BOOK AN APPOINTMENT WITH AN IT SPECIALIST TODAY

18 Mar 2021

AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool

Original release date: March 18, 2021

Summary

This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:

Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.

In this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.

CHIRP is freely available on the CISA GitHub Repository. Note: CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.

CISA advises organizations to use CHIRP to:

  • Examine Windows event logs for artifacts associated with this activity;
  • Examine Windows Registry for evidence of intrusion;
  • Query Windows network artifacts; and
  • Apply YARA rules to detect malware, backdoors, or implants.

Network defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).

If an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

Click here for a PDF version of this report.

Technical Details

How CHIRP Works

CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A.

Currently, the tool looks for:

  • The presence of malware identified by security researchers as TEARDROP and RAINDROP;
  • Credential dumping certificate pulls;
  • Certain persistence mechanisms identified as associated with this campaign;
  • System, network, and M365 enumeration; and
  • Known observable indicators of lateral movement.

Network defenders can follow step-by-step instructions on the CISA CHIRP GitHub repository to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.

Compatibility

CHIRP currently only scans Windows operating systems.

Instructions

CHIRP is available on CISA’s GitHub repository in two forms:

  1. A compiled executable

  2. A python script

CISA recommends using the compiled version to easily scan a system for APT activity. For instructions to run, read the README.md in the CHIRP GitHub repository.

If you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.

Mitigations

Interpreting the Results

CHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).

If you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

Frequently Asked Questions

  1. What systems should CHIRP run on?

    Systems running SolarWinds Orion or believed to be involved in any resulting lateral movement.

  2. What should I do with results?

    Ingest the JSON results into a SIEM system, web browser, or text editor.

  3. Are there existing tools that CHIRP complements and/or provide the same benefit as CHIRP?
    1. Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run.

    2. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure environments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. CHIRP provides a complementary capability to Sparrow by scanning for on-premises systems for similar activity.

  4. How often should I run CHIRP?

    CHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in its native format.

  5. Do I need to configure the tool before I run it?

    No.

  6. Will CHIRP change or affect anything on the system(s) it runs on?

    No, CHIRP only scans the system(s) it runs on and makes no active changes.

  7. How long will it take to run CHIRP?

    CHIRP will complete its scan in approximately 1 to 2 hours. Duration will be dependent on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.

  8. If I have questions, who do I contact?  

    For general questions regarding CHIRP, please contact CISA via email at [email protected] or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at https://us-cert.cisa.gov/report. For all technical issues or support for CHIRP, please submit issues at the CISA CHIRP GitHub Repository

Revisions

  • March 18, 2021: Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.

More Like This

Apple Notes Tips

Apple Notes Tips With the dawn of the new year, January is the perfect time to get your to-do list in order. But these days, most people’s lists are complicated agendas full of work and personal items, multiple schedules, and seemingly endless tasks. To keep things straight, one thing that can help is a savvy …

Apple Notes Tips Read More »

Read More

AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

Original release date: January 11, 2022 Summary Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture. • Patch all systems. Prioritize patching known exploited vulnerabilities. • Implement multi-factor authentication. • Use antivirus software. • Develop internal contact lists and surge support. Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge …

AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure Read More »

Read More

11 Unexpected Ways to Manage Chromebook Files

11 Unexpected Ways to Manage Chromebook Files Chromebooks have been around for over a decade now, but at the beginning, they weren’t intended for file management, with the original Chromebooks not even having a Files app. Copying or moving data, finding files or wirelessly transferring and syncing files with other systems was virtually impossible. But …

11 Unexpected Ways to Manage Chromebook Files Read More »

Read More

AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities

Original release date: December 22, 2021 Summary The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the …

AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities Read More »

Read More

What Are Workers’ Rights in the Face of Employee Monitoring?

What Are Workers’ Rights in the Face of Employee Monitoring? As the use of technology in our everyday lives continues to increase, it’s no surprise that any legislation surrounding that technology is constantly lagging behind. After all, it’s usually impossible to know the potential dangers of technology until damage has been done. Fortunately, legislation usually …

What Are Workers’ Rights in the Face of Employee Monitoring? Read More »

Read More

Can Technology Reverse the Workforce – Depleting ‘Great Resignation’ of 2021?

Can Technology Reverse the Workforce – Depleting ‘Great Resignation’ of 2021? Although remote and other technology appears to be an underlying cause of the 2021 “Great Resignation,” it may also hold the key to a“Great Return.” Many believed the mass exodus from the workforce had peaked in April when a total of 24 million had …

Can Technology Reverse the Workforce – Depleting ‘Great Resignation’ of 2021? Read More »

Read More