Awesome Open Source
Awesome Open Source

Meerkat

Meerkat Logo

Meerkat is collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints without requiring a pre-deployed agent. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.

Artifacts and Wiki Articles

Host Info Processes* Services Autoruns Drivers
ARP DLLs* EnvVars Hosts File ADS
DNS Strings* Users & Groups Ports Select Registry
Hotfixes Handles* Software Hardware Event Logs
Net Adapters Net Routes Sessions [Shares] Certificates
Scheduled Tasks TPM Bitlocker Recycle Bin Files
  • Ingest using your SIEM of choice (Check out the SIEM Repository!)

Index


Quick Start

Requirements

  • Requires Powershell 5.0 or above on the "scanning" device.
  • Requires Powershell 3.0 or higher on target systems. You can make this further backward compatible to PowerShell 2.0 by replacing instances of "Get-CIMinstance" with "Get-WMIObject"
  • Requires WinRM access.

Install with Git

In a Command or PowerShell console, type the following...

git clone "https://github.com/TonyPhipps/Meerkat" "C:\Program Files\WindowsPowerShell\Modules\Meerkat"

To update...

cd C:\Program Files\WindowsPowerShell\Modules\Meerkat
git pull

Install with PowerShell

Copy/paste this into a PowerShell console

$Modules = "C:\Program Files\WindowsPowerShell\Modules\"
New-Item -ItemType Directory $Modules\Meerkat\ -force
Invoke-WebRequest https://github.com/TonyPhipps/Meerkat/archive/master.zip -OutFile $Modules\master.zip
Expand-Archive $Modules\master.zip -DestinationPath $Modules
Copy-Item $Modules\Meerkat-master\* $Modules\Meerkat\ -Force -Recurse
Remove-Item  $Modules\Meerkat-master -Recurse -Force

To update, simply run the same block of commands again.

Functions can also be used by opening the .psm1 file and copy-pasting its entire contents into a PowerSell console.

Run Meerkat

This command will output results to C:\Users\YourName\Meerkat\

Invoke-Meerkat

Analysis

Analysis methodologies and techniques are provided in the Wiki pages.

Troubleshooting

Installing a Powershell Module

If your system does not automatically load modules in your user profile, you may need to import the module manually.

Import-Module C:\Program Files\WindowsPowerShell\Modules\Meerkat\Meerkat.psm1

Screenshots

Output of Command "Invoke-Meerkat"

Output of Command "Invoke-Meerkat"

Output Files

Output Files

Similar Projects

What makes Meerkat stand out?

  • Lightweight. Fits on a floppy disk!
  • Very little footprint/impact on targets.
  • Leverages Powershell & WMI/CIM.
  • Coding style encourages proper code review, learning, and "borrowing."
  • No DLLs or compiled components.
  • Standardized output - defaults to .csv, and can easily support json, xml, etc.

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
security (1,880
powershell (1,323
analysis (219
monitor (165
log (142
recon (91
forensics (72
threat-hunting (67
scan (41
response (29
siem (27
baseline (24
soc (19
threat (18
team (17