A forensic collection tool written in Python.

Overview

CISA logo

CHIRP

Status GitHub Issues GitHub Pull Requests License


A forensic collection tool written in Python.

Watch the video overview

πŸ“ Table of Contents

🧐 About

The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.

The initial IoCs are intended to search for activity detailed in CISA Alert AA21-008A that has spilled into the enterprise environment.

🏁 Getting Started

We build and release CHIRP via Releases. However, if you wish to run with Python3.6+, follow these instructions.

You can also write new indicators or plugins for CHIRP.

Prerequisites

Python 3.6 or greater is required to run CHIRP with Python. If you need help installing Python in your environment, follow the instructions here

CHIRP must be run on a live machine, but it does not have to be network connected. Currently, CHIRP must run on the drive containing winevt logs. Shortly after release, this will be updated so CHIRP can run from any drive.

Installing

python3 -m pip install -e .

In our experience, yara-python comes with some other dependencies. You MAY have to install Visual Studio C++ 14.0 and the Windows 10 SDK, this can be retrieved with Visual Studio Community

🎈 Usage

From release

.\chirp.exe

From python

python3 chirp.py

Example output

[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye       common.py:103
           Cosmic Gale', 'FireEye Sunburst']... this is going to take a while.
           [YARA] Entered yara plugin.                                                                                                                       common.py:103
           [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.                                                                                         common.py:103
           [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator.                                                                             common.py:103
           [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.
           ...
           ...
           ...
           [+] Done! Your results can be found at Z:\README\output.

⛏️ Built Using

  • Python - Language
  • Nuitka - For compilation
  • evtx2json - For event log access
  • yara-python - Parses and runs yara rules
  • rich - Makes the CLI easier on the eyes
  • psutil - Provides an easy API for many OS functions

✍️ Authors

πŸŽ‰ Acknowledgements

🀝 Contributing

We welcome contributions! Please see here for details.

πŸ“ License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

βš–οΈ Legal Disclaimer

NOTICE

This software package (β€œsoftware” or β€œcode”) was created by the United States Government and is not subject to copyright within the United States. All other rights are reserved. You may use, modify, or redistribute the code in any manner. However, you may not subsequently copyright the code as it is distributed. The United States Government makes no claim of copyright on the changes you effect, nor will it restrict your distribution of bona fide changes to the software. If you decide to update or redistribute the code, please include this notice with the code. Where relevant, we ask that you credit the Cybersecurity and Infrastructure Security Agency with the following statement: β€œOriginal code developed by the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security.”

USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.

THIS SOFTWARE IS OFFERED β€œAS-IS.” THE UNITED STATES GOVERNMENT WILL NOT INSTALL, REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.

Comments
  • UnicodeEncodeError on Win2016 Std

    UnicodeEncodeError on Win2016 Std

    πŸ› Summary

    Getting errors when executing scan v.1.06 on Win2016 Std. Scan appears to be frozen in place. Please see output below.

    To reproduce

    1.Extract zip 2. Browse to chirp.exe 3. Double click chirp.exe

    Expected behavior

    Run all scans to completion

    Any helpful log output or screenshots

    10:36:43 NETWORK  Read 128 records, found 0 IoC hits.                                                        scan.py:56
    10:36:44 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot                 scan.py:65
             REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
             REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF                                          scan.py:65
             REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution scan.py:65
                      Options\
             REGISTRY Found 0 hit(s) for Sibot - Registry indicator.                                             scan.py:47
             REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator.                                 scan.py:47
             REGISTRY Found 0 hit(s) for IFEO Persistence indicator.                                             scan.py:47
             YARA     Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified',        run.py:161
                      'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of
                      procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike
                      Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is
                      going to take a while.
    10:36:44 EVENTS   Reading Windows Powershell event logs.                                                     scan.py:69
    10:36:44 EVENTS   Reading Security event logs.                                                               scan.py:69
    10:37:22 EVENTS   Reading KernelMode event logs.                                                             scan.py:69
             EVENTS   Reading Application event logs.                                                            scan.py:69
    10:39:09 YARA     Beginning processing.                                                                      run.py:109
    10:51:40 YARA     We're still working on scanning files. 50000 processed.                                    run.py:111
    10:59:54 ERROR   multiprocessing.pool.RemoteTraceback:
    """
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 122, in _run
    UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 125, in worker
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 48, in mapstar
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 132, in _run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 2045, in error
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1471, in error
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1585, in _log
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1595, in handle
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1657, in callHandlers
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 950, in handle
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\logging.py", line 153, in emit
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1506, in print
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 776, in __exit__
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 735, in _exit_buffer
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1695, in _check_buffer
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 41, in write
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 162, in write
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 187, in write_and_convert
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 195, in write_plain_text
    UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed
    *** You may need to add PYTHONIOENCODING=utf-8 to your environment ***
    """
    
