
TonyPhipps / Meerkat

Licence: gpl-3.0
A collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints.


Meerkat


Meerkat is a collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.

Artifacts and Wiki Articles

  • Host Info, Processes*, Services, Autoruns, Drivers
  • ARP, DLLs*, EnvVars, Hosts File, ADS
  • DNS, Strings*, Users & Groups, Ports, Select Registry
  • Hotfixes, Handles*, Software, Hardware, Event Logs
  • Net Adapters, Net Routes, Sessions, Shares, Certificates
  • Scheduled Tasks, TPM, Bitlocker, Recycle Bin, Files
  • Ingest using your SIEM of choice (Check out the SIEM Repository!)

Quick Start

Requirements

  • Requires PowerShell 5.0 or above on the "scanning" device.
  • Requires PowerShell 3.0 or higher on target systems. You can make this further backward compatible to PowerShell 2.0 by replacing instances of Get-CimInstance with Get-WmiObject. Note that the parameter names differ as well: Get-CimInstance takes -ClassName, Get-WmiObject takes -Class.
  • Requires WinRM access (PowerShell Remoting) to the targets. Many of the artifacts above, such as event logs, handles, TPM and BitLocker state, can only be read by an account with local administrator rights on the target.
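The following is an added example, not Meerkat's own code, showing the two requirements above in practice: it checks that WinRM answers before doing anything else, and it collects one artifact (services, via Win32_Service) with Get-CimInstance on PowerShell 3+ targets and Get-WmiObject on PowerShell 2.0 targets, choosing at run time on the target rather than by editing the module. The function name Get-ServiceSnapshot and the output path are assumptions for the example.

```powershell
# Added example (not part of Meerkat). Collects services from a local or remote
# host over WinRM, using Get-CimInstance where available and Get-WmiObject on
# PowerShell 2.0. Function name and output path are assumptions for this example.
function Get-ServiceSnapshot {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [System.Management.Automation.PSCredential]$Credential
    )
    $remote = $ComputerName -ne $env:COMPUTERNAME
    if ($remote) {
        # Meerkat depends on WinRM; fail fast if the listener is not reachable.
        try { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop }
        catch { throw "WinRM not reachable on ${ComputerName}: $_" }
    }

    # This block runs ON the target, so it may only use cmdlets that exist there.
    $collector = {
        $props = 'Name', 'DisplayName', 'State', 'StartMode', 'PathName', 'StartName'
        if ($PSVersionTable.PSVersion.Major -ge 3) {
            Get-CimInstance -ClassName Win32_Service | Select-Object $props
        } else {
            # PowerShell 2.0: no Get-CimInstance, and the parameter is -Class, not -ClassName
            Get-WmiObject -Class Win32_Service | Select-Object $props
        }
    }

    $params = @{ ScriptBlock = $collector }
    if ($remote) {
        $params['ComputerName'] = $ComputerName
        if ($Credential) { $params['Credential'] = $Credential }
    }
    # Prepend the host name so rows from many targets can share one CSV.
    Invoke-Command @params |
        Select-Object @{ n = 'Host'; e = { $ComputerName } },
                      Name, DisplayName, State, StartMode, PathName, StartName
}

# Local run written as CSV, the same shape Meerkat's default output uses.
$out = Join-Path $env:TEMP 'services.csv'
Get-ServiceSnapshot | Export-Csv -Path $out -NoTypeInformation

# Quick triage pivot: services that run as something other than the built-in accounts.
Import-Csv $out |
    Where-Object { $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT Service\\)' } |
    Format-Table Host, Name, StartName, PathName -AutoSize
```

For a remote target, call `Get-ServiceSnapshot -ComputerName <host> -Credential (Get-Credential)`; the credential must be a local administrator on the target for most of Meerkat's other artifacts, even though Win32_Service itself is readable by ordinary users.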

Install with Git

In an elevated Command Prompt or PowerShell console (the module folder is under Program Files, so writing to it requires administrator rights), type the following...

git clone "https://github.com/TonyPhipps/Meerkat" "C:\Program Files\WindowsPowerShell\Modules\Meerkat"

To update...

cd "C:\Program Files\WindowsPowerShell\Modules\Meerkat"
git pull

Install with PowerShell

Copy/paste this into an elevated PowerShell console (the target folder is under Program Files). This fetches the current master branch; if you need a reproducible install, download the archive of a specific commit you have reviewed instead.

$Modules = "C:\Program Files\WindowsPowerShell\Modules\"
# GitHub only accepts TLS 1.2 or newer; older Windows PowerShell defaults may not offer it
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory "$Modules\Meerkat\" -Force
Invoke-WebRequest https://github.com/TonyPhipps/Meerkat/archive/master.zip -OutFile "$Modules\master.zip"
Expand-Archive "$Modules\master.zip" -DestinationPath $Modules -Force
Copy-Item "$Modules\Meerkat-master\*" "$Modules\Meerkat\" -Force -Recurse
Remove-Item "$Modules\Meerkat-master", "$Modules\master.zip" -Recurse -Force

To update, simply run the same block of commands again.

Functions can also be used by opening the .psm1 file and copy-pasting its entire contents into a PowerShell console.

Run Meerkat

This command will output results to C:\Users\YourName\Meerkat\ (that is, $env:USERPROFILE\Meerkat\)

Invoke-Meerkat

Analysis

Analysis methodologies and techniques are provided in the Wiki pages.
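As an added example of the "snapshot comparison" use case, and not part of Meerkat or its Wiki, the block below diffs two collections of the same artifact and reports rows that were added, removed, or changed. The CSV text is constructed sample data standing in for two Meerkat output files; the column names (Host, Location, Name, Command, SHA256) and the function name Compare-Snapshot are assumptions, so pass the key and compare columns that match your own files.

```powershell
# Added example (not Meerkat's own code): diff a baseline snapshot against a later
# one. Rows are matched on the -KeyProperty columns; -CompareProperty columns are
# checked for changes. Column names below are assumptions for the sample data.
function Compare-Snapshot {
    param(
        [Parameter(Mandatory)] [object[]]$Baseline,
        [Parameter(Mandatory)] [object[]]$Current,
        [Parameter(Mandatory)] [string[]]$KeyProperty,
        [string[]]$CompareProperty = @()
    )
    # One lookup key per row, built from the identifying columns
    function Get-Key($row) { ($KeyProperty | ForEach-Object { $row.$_ }) -join '|' }

    $base = @{}; foreach ($row in $Baseline) { $base[(Get-Key $row)] = $row }
    $curr = @{}; foreach ($row in $Current)  { $curr[(Get-Key $row)] = $row }

    foreach ($key in $curr.Keys) {
        if (-not $base.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Added'; Key = $key; Property = ''; Baseline = ''; Current = '' }
            continue
        }
        foreach ($p in $CompareProperty) {
            if ($base[$key].$p -ne $curr[$key].$p) {
                [pscustomobject]@{ Change = 'Modified'; Key = $key; Property = $p
                                   Baseline = $base[$key].$p; Current = $curr[$key].$p }
            }
        }
    }
    foreach ($key in $base.Keys) {
        if (-not $curr.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Removed'; Key = $key; Property = ''; Baseline = ''; Current = '' }
        }
    }
}

# Constructed sample data: a Run-key autoruns snapshot before and after a suspected
# compromise. Hash values are placeholders, not real digests.
$baselineCsv = @'
Host,Location,Name,Command,SHA256
WS01,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,"C:\Program Files\OneDrive\OneDrive.exe /background",hash-aaaa
WS01,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,"C:\Windows\System32\SecurityHealthSystray.exe",hash-bbbb
'@
$currentCsv = @'
Host,Location,Name,Command,SHA256
WS01,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,"C:\Users\Public\OneDrive.exe /background",hash-cccc
WS01,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,"powershell.exe -WindowStyle Hidden -File C:\Users\Public\up.ps1",hash-dddd
'@

# With real runs, replace ConvertFrom-Csv with Import-Csv on the two output files.
$baseline = $baselineCsv | ConvertFrom-Csv
$current  = $currentCsv  | ConvertFrom-Csv

Compare-Snapshot -Baseline $baseline -Current $current `
    -KeyProperty Host, Location, Name -CompareProperty Command, SHA256 |
    Sort-Object Change, Key | Format-Table -AutoSize
```

On the sample data this reports the Updater entry as Added, the SecurityHealth entry as Removed, and two Modified rows for OneDrive (its Command moved to a user-writable path and its SHA256 changed), which is the pattern a baseline comparison is meant to surface. Matching on a composite key rather than on Name alone keeps entries with the same name on different hosts or in different registry locations from being confused.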

Troubleshooting

Installing a Powershell Module

If your system does not automatically load modules in your user profile, you may need to import the module manually. The path contains a space, so it must be quoted:

Import-Module "C:\Program Files\WindowsPowerShell\Modules\Meerkat\Meerkat.psm1"

To check whether the module is discoverable without an explicit import, run Get-Module -ListAvailable Meerkat; it is listed only if its parent folder is on $env:PSModulePath. If the import is refused because of the execution policy, start the console with powershell.exe -ExecutionPolicy Bypass or adjust the policy with Set-ExecutionPolicy.

Screenshots

[Screenshot: output of the command "Invoke-Meerkat"]

[Screenshot: output files]

Similar Projects

What makes Meerkat stand out?

  • Lightweight. Fits on a floppy disk!
  • Very little footprint/impact on targets.
  • Leverages PowerShell & WMI/CIM.
  • Coding style encourages proper code review, learning, and "borrowing."
  • No DLLs or compiled components.
  • Standardized output - defaults to .csv, and can easily support json, xml, etc.
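The following is an added example, not Meerkat's own code, of what "ingest using your SIEM of choice" looks like for the default CSV output: it turns every CSV in an output folder into newline-delimited JSON, one event per row, tagged with the artifact name (taken from the file name) and a collection timestamp so the events can be indexed together. The sample folder and Services.csv are constructed here under $env:TEMP; the function name ConvertTo-MeerkatJsonl and the column names are assumptions.

```powershell
# Added example (not part of Meerkat): CSV output folder -> NDJSON for SIEM ingestion.
# Function name, sample folder and column names are assumptions for this example.
function ConvertTo-MeerkatJsonl {
    param(
        [Parameter(Mandatory)] [string]$OutputFolder,
        [Parameter(Mandatory)] [string]$Destination
    )
    $collected = (Get-Date).ToUniversalTime().ToString('o')
    $lines = foreach ($csv in Get-ChildItem -Path $OutputFolder -Filter *.csv) {
        # Artifact name comes from the file name, e.g. Services.csv -> Services
        $artifact = $csv.BaseName
        foreach ($row in Import-Csv -Path $csv.FullName) {
            $row | Add-Member -NotePropertyName Artifact    -NotePropertyValue $artifact  -Force
            $row | Add-Member -NotePropertyName CollectedAt -NotePropertyValue $collected -Force
            # -Compress keeps each event on one line, which is what NDJSON collectors expect
            $row | ConvertTo-Json -Compress -Depth 2
        }
    }
    if (-not $lines) { return 0 }
    Set-Content -Path $Destination -Value $lines -Encoding UTF8
    return @($lines).Count
}

# Constructed sample output folder with a single artifact file
$sample = Join-Path $env:TEMP 'meerkat-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
Host,Name,State,StartName,PathName
WS01,Spooler,Running,LocalSystem,C:\Windows\System32\spoolsv.exe
WS01,Updater,Running,WS01\svc_upd,C:\Users\Public\upd.exe
'@ | Set-Content -Path (Join-Path $sample 'Services.csv')

$jsonl  = Join-Path $sample 'meerkat.jsonl'
$events = ConvertTo-MeerkatJsonl -OutputFolder $sample -Destination $jsonl
"$events events written to $jsonl"
Get-Content $jsonl
```

Each line of the resulting file is a self-describing event (host, artifact, collection time, plus the row's own columns), so the same file can be shipped by any log forwarder that reads newline-delimited JSON; adding the artifact name up front is what lets a single index hold every Meerkat artifact without the field sets colliding.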