Zero-dependency PowerShell endpoint posture agent for Windows. Hardening checks · IIS discovery · software inventory · heartbeat to your gateway.
A read-only Windows endpoint agent for security posture monitoring. No Python, no Node, no .NET. Runs on PowerShell 5.1+ which ships natively with Windows 10, Windows 11, and Windows Server 2016+.
This is the agent that powers Motrix, but you can use it standalone with any HTTP gateway that speaks the documented heartbeat protocol.
| Module | What it reports |
|---|---|
| System Info | hostname, FQDN, domain, OS, build, CPU, memory |
| IIS Discovery | sites, bindings, app pools, .NET versions |
| Config Audit | Windows config baseline |
| Windows Hardening | 15 checks — UAC, SMB v1, RDP NLA, Firewall, BitLocker, AutoLogon, etc. |
| Local Port Scan | listening TCP/UDP ports + owning process |
| Software Inventory | installed apps from registry uninstall keys (32 + 64 bit) |
| Heartbeat | every 30s with status + pending command response |
It is read-only telemetry. No credential harvesting, no remote-host enumeration, no lateral movement primitives.
One-liner from an admin PowerShell:
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
$env:MTX_AGENT_TOKEN = "your-token"
$env:MTX_AGENT_URL = "https://your-gateway.example.com" # optional, defaults to motrix.fordrax.com
iwr https://raw.githubusercontent.com/ferdinand7721/motrix-windows-agent/main/install.ps1 -UseBasicParsing | iex
```

Or download the binary release (recommended for production):

```powershell
$url = "https://github.com/ferdinand7721/motrix-windows-agent/releases/latest/download/motrix-agent-windows-amd64.exe"
Invoke-WebRequest $url -OutFile "C:\Program Files\Motrix\motrix-agent.exe"
```

```bash
curl -fsSL https://raw.githubusercontent.com/ferdinand7721/motrix-windows-agent/main/install.sh \
  | MTX_AGENT_TOKEN=your-token sudo -E bash
```

The agent reads from environment variables or a config.env next to the script:
| Variable | Default | Description |
|---|---|---|
| `MTX_AGENT_TOKEN` | (required) | Enrollment token from your gateway |
| `MTX_AGENT_URL` | `https://motrix.fordrax.com` | Gateway base URL |
| `MTX_HEARTBEAT_SEC` | `30` | Heartbeat interval in seconds |
config.env example:
```
MTX_AGENT_TOKEN=mtxa_abc123def456
MTX_AGENT_URL=https://gateway.your-soc.com
MTX_HEARTBEAT_SEC=60
```
The agent calls POST /api/agent/heartbeat with:
```json
{
  "token": "mtxa_...",
  "hostname": "DESKTOP-ABC",
  "fqdn": "DESKTOP-ABC.corp.example.com",
  "os": "Windows 11 Pro 22H2",
  "version": "3.0.0",
  "capabilities": ["iis_discovery", "config_audit", "windows_hardening", "port_scan", "software_inventory"],
  "metadata": { ... }
}
```

The gateway responds with:
```json
{
  "ok": true,
  "agent_id": "uuid",
  "commands": [
    { "id": "uuid", "type": "scan", "params": { ... } }
  ]
}
```

Implement your own gateway against this protocol — see the example minimal Node/Express server in examples/gateway.ts (coming soon).
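A client-side sketch of the exchange above, added here as an illustration and not taken from the project's agent. The function names, the https-only rule and the command allow-list are assumptions; the page documents only the `scan` command type, so anything else is dropped.

```powershell
# Added example, not code from motrix_agent.ps1. All function names are hypothetical.

function Test-GatewayUrl {
    param([string]$Url)
    # The enrollment token travels in the request body, so require an absolute https URL.
    $uri = $null
    [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri) -and $uri.Scheme -eq 'https'
}

function Send-Heartbeat {
    # Not called below, so the example runs offline.
    param([string]$BaseUrl, [hashtable]$Body)
    if (-not (Test-GatewayUrl $BaseUrl)) { throw 'MTX_AGENT_URL must be an absolute https:// URL' }
    $endpoint = $BaseUrl.TrimEnd('/') + '/api/agent/heartbeat'
    Invoke-RestMethod -Method Post -Uri $endpoint -ContentType 'application/json' `
        -Body ($Body | ConvertTo-Json -Depth 5) -TimeoutSec 15
}

function Select-AllowedCommand {
    param($Response, [string[]]$AllowedTypes = @('scan'))
    # Ignore the whole response unless the gateway reported ok = true.
    if ($Response.ok -ne $true) { return @() }
    # Keep only commands that carry an id and an allow-listed type.
    @($Response.commands | Where-Object { $_.id -and $AllowedTypes -contains $_.type })
}

# Constructed gateway response (not captured traffic); the second command type is made up.
$sample = @'
{ "ok": true, "agent_id": "00000000-0000-0000-0000-000000000000",
  "commands": [
    { "id": "11111111-1111-1111-1111-111111111111", "type": "scan", "params": {} },
    { "id": "22222222-2222-2222-2222-222222222222", "type": "not-a-documented-type", "params": {} }
  ] }
'@ | ConvertFrom-Json

# Plaintext and TLS variants of the same gateway host.
Test-GatewayUrl 'http://gateway.your-soc.com'
Test-GatewayUrl 'https://gateway.your-soc.com'

# Only allow-listed commands are handed on for processing.
Select-AllowedCommand $sample | ForEach-Object { "accepted $($_.type) $($_.id)" }
```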
| # | Check | Pass criteria |
|---|---|---|
| 1 | UAC enabled | EnableLUA = 1 |
| 2 | UAC prompt for admin | ConsentPromptBehaviorAdmin >= 2 |
| 3 | SMB v1 disabled | feature absent |
| 4 | SMB signing required | server policy enforced |
| 5 | RDP NLA required | UserAuthentication = 1 |
| 6 | RDP encryption level high | MinEncryptionLevel >= 3 |
| 7 | Windows Firewall — Domain ON | profile enabled |
| 8 | Windows Firewall — Private ON | profile enabled |
| 9 | Windows Firewall — Public ON | profile enabled |
| 10 | BitLocker on system drive | encrypted |
| 11 | Windows Defender real-time enabled | service running + RT on |
| 12 | LLMNR disabled | policy set |
| 13 | NetBIOS over TCP/IP disabled | per-interface |
| 14 | AutoLogon disabled | no DefaultPassword registry value |
| 15 | PowerShell ScriptBlock logging enabled | policy set |
Each check returns `pass`, `fail`, or `not-applicable` with raw evidence.
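How a few of the registry-backed checks in the table (1, 2, 5, 6 and 14) can be evaluated into the `pass` / `fail` / `not-applicable` shape, as an added example rather than the agent's own code. The function names and result fields are hypothetical; the registry locations are the standard local keys, and values pushed through Group Policy live under separate Policies keys that this sketch does not read.

```powershell
# Added example, not taken from motrix_agent.ps1; function names are hypothetical.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

function New-CheckResult {
    param([int]$Id, [string]$Check, [string]$Status, [string]$Evidence)
    [pscustomobject]@{ id = $Id; check = $Check; status = $Status; evidence = $Evidence }
}

function Test-RegistryCheck {
    param([int]$Id, [string]$Check, [string]$Path, [string]$Name, [scriptblock]$Pass)
    if (-not (Test-Path $Path)) {
        return New-CheckResult $Id $Check 'not-applicable' "key not found: $Path"
    }
    $value  = Get-RegValue -Path $Path -Name $Name
    $shown  = if ($null -eq $value) { '<not set>' } else { $value }
    # An unset value is reported as fail; the evidence lets a reviewer judge the default.
    $status = if (& $Pass $value) { 'pass' } else { 'fail' }
    New-CheckResult $Id $Check $status "$Path\$Name = $shown"
}

$sys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$rdp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$logon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$results = @(
    Test-RegistryCheck 1 'UAC enabled' $sys 'EnableLUA' { param($v) $v -eq 1 }
    Test-RegistryCheck 2 'UAC prompt for admin' $sys 'ConsentPromptBehaviorAdmin' { param($v) $null -ne $v -and $v -ge 2 }
    Test-RegistryCheck 5 'RDP NLA required' $rdp 'UserAuthentication' { param($v) $v -eq 1 }
    Test-RegistryCheck 6 'RDP encryption level high' $rdp 'MinEncryptionLevel' { param($v) $null -ne $v -and $v -ge 3 }
)

# Check 14: record only whether DefaultPassword exists, never the stored value.
$hasPassword = $null -ne (Get-RegValue -Path $logon -Name 'DefaultPassword')
$status14    = if ($hasPassword) { 'fail' } else { 'pass' }
$results += New-CheckResult 14 'AutoLogon disabled' $status14 "DefaultPassword present: $hasPassword"

$results | ConvertTo-Json -Depth 3
```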
```
motrix_agent.ps1     # main agent (Windows-native, PowerShell 5.1+)
motrix_agent.py      # alternate Python implementation (Linux/macOS)
motrix-tray.ps1      # optional Windows system-tray notifier
install.ps1          # Windows installer (creates scheduled task)
install.sh           # Linux installer (creates systemd unit)
install-cortex.ps1   # Windows installer wired to the Cortex gateway variant
install-cortex.sh    # Linux equivalent
uninstall.ps1        # Windows clean-up
uninstall.sh         # Linux clean-up
```
The pre-compiled Windows/Linux binaries on the Releases page are built from a separate Go source tree (not in this repo). They implement the same protocol as the PowerShell/Python scripts but with a smaller footprint and no scripting runtime requirement on the host.
If you only need the scripts, you do not need the binaries — they are optional convenience.
Each release includes SHA-256 hashes in the release notes. Verify before running in production:
```powershell
Get-FileHash motrix-agent-windows-amd64.exe -Algorithm SHA256
```

```bash
sha256sum motrix-agent-linux-amd64
```

This agent is defensive read-only telemetry. See SECURITY.md for the full model and what is in/out of scope. Run it only on systems you own or are authorized to monitor.
MIT — see LICENSE.
Built by Fordrax Solutions · Mexico.