    The above exception was the direct cause of the following exception:
    
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp.py", line 17, in <module>
        run.run()
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 20, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 30, in run_plugins
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py", line 616, in run_until_complete
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 44, in _run_coroutines
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 178, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 448, in <genexpr>
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 868, in next
    UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed
    
    bug need info 
    opened by RITOps 32
  • CHIRP crashing on Windows Server 2008 R2 (APPCRASH, KERNELBASE.dll)

    CHIRP crashing on Windows Server 2008 R2 (APPCRASH, KERNELBASE.dll)

    πŸ› Summary

    Program crashes with exception code c0000005

    To reproduce

    Steps to reproduce the behavior:

    Download Chirp.zip from GitHub Extract all files to folder Run gci -recurse | unblock-file on extracted folder Run .\chirp.exe

    Expected behavior

    Expected program to run. Instead got "chirp.exe has stopped working" error.

    Any helpful log output or screenshots

    Problem signature: Problem Event Name: APPCRASH Application Name: chirp.exe Application Version: 0.0.0.0 Application Timestamp: 605393f8 Fault Module Name: KERNELBASE.dll Fault Module Version: 6.1.7601.24545 Fault Module Timestamp: 5e0eb6bd Exception Code: c0000005 Exception Offset: 0000000000001b44 OS Version: 6.1.7601.2.1.0.305.9 Locale ID: 3081 Additional Information 1: e040 Additional Information 2: e040c29db662d05b38ba55c14f951903 Additional Information 3: 97c4 Additional Information 4: 97c44f27c029744371d2d6b1e5a32dd4

    Paste the results here:

    
    

    Add any screenshots of the problem here.

    bug 
    opened by DASCert 18
  • [EVENTS] Read 0 logs, found 0 matches

    [EVENTS] Read 0 logs, found 0 matches

    πŸ› Summary

    From CLI output, I see this line:

    [09:33:29] [EVENTS] Read 0 logs, found 0 matches. common.py:103

    To reproduce

    Steps to reproduce the behavior:

    1. Run Executable as administrator
    2. Observe output

    Expected behavior

    [09:33:29] [EVENTS] Read NNNN logs, found x matches. common.py:103

    Any helpful log output or screenshots

    Paste the results here:

    [09:30:18] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', common.py:103 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. [YARA] Entered yara plugin. common.py:103 [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator. common.py:103 [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator. common.py:103 [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator. common.py:103 [REGISTRY] Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File common.py:103 Execution Options
    [REGISTRY] Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF common.py:103 [REGISTRY] Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not common.py:103 exist. [REGISTRY] Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot common.py:103 [REGISTRY] Entered registry plugin. common.py:103 [NETWORK] Read 327 records, found 0 IoC hits. common.py:103 [NETWORK] Entered network plugin. common.py:103 [EVENTS] Entered events plugin. common.py:103 [09:30:36] [EVENTS] Reading KernelMode event logs. common.py:103 [EVENTS] Reading Security event logs. common.py:103 [EVENTS] Reading Windows Powershell event logs. common.py:103 [09:33:27] [YARA] Beginning processing. common.py:103 [09:33:29] [EVENTS] Read 0 logs, found 0 matches. common.py:103 [09:34:23] [YARA] We're still working on scanning files. 50000 processed. common.py:103 [09:35:17] [YARA] We're still working on scanning files. 100000 processed. common.py:103 [09:36:17] [YARA] We're still working on scanning files. 150000 processed. common.py:103 [09:36:43] [YARA] We're still working on scanning files. 200000 processed. common.py:103 [09:37:29] [YARA] We're still working on scanning files. 250000 processed. common.py:103 [09:38:07] [YARA] We're still working on scanning files. 300000 processed. common.py:103 [09:38:39] [YARA] We're still working on scanning files. 350000 processed. common.py:103 [09:39:27] [YARA] We're still working on scanning files. 400000 processed. common.py:103 [09:39:51] [YARA] We're still working on scanning files. 450000 processed. common.py:103 [09:40:17] [YARA] We're still working on scanning files. 500000 processed. common.py:103 [09:40:41] [YARA] We're still working on scanning files. 550000 processed. common.py:103 [09:41:13] [YARA] We're still working on scanning files. 600000 processed. common.py:103 [09:42:07] [YARA] We're still working on scanning files. 650000 processed. common.py:103 [09:42:47] [YARA] We're still working on scanning files. 700000 processed. common.py:103 [09:43:15] [YARA] We're still working on scanning files. 750000 processed. common.py:103 [09:43:45] [+] DONE! Your results can be found in C:\ARTemp issue \chirp\output. common.py:103 [YARA] Found 0 hit(s) for yara indicators. common.py:103 [YARA] Done. Processed 796957 files. common.py:103

