Meerkat is collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.
Host Info | Net Adapters | Processes* | Services | Files |
---|---|---|---|---|
Audit Policy | Windows Firewall Rules | DLLs* | Local Users | ADS |
Disks | Ports | Strings* | Local Groups | Recycle Bin |
Hotfixes | ARP | Handles* | Scheduled Tasks | Hosts File |
TPM | DNS | EnvVars | Autoruns | Certificates |
Software | Net Routes | Sessions | Bitlocker | Select Registry |
Hardware | Shares | Domain Information | Defender | Event Logs |
Drivers | USBHistory | Event Logs Metadata | Events Related to Login Failures | |
Events Related to User/Group Management | ||||
Event Logs Metadata |
- Ingest using your SIEM of choice (Check out the SIEM Repository!)
- Requires Powershell 5.0 or above on the "scanning" device.
- Requires Powershell 3.0 or higher on target systems. You can make this further backward compatible to PowerShell 2.0 by replacing instances of "Get-CIMinstance" with "Get-WMIObject"
- Requires WinRM access.
Install with Git
In a Command or PowerShell console, type the following...
git clone "https://github.com/TonyPhipps/Meerkat" "C:\Program Files\WindowsPowerShell\Modules\Meerkat"
To update...
cd C:\Program Files\WindowsPowerShell\Modules\Meerkat
git pull
Copy/paste this into a PowerShell console
$Modules = "C:\Program Files\WindowsPowerShell\Modules\"
New-Item -ItemType Directory $Modules\Meerkat\ -force
Invoke-WebRequest https://github.com/TonyPhipps/Meerkat/archive/master.zip -OutFile $Modules\master.zip
Expand-Archive $Modules\master.zip -DestinationPath $Modules
Copy-Item $Modules\Meerkat-master\* $Modules\Meerkat\ -Force -Recurse
Remove-Item $Modules\Meerkat-master -Recurse -Force
To update, simply run the same block of commands again.
Functions can also be used by opening the .psm1 file and copy-pasting its entire contents into a PowerSell console.
This command will output results to C:\Users\YourName\Meerkat\
Invoke-Meerkat
NOTE: The following modules will not return results if not ran with Administrative privileges
- AuditPolicy
- Drivers
- EventsLoginFailures
- Hotfixes
- RegistryMRU
- Registry
- Processes
- RecycleBin
Analysis methodologies and techniques are provided in the Wiki pages.
Installing a Powershell Module
If your system does not automatically load modules in your user profile, you may need to import the module manually.
Import-Module C:\Program Files\WindowsPowerShell\Modules\Meerkat\Meerkat.psm1
It is recommended that the following approach be taken to assist in locating where the actual issue resides.
- Test Meerkat against the local system
- Invoke-Meerkat
Note: Perform this test with an account that has local admin rights on the target system.
- Test Meerkat against a remote Windows system
- Invoke-Meerkat -Computer RemoteName
- Remove any existing Scheduled Tasks related to Meerkat
- Remove any MSA’s related to Meerkat
- Configure the Schedule-Meerkat.ps1 file, then run it.
Note: Perform this test with an account that has local admin rights on the target system.
- Configure the Meerkat-Task.ps1 file with # OPTION 1 (local host)
- Run the script manually.
- Run the Meerkat-Task.ps1 script via Scheduled Tasks.
If this fails:
- Ensure WinRM is enabled on remote host
- Ensure the MSA has local admin rights on remote host
- Configure the Meerkat-Daily-Task.ps1 file with # OPTION 3 (remote host, Daily)
- Specify a remote host in hosts.txt
- Run the script manually with an account with local admin on the remote system.
- Configure the Meerkat-Task.ps1 file with # OPTION 3 (remote host, Daily)
- Specify a remote host in hosts.txt
- Run the Meerkat-Task.ps1 script via Scheduled Tasks.
- Configure the Meerkat-Task.ps1 file with # OPTION 2 (fully automated domain scan)
- Run the script manually with an account with local admin on the remote system.
- Run the Meerkat-Task.ps1 script via Scheduled Tasks.
- Create the new .psm1 file, preferrably from copying an existing module with similar enough logic and using it as a starting point.
- Update the module name
- Using find and replace, replace all instances of the template's name
- Update the Synopsis, Description, Parameters, Examples, and Notes sections
- Replace the process{} logic with the new logic. Ensure it returns an array of matching PowerShell objects.
- Save the module with an appropriate name.
- Add the new module name to Meerkat.psd1. This can be done manually or by running /Utilities/Generate-ModuleManifest.ps1
- Add the new module to the table in this README.md
- Add to the Artifacts table.
- Add the new module to Invoke-Meerkat.psm1
- Add to the Paramater m/mod/modules, including both the ValidateSet and the $Modules array itself.
- In begin{}, add to $ModuleCommandArray
- In begin{}, add to
if ($All) {}
code block - If the module takes more than a few seconds, also add to
if ($Quick) {
code block. This prevents it from running when the user invokes -Fast
Output of Command "Invoke-Meerkat"
Output Files
- https://github.com/travisfoley/dfirtriage
- https://github.com/Invoke-IR/PowerForensics
- https://github.com/PowerShellMafia/CimSweep
- https://www.crowdstrike.com/resources/community-tools/crowdresponse/
- https://github.com/gfoss/PSRecon/
- https://github.com/n3l5/irCRpull
- https://github.com/davehull/Kansa/
- https://github.com/WiredPulse/PoSh-R2
- https://github.com/google/grr
- https://github.com/diogo-fernan/ir-rescue
- https://github.com/SekoiaLab/Fastir_Collector
- https://github.com/AlmCo/Panorama
- https://github.com/certsocietegenerale/FIR
- https://github.com/securycore/Get-Baseline
- https://github.com/Infocyte/PSHunt
- https://github.com/giMini/NOAH
- https://github.com/A-mIn3/WINspect
- https://learn.duffandphelps.com/kape
- https://www.brimorlabs.com/tools/
What makes Meerkat stand out?
- Lightweight. Fits on a floppy disk!
- Very little footprint/impact on targets.
- Leverages Powershell & WMI/CIM.
- Coding style encourages proper code review, learning, and "borrowing."
- No DLLs or compiled components.
- Standardized output - defaults to .csv, and can easily support json, xml, etc.