The Cybersecurity and Infrastructure Security Agency (CISA) has released the CISA Hunt and Incident Response Program (CHIRP) tool, a Python-based forensics collection tool designed to detect malicious activity associated with the SolarWinds attacks on enterprise Windows environments.
In an official announcement, CISA said that CHIRP is a free tool that searches for signs of APT compromise within an on-premises environment. The tool scans for IOCs associated with the malicious activity detailed in alerts AA20-352A and AA21-008A, which cover the SolarWinds attacks against organizations such as government agencies, critical infrastructure operators, and private-sector companies.
CHIRP was commissioned and built to search for indications of compromise related to SolarWinds Orion, the network monitoring software that the attackers leveraged to distribute the SUNBURST and SUNSPOT trojans.
CISA had previously released a similar detection tool, called Sparrow, a PowerShell-based tool developed to scan for compromise in the Microsoft environment. While CHIRP is similar to Sparrow, it complements it by scanning on-premises systems for similar activity.
The CHIRP tool is now available for download from the CISA CHIRP GitHub repository.
About the CHIRP tool
The CHIRP tool is a command-line executable that scans for anomalies within an on-premises environment. It examines Windows event logs for artifacts associated with AA20-352A and AA21-008A activity and searches the Windows Registry for evidence of intrusion.
About CHIRP tool
The CHIRP tool is a command-line executable that scans for anomalies within an on-premises environment. It examines Windows event logs for artifacts associated with AA20-352A and AA21-008A activities, as well as searches the Windows Registry for evidence of intrusion.
The CHIRP tool also allows administrators to query Windows network artifacts and apply YARA rules to detect malware, backdoors, or implants.
As CHIRP is a license-free tool, developers can take the source code and improve it further.
Currently, the tool can scan for:
- The presence of associated malware identified by security researchers as TEARDROP and RAINDROP;
- Credential dumping certificate pulls;
- Specific persistence mechanisms associated with the SolarWinds attacks;
- System, network, and M365 enumeration; and
- Known observable indicators of lateral movement.
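To make concrete how a host-based hunt tool of this kind works, the following is an added illustration and not CHIRP's own code (which lives in the CISA repository): a small Python scanner that evaluates three families of indicator against already-collected data, namely event-log field matches (for example a logon or service-install record), registry matches under a persistence location, and YARA-style byte-pattern matches on file contents. Every indicator name, event record, registry entry and file buffer below is a constructed placeholder chosen for the demonstration, not one of CISA's published IOCs; the field names follow the usual Windows event XML naming but the records are built inline rather than read from a live system.

```python
"""Constructed example of an IOC scanner in the style of a host hunt tool.

Three indicator families are evaluated against offline, collected data:
  * event-log indicators : EventID plus per-field exact or regex matches
  * registry indicators  : value data under a persistence key
  * content indicators   : YARA-like byte patterns inside file buffers
All indicators and sample data are placeholders, not real IOCs.
"""
from dataclasses import dataclass
import re


@dataclass
class Hit:
    indicator: str   # name of the indicator that fired
    source: str      # which evidence type produced the hit
    detail: str      # human-readable context for the analyst


# ---- constructed indicator set (placeholders, not CISA's IOCs) ----
EVENT_INDICATORS = [
    {"name": "example-network-logon-by-service-account", "event_id": 4624,
     "fields": {"LogonType": "3",
                "TargetUserName": re.compile(r"^svc_placeholder$", re.I)}},
    {"name": "example-suspicious-service-install", "event_id": 7045,
     "fields": {"ServiceName": re.compile(r"placeholder", re.I)}},
]
REGISTRY_INDICATORS = [
    {"name": "example-run-key-persistence",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_pattern": re.compile(r"placeholder_updater\.exe", re.I)},
]
CONTENT_INDICATORS = [
    {"name": "example-marker-string",
     "patterns": [b"PLACEHOLDER_MARKER", b"\x90\x90\x90\x90"]},
]


def _field_matches(actual, expected):
    """Exact string compare, or regex search when the indicator holds a pattern."""
    if actual is None:
        return False
    if isinstance(expected, re.Pattern):
        return expected.search(str(actual)) is not None
    return str(actual) == str(expected)


def scan_events(events):
    """events: list of dicts with EventID plus event-data fields."""
    hits = []
    for ev in events:
        for ind in EVENT_INDICATORS:
            if ev.get("EventID") != ind["event_id"]:
                continue
            if all(_field_matches(ev.get(k), v) for k, v in ind["fields"].items()):
                hits.append(Hit(ind["name"], "eventlog",
                                f"EventID {ev['EventID']} record {ev.get('RecordId')}"))
    return hits


def scan_registry(registry):
    """registry: dict mapping key path -> {value name: value data}."""
    hits = []
    for ind in REGISTRY_INDICATORS:
        for vname, data in registry.get(ind["key"], {}).items():
            if ind["value_pattern"].search(str(data)):
                hits.append(Hit(ind["name"], "registry", f"{ind['key']}\\{vname} = {data}"))
    return hits


def scan_content(files):
    """files: dict mapping path -> bytes; one hit per file per indicator at most."""
    hits = []
    for path, data in files.items():
        for ind in CONTENT_INDICATORS:
            for pat in ind["patterns"]:
                if pat in data:
                    hits.append(Hit(ind["name"], "file", f"{path}: matched {pat!r}"))
                    break
    return hits


def run_hunt(events, registry, files):
    """Run every indicator family and return the combined list of hits."""
    return scan_events(events) + scan_registry(registry) + scan_content(files)


# ---- constructed sample evidence (not captured from a real host) ----
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4624, "LogonType": "2", "TargetUserName": "alice"},
    {"RecordId": 2, "EventID": 4624, "LogonType": "3", "TargetUserName": "SVC_PLACEHOLDER"},
    {"RecordId": 3, "EventID": 7045, "ServiceName": "Print Spooler"},
    {"RecordId": 4, "EventID": 7045, "ServiceName": "placeholder_helper"},
]
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "Updater": r"C:\ProgramData\placeholder_updater.exe /silent",
    },
}
SAMPLE_FILES = {
    r"C:\Windows\Temp\benign.bin": b"hello world",
    r"C:\Windows\Temp\suspect.bin": b"header" + b"PLACEHOLDER_MARKER" + b"tail",
}

if __name__ == "__main__":
    for h in run_hunt(SAMPLE_EVENTS, SAMPLE_REGISTRY, SAMPLE_FILES):
        print(f"[{h.source}] {h.indicator}: {h.detail}")
```

Run against the constructed sample data, the scanner reports four hits: the network logon by the placeholder service account, the placeholder service install, the Run-key entry, and the marker string in the second file, while the benign records and the OneDrive autorun produce nothing. The point of the structure is that collection (reading event logs, registry hives, files) is separated from matching, so indicator sets can be updated without touching the collectors, which is also why a tool of this kind can be extended by anyone with access to the source.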