    Add any screenshots of the problem here.

    bug 
    opened by rsmith16384 14
  • Application Hangs after Traceback errors

    Application Hangs after Traceback errors

    πŸ› Summary

    Traceback error comes up and app seems to freeze while trying to scan files during YARA section.

    To reproduce

    Log into Win2012R2 server as domain admin, go to chirp directory and kick off app via Powershell (admin mode) /.chirp.exe Left the process running overnight. Following day found app window with errors: Traceback errors (see attached).

    CHIRP process still in Task Manager, but stuck at 0% CPU utilization.

    This occurs on version 1.03 and 1.04 on Win2012R2

    Ran version 1.05 on Win2012R2 and getting Traceback error with Unicode errors as shown below. This is preceded by Traceback lines that are identical with each occurrence. UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4544: invalid start byte UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4447: invalid start byte UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 3871: invalid start byte

    Expected behavior

    Tool is expected to run to completion.

    Any helpful log output or screenshots

    Win2012R2 CHIRP Error_Hangs

    Version 1.05 PS C:\kworking\chirp> cd.. PS C:\kworking> cd chirp1.05 PS C:\kworking\chirp1.05> ./chirp.exe 16:20:23 EVENTS Reading Windows Powershell event logs. scan.py:69 16:20:24 EVENTS Reading KernelMode event logs. scan.py:69 EVENTS Reading Application event logs. scan.py:69 16:20:25 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot scan.py:65 REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93 REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65 REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution scan.py:65 Options
    REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47 REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator. scan.py:47 REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47 YARA Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified', run.py:141 'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. 16:20:49 EVENTS Reading Security event logs. scan.py:69 16:29:26 YARA Beginning processing. run.py:100 Traceback (most recent call last): File "C:\Users<account>\AppData\Local\Temp\ONEFIL~3\chirp.py", line 17, in run.run() File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 20, in run File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 30, in run_plugins File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\asyncio\base_events.py", line 616, in run_until_complete File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 44, in _run_coroutines File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\network\scan.py", line 44, in run File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\network\network.py", line 37, in parse_dns UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4544: invalid start byte 16:35:55 YARA We're still working on scanning files. 50000 processed. run.py:96 16:40:34 YARA We're still working on scanning files. 100000 processed. run.py:96 16:43:17 YARA We're still working on scanning files. 150000 processed. run.py:96 16:45:09 YARA We're still working on scanning files. 200000 processed. run.py:96

    This is another Win2012R2 server, with CHIRP v1.05 - UnicodeError 0xff in position 4447 error. 11:05:40 EVENTS Reading KernelMode event logs. scan.py:69 EVENTS Reading Application event logs. scan.py:69 11:05:41 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wind scan.py:65 ows\CurrentVersion\sibot REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wind registry.py:93 ows\CurrentVersion\sibot does not exist. REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65 REGISTRY Reading scan.py:65 HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47 REGISTRY Found 0 hit(s) for Teardrop - Registry Activity scan.py:47 indicator. REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47 YARA Enumerating the entire filesystem due to run.py:141 ['simpleseesharp : Webshell Unclassified', 'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. 11:09:35 YARA Beginning processing. run.py:100 Traceback (most recent call last): File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp.py", line 17, in run.run() File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 20, in r un File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 30, in r un_plugins File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\asyncio\base_events.py", lin e 616, in run_until_complete File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 44, in _ run_coroutines File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\plugins\network\scan.p y", line 44, in run File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\plugins\network\networ k.py", line 37, in parse_dns UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4447: inval id start byte 11:11:52 EVENTS Reading Windows Powershell event logs. scan.py:69 11:12:14 EVENTS Reading Security event logs. scan.py:69

    Add any screenshots of the problem here.

    bug 
    opened by RITOps 7
  • v1.0.2b - 'mountvol' is not recognized as an internal or external command, operable program or batch file.

    v1.0.2b - 'mountvol' is not recognized as an internal or external command, operable program or batch file.

