules\master.zip"
Expand-Archive "$Modules\master.zip" -DestinationPath $Modules
Copy-Item "$Modules\Meerkat-master\*" "$Modules\Meerkat\" -Force -Recurse
Remove-Item "$Modules\Meerkat-master" -Recurse -Force

To update, simply run the same block of commands again.

Functions can also be used by opening the .psm1 file and copy-pasting its entire contents into a PowerShell console.

Run Meerkat

This command will output results to C:\Users\YourName\Meerkat\

Invoke-Meerkat

Analysis

Analysis methodologies and techniques are provided in the Wiki pages.

Troubleshooting

Installing a PowerShell Module

If your system does not automatically load modules in your user profile, you may need to import the module manually.

Import-Module "C:\Program Files\WindowsPowerShell\Modules\Meerkat\Meerkat.psm1"

Adding a New Module

  • Create the new .psm1 file, preferably by copying an existing module with similar enough logic and using it as a starting point.
    • Update the module name
    • Using find and replace, replace all instances of the template's name
    • Update the Synopsis, Description, Parameters, Examples, and Notes sections
    • Replace the process{} logic with the new logic. Ensure it returns an array of matching PowerShell objects.
    • Save the module with an appropriate name.
  • Add the new module name to Meerkat.psd1. This can be done manually or by running /Utilities/Generate-ModuleManifest.ps1
  • Add the new module to the table in this README.md
    • Add to the Artifacts table.
  • Add the new module to Invoke-Meerkat.psm1
    • Add to the Parameter m/mod/modules, including both the ValidateSet and the $Modules array itself.
    • In begin{}, add to $ModuleCommandArray
    • In begin{}, add to the if ($All) {} code block
    • If the module takes more than a few seconds, also add to the if ($Quick) {} code block. This prevents it from running when the user invokes -Fast
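As an added example (not a module from the Meerkat project), here is a skeleton showing the layout a new .psm1 can follow for the steps above: comment-based help, a CIM query in process{}, and one flat object emitted per result so the output drops straight into CSV. The function name Get-OptionalFeatures, the choice of the Win32_OptionalFeature class, and the Computer/DateScanned property names are assumptions, not Meerkat conventions.

```powershell
function Get-OptionalFeatures {
    <#
    .SYNOPSIS
        Reports the install state of Windows optional features (e.g. SMB1) on one or more hosts.
    .DESCRIPTION
        Queries Win32_OptionalFeature over CIM (WinRM for remote targets) and returns one
        object per feature, tagged with the host name and scan time for later comparison.
    .PARAMETER Computer
        Host name(s) to query. Defaults to the local machine.
    .EXAMPLE
        Get-OptionalFeatures -Computer host01 | Export-Csv .\features.csv -NoTypeInformation
    .NOTES
        Hypothetical example module, not part of Meerkat.
    #>
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$Computer = $env:COMPUTERNAME
    )
    begin {
        $DateScanned = (Get-Date).ToUniversalTime().ToString('u')
        # Win32_OptionalFeature.InstallState: 1 Enabled, 2 Disabled, 3 Absent, 4 Unknown
        $State = @{ 1 = 'Enabled'; 2 = 'Disabled'; 3 = 'Absent'; 4 = 'Unknown' }
    }

    process {
        foreach ($Target in $Computer) {
            # Only go over WinRM when the target is not the local host
            $Query = @{ ClassName = 'Win32_OptionalFeature'; ErrorAction = 'Stop' }
            if ($Target -ne $env:COMPUTERNAME) { $Query.ComputerName = $Target }
            try {
                $Features = Get-CimInstance @Query
            } catch {
                Write-Warning "Could not query $Target : $($_.Exception.Message)"
                continue
            }
            # Emit one flat object per feature so the caller can Export-Csv directly
            foreach ($F in $Features) {
                [PSCustomObject]@{
                    Computer     = $Target
                    DateScanned  = $DateScanned
                    Name         = $F.Name
                    Caption      = $F.Caption
                    InstallState = $State[[int]$F.InstallState]
                }
            }
        }
    }
}
```

Comparing two runs of this output (one per host, or the same host at two points in time) is the snapshot-comparison use case the introduction describes.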

Screenshots

Output of Command "Invoke-Meerkat"

Output Files

Similar Projects

What makes Meerkat stand out?

  • Lightweight. Fits on a floppy disk!
  • Very little footprint/impact on targets.
  • Leverages PowerShell & WMI/CIM.
  • Coding style encourages proper code review, learning, and "borrowing."
  • No DLLs or compiled components.
  • Standardized output - defaults to .csv, and can easily support json, xml, etc.