
A collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints.

Meerkat


Meerkat is a collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.

Artifacts and Wiki Articles

  • Host Info
  • Processes*
  • Services
  • Autoruns
  • Drivers
  • ARP
  • DLLs*
  • EnvVars
  • Hosts File
  • ADS
  • DNS
  • Strings*
  • Users & Groups
  • Ports
  • Select Registry
  • Hotfixes
  • Handles*
  • Software
  • Hardware
  • Event Logs
  • Net Adapters
  • Net Routes
  • Sessions
  • Shares
  • Certificates
  • Scheduled Tasks
  • TPM
  • BitLocker
  • Recycle Bin
  • Files
  • Ingest using your SIEM of choice (Check out the SIEM Repository!)

Index

  • Quick Start
  • Usage
  • Analysis
  • Troubleshooting
  • Screenshots
  • Similar Projects

Quick Start

Requirements

  • Requires PowerShell 5.0 or above on the "scanning" device.
  • Requires PowerShell 3.0 or higher on target systems. You can make this further backward compatible to PowerShell 2.0 by replacing instances of "Get-CimInstance" with "Get-WmiObject".
  • Requires WinRM access.
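As an added example (not code from the Meerkat project), the following PowerShell verifies the three requirements above before a scan and shows the Get-CimInstance / Get-WmiObject substitution from the second point implemented as a runtime fallback, so a PowerShell 2.0 target is still collected. The function names Test-MeerkatPrereq and Get-ProcessArtifact, the Win32_Process column selection and the hostnames WS01 and WS02 are this example's own assumptions.

```powershell
# Added example, not part of the Meerkat project. Function names, parameters
# and hostnames are this example's own assumptions.

function Test-MeerkatPrereq {
    # Checks the README requirements: PowerShell 5.0+ locally, WinRM reachable
    # and PowerShell 3.0+ on each target. Returns one row per target.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    if ($PSVersionTable.PSVersion.Major -lt 5) {
        Write-Warning "Scanning host runs PowerShell $($PSVersionTable.PSVersion); 5.0 or above is required."
    }
    foreach ($target in $ComputerName) {
        $row = [ordered]@{ ComputerName = $target; WinRM = $false; PSVersion = $null; Ready = $false }
        try {
            # Test-WSMan only succeeds when the target's WinRM listener answers.
            Test-WSMan -ComputerName $target -ErrorAction Stop | Out-Null
            $row.WinRM = $true
            $remote = Invoke-Command -ComputerName $target -ErrorAction Stop -ScriptBlock {
                $PSVersionTable.PSVersion.ToString()
            }
            $row.PSVersion = $remote
            $row.Ready = [version]$remote -ge [version]'3.0'
        } catch {
            Write-Warning ("{0}: {1}" -f $target, $_.Exception.Message)
        }
        [pscustomobject]$row
    }
}

function Get-ProcessArtifact {
    # Collects the process list on one target, preferring CIM and falling back
    # to WMI so a PowerShell 2.0 target still works (the README's substitution).
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
            Get-CimInstance -ClassName Win32_Process
        } else {
            Get-WmiObject -Class Win32_Process
        }
    } | Select-Object PSComputerName, ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

# Usage: check the targets, collect from the ready ones, write CSV (the README's default format).
$targets = 'WS01', 'WS02'   # constructed hostnames
$outDir = Join-Path $HOME 'Meerkat'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$ready = Test-MeerkatPrereq -ComputerName $targets | Where-Object Ready
foreach ($name in $ready.ComputerName) {
    Get-ProcessArtifact -ComputerName $name |
        Export-Csv -NoTypeInformation -Path (Join-Path $outDir "Processes_$name.csv")
}
```

The CIM-or-WMI decision is made on the target inside the Invoke-Command script block, because that is where the available cmdlet set matters; the Select-Object afterwards runs on the scanning host against the deserialized results, so it works the same for either source.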

Install with Git

In a Command or PowerShell console, type the following...

git clone "https://github.com/TonyPhipps/Meerkat" "C:\Program Files\WindowsPowerShell\Modules\Meerkat"

To update...

cd "C:\Program Files\WindowsPowerShell\Modules\Meerkat"
git pull

Install with PowerShell

Copy/paste this into a PowerShell console

# Module root; the trailing backslash is kept so the paths below join cleanly
$Modules = "C:\Program Files\WindowsPowerShell\Modules\"
New-Item -ItemType Directory "$Modules\Meerkat\" -Force
# Download the current master branch as a zip and unpack it next to the module folder
Invoke-WebRequest https://github.com/TonyPhipps/Meerkat/archive/master.zip -OutFile "$Modules\master.zip"
Expand-Archive "$Modules\master.zip" -DestinationPath $Modules
# Move the unpacked files into the module folder and remove the unpacked copy
Copy-Item "$Modules\Meerkat-master\*" "$Modules\Meerkat\" -Force -Recurse
Remove-Item "$Modules\Meerkat-master" -Recurse -Force

To update, simply run the same block of commands again.

Functions can also be used by opening the .psm1 file and copy-pasting its entire contents into a PowerShell console.

Run Meerkat

This command will output results to C:\Users\YourName\Meerkat\

Invoke-Meerkat

Analysis

Analysis methodologies and techniques are provided in the Wiki pages.
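The README lists snapshot comparisons and baseline monitoring among Meerkat's use cases, and its default output is CSV. As an added example (not part of the Meerkat project or its Wiki), the following compares a baseline snapshot against a later one and reports rows that appeared or disappeared. The column names Name, Path and ParentName and the two CSV snapshots are constructed for this example; Meerkat's real output columns are not listed on this page, so substitute them when reading real files with Import-Csv.

```powershell
# Added example, not part of the Meerkat project. Column names and the
# two snapshots below are constructed for illustration.

$baselineCsv = @'
Name,Path,ParentName
svchost.exe,C:\Windows\System32\svchost.exe,services.exe
explorer.exe,C:\Windows\explorer.exe,userinit.exe
'@

$currentCsv = @'
Name,Path,ParentName
svchost.exe,C:\Windows\System32\svchost.exe,services.exe
explorer.exe,C:\Windows\explorer.exe,userinit.exe
svchost.exe,C:\Users\Public\svchost.exe,explorer.exe
'@

function Compare-Snapshot {
    # Reports rows present in only one of the two snapshots.
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current,
        [string[]]$Property = @('Name', 'Path', 'ParentName')
    )
    # Compare-Object treats two rows as equal only when every listed property
    # matches, so a familiar name running from an unexpected path or parent is
    # reported as an added row rather than hidden behind the name match.
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property $Property |
        ForEach-Object {
            [pscustomobject]@{
                Change     = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Name       = $_.Name
                Path       = $_.Path
                ParentName = $_.ParentName
            }
        }
}

$baseline = $baselineCsv | ConvertFrom-Csv
$current  = $currentCsv  | ConvertFrom-Csv
# With real output: Import-Csv on the baseline and current Processes CSV files instead.
Compare-Snapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Choosing which properties participate in the comparison is the main analysis decision: comparing on Name alone would hide the second svchost.exe row, while including Path and ParentName surfaces it.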

Troubleshooting

Installing a PowerShell Module

If your system does not automatically load modules in your user profile, you may need to import the module manually.

Import-Module "C:\Program Files\WindowsPowerShell\Modules\Meerkat\Meerkat.psm1"

Screenshots

Screenshot: output of the command "Invoke-Meerkat"

Screenshot: output files

Similar Projects

  • https://github.com/travisfoley/dfirtriage
  • https://github.com/Invoke-IR/PowerForensics
  • https://github.com/PowerShellMafia/CimSweep
  • https://www.crowdstrike.com/resources/community-tools/crowdresponse/
  • https://github.com/gfoss/PSRecon/
  • https://github.com/n3l5/irCRpull
  • https://github.com/davehull/Kansa/
  • https://github.com/WiredPulse/PoSh-R2
  • https://github.com/google/grr
  • https://github.com/diogo-fernan/ir-rescue
  • https://github.com/SekoiaLab/Fastir_Collector
  • https://github.com/AlmCo/Panorama
  • https://github.com/certsocietegenerale/FIR
  • https://github.com/securycore/Get-Baseline
  • https://github.com/Infocyte/PSHunt
  • https://github.com/giMini/NOAH
  • https://github.com/A-mIn3/WINspect
  • https://learn.duffandphelps.com/kape
  • https://www.brimorlabs.com/tools/

What makes Meerkat stand out?

  • Lightweight. Fits on a floppy disk!
  • Very little footprint/impact on targets.
  • Leverages PowerShell & WMI/CIM.
  • Coding style encourages proper code review, learning, and "borrowing."
  • No DLLs or compiled components.
  • Standardized output - defaults to .csv, and can easily support json, xml, etc.