    πŸ› Summary

    What's wrong? Please be specific.

    When running the python code, this error is immediately displayed and appears to affect subsequent operations (scan appears to hang):

    C:\ARTemp\chirp\LATEST\CHIRP-main>C:\Users\rsmit\AppData\Local\Programs\Python\Python39-32\python.exe chirp.py 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ Traceback (most recent call last) ────────────────────────────────┐ β”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp.py:16 in 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. β”‚ 'mountvol' is not recognized as an internal or external command, operable program or batch file. β”‚ β”‚'mountvol' is not recognized as an internal or external command, operable program or batch file.

    β”‚ 13 if name == "main": β”‚ β”‚ 14 β”‚ try: β”‚ β”‚ 15 β”‚ β”‚ freeze_support() β”‚ β”‚ > 16 β”‚ β”‚ run.run() β”‚ β”‚ 17 β”‚ β”‚ time.sleep(2) β”‚ β”‚ 18 β”‚ β”‚ CONSOLE( β”‚ β”‚ 19 β”‚ β”‚ β”‚ "[green][+][/green] DONE! Your results can be found in {}. Press any key to β”‚ β”‚ β”‚ β”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:19 in run β”‚ β”‚ β”‚ β”‚ 16 β”‚ if not os.path.exists(OUTPUT_DIR): β”‚ β”‚ 17 β”‚ β”‚ os.mkdir(OUTPUT_DIR) β”‚ β”‚ 18 β”‚ plugins = loader.load() β”‚ β”‚ > 19 β”‚ run_plugins(plugins) β”‚ β”‚ 20 β”‚ β”‚ 21 β”‚ β”‚ 22 def run_plugins(plugins: Dict[str, Callable]) -> None: β”‚ β”‚ β”‚ 'mountvol' is not recognized as an internal or external command, operable program or batch file. β”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:29 in run_plugins β”‚ β”‚ β”‚ β”‚ 26 β”‚ 'mountvol' is not recognized as an internal or external command, operable program or batch file. :type plugins: Dict[str, Callable] β”‚ β”‚ 27 β”‚ """ β”‚ β”‚ 28 β”‚ _loop = asyncio.get_event_loop() β”‚ β”‚ > 29 β”‚ _loop.run_until_complete(_run_coroutines(plugins)) β”‚ β”‚ 30 β”‚ β”‚ 31 β”‚ β”‚ 32 async def _run_coroutines(plugins: Dict[str, Callable]) -> None: β”‚ β”‚ β”‚ β”‚ C:\Users\rsmit\AppData\Local\Programs\Python\Python39-32\lib\asyncio\base_events.py'mountvol' is not recognized as an internal or external command, operable program or batch file. :642 in β”‚ β”‚ run_until_complete β”‚ β”‚ β”‚ β”‚ 639 β”‚ β”‚ if not future.done(): β”‚ β”‚ 640 β”‚ β”‚ β”‚ raise RuntimeError('Event loop stopped before Future completed.') β”‚ β”‚ 641 β”‚ β”‚ β”‚ 'mountvol' is not recognized as an internal or external command, operable program or batch file. β”‚ > 642 β”‚ β”‚ return future.result() β”‚ β”‚ 643 β”‚ β”‚ β”‚ 644 β”‚ def stop(self): β”‚ β”‚ 645 β”‚ β”‚ """Stop running the event loop. β”‚ β”‚ β”‚ β”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:43 in _run_coroutines β”‚ β”‚ β”‚ β”‚ 40 β”‚ β”‚ β”‚ load.from_yaml(get_indicators()), list(plugins.keys()) β”‚ β”‚ 41 β”‚ β”‚ ) β”‚ β”‚ 42 β”‚ ) β”‚ β”‚ > 43 β”‚ await asyncio.gather( β”‚ β”‚ 44 β”‚ β”‚ *[ β”‚ β”‚ 45 β”‚ β”‚ β”‚ entrypoint( β”‚ β”‚ 46 β”‚ β”‚ β”‚ β”‚ [ β”‚ β”‚ β”‚ β”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\plugins\events\scan.py:129 in run β”‚ β”‚ β”‚ β”‚ 126 β”‚ async with aiomp.Pool() as pool: β”‚ β”‚ 127 β”‚ β”‚ try: β”‚ β”‚ 128 β”‚ β”‚ β”‚ async for i in pool.map(_run, tuple(run_args)): β”‚ β”‚ > 129 β”‚ β”‚ β”‚ β”‚ _rep = i[0] β”‚ β”‚ 130 β”‚ β”‚ β”‚ β”‚ num_logs += i[1] β”‚ β”‚ 131 β”‚ β”‚ β”‚ β”‚ for k, v in _rep.items(): β”‚ β”‚ 132 β”‚ β”‚ β”‚ β”‚ β”‚ try: β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ TypeError: 'NoneType' object is not subscriptable [07:36:38] [!] We can't find windows event logs at their standard path. common.py:104 [EVENTS] Entered events plugin. common.py:104 [NETWORK] Entered network plugin. common.py:104 [NETWORK] Read 163 records, found 0 IoC hits. common.py:104 [REGISTRY] Entered registry plugin. common.py:104 [REGISTRY] Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot common.py:104 [REGISTRY] Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not common.py:104 exist. [REGISTRY] Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF common.py:104 [REGISTRY] Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File common.py:104 Execution Options
    [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator. common.py:104 [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator. common.py:104 [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator. common.py:104 [YARA] Entered yara plugin. common.py:104 [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', common.py:104 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [YARA] Beginning processing. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [[07:36:40]! ] We can't find windows event logs at their standard path. [common.py!:104 ] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104

