BOOK AN APPOINTMENT WITH AN IT SPECIALIST TODAY

18 Mar 2021

AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool

Original release date: March 18, 2021

Summary

This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:

Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.

In this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.

CHIRP is freely available on the CISA GitHub Repository. Note: CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.

CISA advises organizations to use CHIRP to:

  • Examine Windows event logs for artifacts associated with this activity;
  • Examine Windows Registry for evidence of intrusion;
  • Query Windows network artifacts; and
  • Apply YARA rules to detect malware, backdoors, or implants.

Network defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).

If an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

Click here for a PDF version of this report.

Technical Details

How CHIRP Works

CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A.

Currently, the tool looks for:

  • The presence of malware identified by security researchers as TEARDROP and RAINDROP;
  • Credential dumping certificate pulls;
  • Certain persistence mechanisms identified as associated with this campaign;
  • System, network, and M365 enumeration; and
  • Known observable indicators of lateral movement.

Network defenders can follow step-by-step instructions on the CISA CHIRP GitHub repository to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.

Compatibility

CHIRP currently only scans Windows operating systems.

Instructions

CHIRP is available on CISA’s GitHub repository in two forms:

  1. A compiled executable

  2. A python script

CISA recommends using the compiled version to easily scan a system for APT activity. For instructions to run, read the README.md in the CHIRP GitHub repository.

If you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.

Mitigations

Interpreting the Results

CHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).

If you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

Frequently Asked Questions

  1. What systems should CHIRP run on?

    Systems running SolarWinds Orion or believed to be involved in any resulting lateral movement.

  2. What should I do with results?

    Ingest the JSON results into a SIEM system, web browser, or text editor.

  3. Are there existing tools that CHIRP complements and/or provide the same benefit as CHIRP?
    1. Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run.

    2. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure environments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. CHIRP provides a complementary capability to Sparrow by scanning for on-premises systems for similar activity.

  4. How often should I run CHIRP?

    CHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in its native format.

  5. Do I need to configure the tool before I run it?

    No.

  6. Will CHIRP change or affect anything on the system(s) it runs on?

    No, CHIRP only scans the system(s) it runs on and makes no active changes.

  7. How long will it take to run CHIRP?

    CHIRP will complete its scan in approximately 1 to 2 hours. Duration will be dependent on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.

  8. If I have questions, who do I contact?  

    For general questions regarding CHIRP, please contact CISA via email at central@cisa.dhs.gov or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at https://us-cert.cisa.gov/report. For all technical issues or support for CHIRP, please submit issues at the CISA CHIRP GitHub Repository

Revisions

  • March 18, 2021: Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.

More Like This

AA21-265A: Conti Ransomware

Original release date: September 22, 2021 Summary Immediate Actions You Can Take Now to Protect Against Conti Ransomware • Use multi-factor authentication. • Segment and segregate networks and functions. • Update your operating system and software. Note: This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK …

AA21-265A: Conti Ransomware Read More »

Read More

Are You Planning to Download Windows 11 Free Update?

Are You Planning to Download Windows 11 Free Update? Here’s a Quick Guide Microsoft’s new operating system has generated considerable interest from users and tech experts. Windows 11 brings many key new features that enhance the overall user experience. From October 5, 2021, Microsoft will roll out the update to eligible Windows 7 and 10 …

Are You Planning to Download Windows 11 Free Update? Read More »

Read More

AA21-259A: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus

Original release date: September 16, 2021 Summary This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise for  referenced threat actor tactics and for techniques. This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States …

AA21-259A: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus Read More »

Read More

If You Own These Four Small Business Cisco Routers: It’s Time to Replace Them

If You Own These Four Small Business Cisco Routers: It’s Time to Replace Them A security flaw discovered in RV110W, RV130, RV130W, and RV215W Cisco routers creates significant vulnerabilities. Traditionally, these UPnP (universal plug and play) routers would receive security updates from the vendor. However, Cisco recently announced that it has no plans to release …

If You Own These Four Small Business Cisco Routers: It’s Time to Replace Them Read More »

Read More

Do You Want to Speed Up Your Computer?

Do You Want to Speed Up Your Computer? Here are Top Tips A slow computer can undermine productivity and become a source of frustration. Fortunately, there are several ways to boost speed and overall performance, irrespective of whether your computer is relatively new or older. You can achieve the desired performance by following specific tips …

Do You Want to Speed Up Your Computer? Read More »

Read More

AA21-243A: Ransomware Awareness for Holidays and Weekends

Original release date: August 31, 2021 Summary Immediate Actions You Can Take Now to Protect Against Ransomware • Make an offline backup of your data. • Do not click on suspicious links. • If you use RDP, secure and monitor it. • Update your OS and software. • Use strong passwords. • Use multi-factor authentication. …

AA21-243A: Ransomware Awareness for Holidays and Weekends Read More »

Read More