Meerkat

Meerkat Logo

Meerkat is collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.

Artifacts

Host Info	Net Adapters	Processes*	Services	Files
Audit Policy	Windows Firewall Rules	DLLs*	Local Users	ADS
Disks	Ports	Strings*	Local Groups	Recycle Bin
Hotfixes	ARP	Handles*	Scheduled Tasks	Hosts File
TPM	DNS	EnvVars	Autoruns	Certificates
Software	Net Routes	Sessions	Bitlocker	Select Registry
Hardware	Shares	Domain Information	Defender	Event Logs
Drivers		USBHistory	Event Logs Metadata	Events Related to Login Failures
				Events Related to User/Group Management
				Event Logs Metadata

Ingest using your SIEM of choice (Check out the SIEM Repository!)

Quick Start

Requirements

Requires Powershell 5.0 or above on the "scanning" device.
Requires Powershell 3.0 or higher on target systems. You can make this further backward compatible to PowerShell 2.0 by replacing instances of "Get-CIMinstance" with "Get-WMIObject"
Requires WinRM access.

Install with Git

In a Command or PowerShell console, type the following...

git clone "https://github.com/TonyPhipps/Meerkat" "C:\Program Files\WindowsPowerShell\Modules\Meerkat"

To update...

cd C:\Program Files\WindowsPowerShell\Modules\Meerkat
git pull

Install with PowerShell

Copy/paste this into a PowerShell console

$Modules = "C:\Program Files\WindowsPowerShell\Modules\"
New-Item -ItemType Directory $Modules\Meerkat\ -force
Invoke-WebRequest https://github.com/TonyPhipps/Meerkat/archive/master.zip -OutFile $Modules\master.zip
Expand-Archive $Modules\master.zip -DestinationPath $Modules
Copy-Item $Modules\Meerkat-master\* $Modules\Meerkat\ -Force -Recurse
Remove-Item  $Modules\Meerkat-master -Recurse -Force

To update, simply run the same block of commands again.

Functions can also be used by opening the .psm1 file and copy-pasting its entire contents into a PowerSell console.

Run Meerkat

This command will output results to C:\Users\YourName\Meerkat\

Invoke-Meerkat

NOTE: The following modules will not return results if not ran with Administrative privileges

AuditPolicy
Drivers
EventsLoginFailures
Hotfixes
RegistryMRU
Registry
Processes
RecycleBin

Analysis

Analysis methodologies and techniques are provided in the Wiki pages.

Troubleshooting

Installing a Powershell Module

If your system does not automatically load modules in your user profile, you may need to import the module manually.

Import-Module C:\Program Files\WindowsPowerShell\Modules\Meerkat\Meerkat.psm1

It is recommended that the following approach be taken to assist in locating where the actual issue resides.

TEST 1 – DOES MEERKAT WORK LOCALLY?

Test Meerkat against the local system
- Invoke-Meerkat

TEST 2 – DOES REMOTE SCANNING WORK?

Note: Perform this test with an account that has local admin rights on the target system.

Test Meerkat against a remote Windows system
- Invoke-Meerkat -Computer RemoteName

TEST 3 – CAN YOU CREATE THE SCHEDULE TASK AND MSA?

Remove any existing Scheduled Tasks related to Meerkat
Remove any MSA’s related to Meerkat
Configure the Schedule-Meerkat.ps1 file, then run it.

TEST 4 – DOES MEERKAT-TASK.PS1 WORK?

Note: Perform this test with an account that has local admin rights on the target system.

Configure the Meerkat-Task.ps1 file with # OPTION 1 (local host)
Run the script manually.

TEST 5 – DOES THE SCHEDULED TASK AND THE MSA WORK?

Run the Meerkat-Task.ps1 script via Scheduled Tasks.

If this fails:

Ensure WinRM is enabled on remote host
Ensure the MSA has local admin rights on remote host

TEST 6 – DOES THE MEERKAT-TASK.PS1 WORK REMOTELY?

Configure the Meerkat-Daily-Task.ps1 file with # OPTION 3 (remote host, Daily)
- Specify a remote host in hosts.txt
- Run the script manually with an account with local admin on the remote system.

TEST 7 – DOES THE MSA HAVE PROPER PERMISSIONS ON REMOTE HOSTS?

Configure the Meerkat-Task.ps1 file with # OPTION 3 (remote host, Daily)
- Specify a remote host in hosts.txt
- Run the Meerkat-Task.ps1 script via Scheduled Tasks.

TEST 8 – DOES EVERYTHING NOW WORK?

Configure the Meerkat-Task.ps1 file with # OPTION 2 (fully automated domain scan)
- Run the script manually with an account with local admin on the remote system.
- Run the Meerkat-Task.ps1 script via Scheduled Tasks.

Adding a New Module

Create the new .psm1 file, preferrably from copying an existing module with similar enough logic and using it as a starting point.
- Update the module name
- Using find and replace, replace all instances of the template's name
- Update the Synopsis, Description, Parameters, Examples, and Notes sections
- Replace the process{} logic with the new logic. Ensure it returns an array of matching PowerShell objects.
- Save the module with an appropriate name.
Add the new module name to Meerkat.psd1. This can be done manually or by running /Utilities/Generate-ModuleManifest.ps1
Add the new module to the table in this README.md
- Add to the Artifacts table.
Add the new module to Invoke-Meerkat.psm1
- Add to the Paramater m/mod/modules, including both the ValidateSet and the $Modules array itself.
- In begin{}, add to $ModuleCommandArray
- In begin{}, add to if ($All) {} code block
- If the module takes more than a few seconds, also add to if ($Quick) { code block. This prevents it from running when the user invokes -Fast