    To reproduce

    Download latest code Install with python.exe -m pip install -e . Run with python.exe chirp.py Observe output

    Expected behavior

    No mountvol error

    Any helpful log output or screenshots

    Paste the results here:

    mountvol

    Add any screenshots of the problem here.

    bug need info 
    opened by rsmith16384 7
  • Exception Processing Message

    Exception Processing Message

    πŸ› Summary

    When running chirp.exe with defaults this error comes up multiple times even when hitting continue.

    I ran chirp.exe from the extract folder of chirp running from C:\chirp\

    Screenshot from 2021-04-08 19-02-49

    bug need info 
    opened by bneu78 6
  • Files not found after scans

    Files not found after scans

    πŸ› Summary

    Program scans files then appears to hang (already addressed in issue #8). After pressing one or more keys, "Traceback" is produced with multiple "[Errno 2] No such file or directory" and references to %temp%\onefile_dddd_ddd ...ddd

    To reproduce

    Program was run on virtual Server 2012 User logged in using RDP Powershell run as admin cd to Location of downloaded files: C:\Support\Chirp

    Expected behavior

    Expected program to end normally and produce report

    Any helpful log output or screenshots

    Output hard to read with current colours so ..

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp.py:14 in

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:19 in run

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:29 in run_plugins

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py:642 in run_until_complete

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:43 in _run_coroutines

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py:128 in run

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py:145 in results_generator

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py:308 in results

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py'

    ProxyException: Traceback (most recent call last): File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py", line 110, in run File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py", line 73, in _run File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\events.py", line 98, in gather File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\events.py", line 67, in process_files File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\evtx2json.py", line 160, in iter_evtx2xml File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\Evtx\Evtx.py", line 66, in enter FileNotFoundError: [Errno 2] No such file or directory: 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx'

    image

    
    

    Add any screenshots of the problem here.

    bug 
    opened by DASCert 4
  • Non-zero Exit on IOC's Discovered in Non-interactive Mode

    Non-zero Exit on IOC's Discovered in Non-interactive Mode

    Non-zero Exit on IOC's Discovered in Non-interactive Mode

    πŸ—£ Description

    Seeks IOC detection count from run and exits with non-zero status in non-interactive mode, retaining existing functionality in interactive mode. Addresses #31

    πŸ’­ Motivation and context

    Common tooling in automatic workflows involves using non-zero exit codes to enable decision making after process completion. Using additional exit codes enhances CISA CHIRP's ability to be used within these contexts.

    πŸ§ͺ Testing

    Used pre-commit to ensure proper conformance with linting and style.

