π
Table of Contents
-
π Table of Contents -
π§ About -
π Getting Started -
π Usage -
βοΈ Built Using -
βοΈ Authors -
π Acknowledgements -
π€ Contributing -
π License -
βοΈ Legal Disclaimer
π§
About
The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.
The initial IoCs are intended to search for activity detailed in CISA Alert AA21-008A that has spilled into the enterprise environment.
π
Getting Started
We build and release CHIRP via Releases
. However, if you wish to run with Python3.6+, follow these instructions.
You can also write new indicators or plugins for CHIRP.
Prerequisites
Python 3.6 or greater is required to run CHIRP with Python. If you need help installing Python in your environment, follow the instructions here
CHIRP must be run on a live machine, but it does not have to be network connected. Currently, CHIRP must run on the drive containing winevt logs. Shortly after release, this will be updated so CHIRP can run from any drive.
Installing
python3 -m pip install -e .
In our experience, yara-python comes with some other dependencies. You MAY have to install Visual Studio C++ 14.0 and the Windows 10 SDK, this can be retrieved with Visual Studio Community
π
Usage
release
From.\chirp.exe
From python
python3 chirp.py
Example output
[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye common.py:103
Cosmic Gale', 'FireEye Sunburst']... this is going to take a while.
[YARA] Entered yara plugin. common.py:103
[REGISTRY] Found 0 hit(s) for IFEO Persistence indicator. common.py:103
[REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator. common.py:103
[REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.
...
...
...
[+] Done! Your results can be found at Z:\README\output.
βοΈ
Built Using
- Python - Language
- Nuitka - For compilation
- evtx2json - For event log access
- yara-python - Parses and runs yara rules
- rich - Makes the CLI easier on the eyes
- psutil - Provides an easy API for many OS functions
βοΈ
Authors
π
Acknowledgements
- Denise Keating
- Liana Parakesyan
- Richard Kenny
- Megan Nadeau
- Ewa Dadok
- David Zito
- Chris Brown
- Julian Blanco, LTJG USCG
- Caleb Stewart, LT USCG
π€
Contributing
We welcome contributions! Please see here for details.
π
License
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
βοΈ
Legal Disclaimer
NOTICE
This software package (βsoftwareβ or βcodeβ) was created by the United States Government and is not subject to copyright within the United States. All other rights are reserved. You may use, modify, or redistribute the code in any manner. However, you may not subsequently copyright the code as it is distributed. The United States Government makes no claim of copyright on the changes you effect, nor will it restrict your distribution of bona fide changes to the software. If you decide to update or redistribute the code, please include this notice with the code. Where relevant, we ask that you credit the Cybersecurity and Infrastructure Security Agency with the following statement: βOriginal code developed by the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security.β
USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.
THIS SOFTWARE IS OFFERED βAS-IS.β THE UNITED STATES GOVERNMENT WILL NOT INSTALL, REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.