    Used the following against the code related to this PR to test various scenarios:

    # non-interactive mode with non-zero exit (CHIRP self-detects IOC's when targeting itself)
    python chirp.py -p yara -t c:\\chirp\\** -o chirp_result -l debug --non-interactive
    
    # non-interactive mode with zero exit (no detections)
    python chirp.py -p yara -t c:\\no_ioc_dir\\** -o chirp_result -l debug --non-interactive
    
    # interactive mode with zero exit after prompt
    python chirp.py -p yara -t c:\\no_ioc_dir\\** -o chirp_result -l debug
    

    βœ… Checklist

    • [x] This PR has an informative and human-readable title.
    • [x] Changes are limited to a single goal - eschew scope creep!
    • [x] All future TODOs are captured in issues, which are referenced in code comments.
    • [ ] All relevant type-of-change labels have been added.
    • [x] I have read the CONTRIBUTING document.
    • [x] These code changes follow cisagov code standards.
    • [x] All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
    • [] Tests have been added and/or modified to cover the changes in this PR.
    • [x] All new and existing tests pass.
    improvement 
    opened by d33bs 3
  • Non-zero Exit on IOC's Discovered in Non-interactive Mode

    Non-zero Exit on IOC's Discovered in Non-interactive Mode

    πŸ’‘ Summary

    Use non-zero exit when IOC's are discovered in non-interactive mode to enhance automatic workflows.

    Motivation and context

    Common tooling in automatic workflows involves using non-zero exit codes to enable decision making after process completion. Using additional exit codes would enhance CISA CHIRP's ability to be used within these contexts.

    Implementation notes

    CISA CHIRP would run plugins to completion and use reports to determine whether IOC's discovered is greater than 0. If any IOC's were discovered from the reports, we'd exit with a non-zero sys.exit(1) (see below).

    Use the following exit codes for status indications (i.e. sys.exit(number)):

    • 0 == successful completion, no IOC's detected
    • 1 == successful completion, IOC's detected
    • 2 == unsuccessful completion (errors, unexpectedly incomplete run, etc)

    Avoiding specifics about IOC's detected in logs may be beneficial (as otherwise public- or near-public display of this information may be a vulnerability or liability). Propose using generic log message (or no log message at all, solely relying on exit code) to indicate IOC's were discovered but remove specific mention of which ones. Open to thoughts or suggestions here!

    Acceptance criteria

    • [ ] CISA CHIRP runs all specified plugins through to report completion
    • [ ] Successful run with no IOC's detected from reports emits exit code 0
    • [ ] Successful run with IOC's detected from reports emits exit code 1
    • [ ] Unsuccessful run (errors, unexpectedly incomplete, etc) emits exit code 2
    improvement 
    opened by d33bs 3
  • Remove

    Remove "Press any key to exit" / make runtime fully non-interactive

    πŸ’‘ Summary

    Remove the "Press any key to exit" interactive prompt that occurs / add parameter to make the runtime of the EXE fully non-interactive.

    [08:22:51] [+] DONE! Your results can be found in D:\output. Press any key to exit. common.py:104

    Motivation and context

    Why does this work belong in this project?

    This would be useful because it would vastly increase the scope of audience that is able to consume this tool. RMM tools used by MSPs do not cope with programs that require keyboard input, have interactive prompts, and and have GUI-based pop-ups. If you want this tool to be used by the world, the tool must be able to run from 0 to 100 without stopping for input.

    Implementation notes

    Just remove any keyboard inputs OR add a parameter switch, i.e. "chirp.exe" -noprompt, to suppress all input prompts.

    Acceptance criteria

    How do we know when this work is done?

    When "chirp.exe" can be executed without having to "press any key to exit" and it finishes running on its own (self-terminates/process end).

    improvement 
    opened by BlueToast 3
  • Add Malicious IP Addresses Associated with CISA Alert - AA21-062A

    Add Malicious IP Addresses Associated with CISA Alert - AA21-062A

    πŸ—£ Description

    Added malicious IP addresses associated with CISA Alert - AA21-062A

    https://us-cert.cisa.gov/ncas/alerts/aa21-062a

    πŸ’­ Motivation and context

    I've started to use this tool with clients to detect any network activity related to the recent Exchange vulnerabilities. Figured others might want to do the same.

    opened by greyl0cke 3
  • Do you have any tips for running chirp via SCCM?

    Do you have any tips for running chirp via SCCM?

    Do you have any tips for running chirp via SCCM?

    It seems like it doesn’t run properly from an SMB share and also there doesn’t seem to be a way to capture the console output (even with a >)

    This isn't a bug per-se. Probably I'm just not using the console redirection, powershell scripting, or other context/environment aspects correctly, but the naive implementation isn't working.

    (run from sccm scripts->) cmd.exe /c "\SHARE\chirp\chirp.exe -o \SHARE\chirpout\test"

    opened by apowelliaea 0
  • CHIRP scanning it's own files and reporting as hits

    CHIRP scanning it's own files and reporting as hits

    πŸ› Summary

    Seems like CHIRP tool scanning it's own resources and showing them as hit counts in final scan output.

    To reproduce

    Steps to reproduce the behavior:

    1. Download version 1.0.7 from the repository.
    2. Unzip it on your machine.
    3. Run the scan with defaults.
    4. Check the results - Yara indicator will show '1' Hit.

    Expected behavior

    What did you expect to happen that didn't?

    CHIRP tool might scan it's resources. However, it should be excluded from the output and final scan results.

    Any helpful log output or screenshots

    Paste the results here:

    image

    Add any screenshots of the problem here.

    opened by Kamalesh-Veluri 0
  • Crowdstrike yaml rules create a false positive when the tool has been ran twice.

    Crowdstrike yaml rules create a false positive when the tool has been ran twice.

    πŸ› Summary

    What's wrong? Please be specific.

    To reproduce

    Steps to reproduce the behavior:

    1. Run the CHIRP tool on a server
    2. Look at the results, they should show zero results or matches
    3. Run the CHIRP tool again
    4. The CHIRP Results show a false positive based on yaml rules

    Expected behavior

    What did you expect to happen that didn't? No detected results when using the tool multiple times

    Any helpful log output or screenshots

    Paste the results here:

    "CrowdStrike Sunspot": { "description": ""Identifies Sunspot backdoor dropper utilizing unique strings in key encryption material, mutexes, and logging."\n", "confidence": 10, "matches": [ { "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}", "namespace": "CrowdStrike Sunspot", "rule": "CrowdStrike_SUNSPOT_02", "strings": "[(1155, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (1227, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]", "tags": "['artifact', 'stellarparticle', 'sunspot']", "file": "C:\$Recycle.Bin\S-1-5-21-1078081533-1897051121-xxxxxx-19038\xxxxx\crowdstrike_sunspot.yaml" }, { "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}", "namespace": "CrowdStrike Sunspot", "rule": "CrowdStrike_SUNSPOT_02", "strings": "[(514, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (578, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]", "tags": "['artifact', 'stellarparticle', 'sunspot']", "file": "C:\Users\xxxxx\Desktop\Results\output\yara.json" } ] } }

    
    Add any screenshots of the problem here.
    
    opened by capricewag 0
  • Seems CHIRP is Visual Studio dependent.

    Seems CHIRP is Visual Studio dependent.

    πŸ› Summary

    Requires visual studio to run, not all systems can have that on the system.

    To reproduce

    Steps to reproduce the behavior:

    1. Tried to run on WinSrv2016 without Visual Studio and failed to run.
    2. Ran on a system with Visual studio and was successful.

    Expected behavior

    I was expecting the CHIRP.exe tool to run.

    Any helpful log output or screenshots

    Paste the results here:

    
    

    Add any screenshots of the problem here.

    wontfix 
    opened by avaxa21 7
  • Create PYPI Package with Modified Name to Avoid Typosquatting and Enable Wide Distribution

    Create PYPI Package with Modified Name to Avoid Typosquatting and Enable Wide Distribution

    πŸ’‘ Summary

    "chirp" is already registered as a package name on PYPI, meaning someone may erroneously believe they're installing CISA's CHIRP but end up with https://pypi.org/project/chirp/ instead. In general, this may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). CISA could deploy a PYPI package as "cisa-chirp" to differentiate from other packages and protect against typosquatting (in addition to general confusion with other packages).

    This seems to have been brought up and closed, but I'd like to resurface as an idea for consideration. Reference: https://github.com/cisagov/CHIRP/issues/19

    Motivation and context

    In general, the package and project name similarities may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). Making a PYPI package available with another name and documenting it would be beneficial in securing the project and enable wide distribution via command line: "pip install <package name>".

    Implementation notes

    Propose including authority in the package name itself, for instance "cisa-chirp", to differentiate and provide trust in the package via PYPI.

    Acceptance criteria

    How do we know when this work is done?

    • [ ] Issuing the command "pip install <modified package name>" installs CISA's CHIRP project and enables it to be used on client machine.
    evaluating 
    opened by d33bs 2
  • Process Memory Plugin

    Process Memory Plugin

    πŸ’‘ Summary

    A plugin to inspect process memory would be helpful to detect a variety of injections including Cobalt Strike beacons and the like.

    Motivation and context

    Bad guys like cobalt strike and in-memory implants

    Implementation notes

    Passing the pid to the python yara bindings and having a set of rules specific to the module would be helpful, with the option to leverage pe-sieve. Maybe a config to limit the processes,

    Acceptance criteria

    functioning plugin

    improvement version bump 
    opened by kfaber 0
Releases(v1.0.7)
Owner
Cybersecurity and Infrastructure Security Agency
Commit today, secure tomorrow.
Cybersecurity and Infrastructure Security Agency
Detection tool of malware(s) by checksum (useful for forensic)

?? malware_checker.py Detection tool of malware(s) by checksum (useful for forensic) ?? Dependencies installation $ pip3 install -r requirements.txt

Fayred 1 Jan 30, 2022
Tool to scan for RouterOS (Mikrotik) forensic artifacts and vulnerabilities.

RouterOS Scanner Forensics tool for Mikrotik devices. Search for suspicious properties and weak security points that need to be fixed on the router. T

Microsoft 792 Oct 1, 2022
Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the context, origin of specific files during a digital forensic investigation.

hashlookup 87 Sep 15, 2022
Osint-Tool - Information collection tool in python

Osint-Tool Herramienta para la recolecciΓ³n de informaciΓ³n Pronto mΓ‘s opciones In

null 3 Apr 9, 2022
A Fast Broken Link Hijacker Tool written in Python

Broken Link Hijacker BrokenLinkHijacker(BLH) is a Fast Broken Link Hijacker Tool written in Python.

Mayank Pandey 70 Sep 28, 2022
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Pupy Installation Installation instructions are on the wiki, in addition to all other documentation. For maximum compatibility, it is recommended to u

null 7.2k Sep 29, 2022
NExfil is an OSINT tool written in python for finding profiles by username.

NExfil is an OSINT tool written in python for finding profiles by username. The provided usernames are checked on over 350 websites within few seconds.

thewhiteh4t 753 Sep 25, 2022
A simple multi-threaded distributed SSH brute-forcing tool written in Python.

OrbitalDump A simple multi-threaded distributed SSH brute-forcing tool written in Python. How it Works When the script is executed without the --proxi

K4YT3X 297 Sep 22, 2022
orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner

Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools

Urminder Singh 34 Sep 13, 2022
Evil-stalker - A simple tool written in python, it is so simple that it is based on google dorks

evil-stalker How to run First of all, you must install the necessary libraries.

rock3d 5 Jan 24, 2022
Collection Of Discord Hacking Tools / Fun Stuff / Exploits That Is Completely Made Using Python.

Venom Collection Of Discord Hacking Tools / Fun Stuff / Exploits That Is Completely Made Using Python. Report Bug Β· Request Feature Contributing Well,

PndaBoi 20 Sep 18, 2022
DependConfusion-X Tool is written in Python3 that scans and monitors list of hosts for Dependency Confusion

DependConfusion-X Tool is written in Python3 which allows security researcher/bug bounty hunter to scan and monitor list of hosts for Dependency Confusion.

Ali Fathi Ali Sawehli 4 Dec 21, 2021
SSL / TLS Checking Tool written in Python3

ssts-chk SSL / TLS Checking Tool written in Python3. This tool will perform the following functions: Connect the target given Analyze the secure conne

Douglas Berdeaux 2 Feb 12, 2022
A collection of over 5.1 million sub-domains and assets belonging to public bug bounty programs, compiled into a repo, for performing bulk operations.

?? Public Bug Bounty Targets Data By BugBountyResources A collection of over 5.1M sub-domains and assets belonging to bug bounty targets, all put in a

Bug Bounty Resources 88 Aug 27, 2022
SpiderFoot automates OSINT collection so that you can focus on analysis.

SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of m

Steve Micallef 8.5k Sep 26, 2022
A collection of write-ups and solutions for Cyber FastTrack Spring 2021.

IMPORTANT: Please contact us before you use any styling or content shown here! Cyber FastTrack Spring 2021 / National Cyber Scholarship Competition -

Alice 48 Aug 28, 2022
Kunyu, more efficient corporate asset collection

Kunyu(ε€θˆ†) - More efficient corporate asset collection English | δΈ­ζ–‡ζ–‡ζ‘£ 0x00 Introduce Tool introduction Kunyu (kunyu), whose name is taken from , is act

Knownsec, Inc. 722 Sep 30, 2022
WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user.

WinRemoteEnum WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user, sharing the goal of remotely gather

Simon 9 Jun 18, 2022
Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina>=2.2.4. Example Here I

Jina AI 5 Mar 15, 2022