A forensic collection tool written in Python.

Overview


CHIRP




Watch the video overview

πŸ“ Table of Contents

🧐 About

The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.

The initial IoCs are intended to search for activity detailed in CISA Alert AA21-008A that has spilled into the enterprise environment.

🏁 Getting Started

We build and release CHIRP via Releases. However, if you wish to run it with Python 3.6+, follow these instructions.

You can also write new indicators or plugins for CHIRP.

Prerequisites

Python 3.6 or greater is required to run CHIRP with Python. If you need help installing Python in your environment, follow the instructions here.

CHIRP must be run on a live machine, but it does not have to be network connected. Currently, CHIRP must run on the drive containing winevt logs. Shortly after release, this will be updated so CHIRP can run from any drive.

Installing

python3 -m pip install -e .

In our experience, yara-python brings some other dependencies with it. You MAY have to install Visual Studio C++ 14.0 and the Windows 10 SDK; both can be obtained with Visual Studio Community.

🎈 Usage

From release

.\chirp.exe

From python

python3 chirp.py

Example output

[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye       common.py:103
           Cosmic Gale', 'FireEye Sunburst']... this is going to take a while.
           [YARA] Entered yara plugin.                                                                                                                       common.py:103
           [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.                                                                                         common.py:103
           [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator.                                                                             common.py:103
           [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.
           ...
           ...
           ...
           [+] Done! Your results can be found at Z:\README\output.

⛏️ Built Using

  • Python - Language
  • Nuitka - For compilation
  • evtx2json - For event log access
  • yara-python - Parses and runs yara rules
  • rich - Makes the CLI easier on the eyes
  • psutil - Provides an easy API for many OS functions

✍️ Authors

🎉 Acknowledgements

🤝 Contributing

We welcome contributions! Please see here for details.

📝 License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

⚖️ Legal Disclaimer

NOTICE

This software package (“software” or “code”) was created by the United States Government and is not subject to copyright within the United States. All other rights are reserved. You may use, modify, or redistribute the code in any manner. However, you may not subsequently copyright the code as it is distributed. The United States Government makes no claim of copyright on the changes you effect, nor will it restrict your distribution of bona fide changes to the software. If you decide to update or redistribute the code, please include this notice with the code. Where relevant, we ask that you credit the Cybersecurity and Infrastructure Security Agency with the following statement: “Original code developed by the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security.”

USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.

THIS SOFTWARE IS OFFERED “AS-IS.” THE UNITED STATES GOVERNMENT WILL NOT INSTALL, REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.

Comments
  • UnicodeEncodeError on Win2016 Std

    πŸ› Summary

    Getting errors when executing scan v.1.06 on Win2016 Std. Scan appears to be frozen in place. Please see output below.

    To reproduce

    1. Extract zip
    2. Browse to chirp.exe
    3. Double click chirp.exe

    Expected behavior

    Run all scans to completion

    Any helpful log output or screenshots

    10:36:43 NETWORK  Read 128 records, found 0 IoC hits.                                                        scan.py:56
    10:36:44 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot                 scan.py:65
             REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
             REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF                                          scan.py:65
             REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution scan.py:65
                      Options\
             REGISTRY Found 0 hit(s) for Sibot - Registry indicator.                                             scan.py:47
             REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator.                                 scan.py:47
             REGISTRY Found 0 hit(s) for IFEO Persistence indicator.                                             scan.py:47
             YARA     Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified',        run.py:161
                      'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of
                      procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike
                      Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is
                      going to take a while.
    10:36:44 EVENTS   Reading Windows Powershell event logs.                                                     scan.py:69
    10:36:44 EVENTS   Reading Security event logs.                                                               scan.py:69
    10:37:22 EVENTS   Reading KernelMode event logs.                                                             scan.py:69
             EVENTS   Reading Application event logs.                                                            scan.py:69
    10:39:09 YARA     Beginning processing.                                                                      run.py:109
    10:51:40 YARA     We're still working on scanning files. 50000 processed.                                    run.py:111
    10:59:54 ERROR   multiprocessing.pool.RemoteTraceback:
    """
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 122, in _run
    UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 125, in worker
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 48, in mapstar
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 132, in _run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 2045, in error
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1471, in error
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1585, in _log
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1595, in handle
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1657, in callHandlers
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 950, in handle
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\logging.py", line 153, in emit
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1506, in print
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 776, in __exit__
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 735, in _exit_buffer
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1695, in _check_buffer
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 41, in write
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 162, in write
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 187, in write_and_convert
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 195, in write_plain_text
    UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed
    *** You may need to add PYTHONIOENCODING=utf-8 to your environment ***
    """
    
    The above exception was the direct cause of the following exception:
    
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp.py", line 17, in <module>
        run.run()
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 20, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 30, in run_plugins
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py", line 616, in run_until_complete
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 44, in _run_coroutines
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 178, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 448, in <genexpr>
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 868, in next
    UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed
    
    bug need info 
    opened by RITOps 32
  • CHIRP crashing on Windows Server 2008 R2 (APPCRASH, KERNELBASE.dll)

    πŸ› Summary

    Program crashes with exception code c0000005

    To reproduce

    Steps to reproduce the behavior:

    1. Download Chirp.zip from GitHub
    2. Extract all files to folder
    3. Run gci -recurse | unblock-file on extracted folder
    4. Run .\chirp.exe

    Expected behavior

    Expected program to run. Instead got "chirp.exe has stopped working" error.

    Any helpful log output or screenshots

    Problem signature:
    Problem Event Name: APPCRASH
    Application Name: chirp.exe
    Application Version: 0.0.0.0
    Application Timestamp: 605393f8
    Fault Module Name: KERNELBASE.dll
    Fault Module Version: 6.1.7601.24545
    Fault Module Timestamp: 5e0eb6bd
    Exception Code: c0000005
    Exception Offset: 0000000000001b44
    OS Version: 6.1.7601.2.1.0.305.9
    Locale ID: 3081
    Additional Information 1: e040
    Additional Information 2: e040c29db662d05b38ba55c14f951903
    Additional Information 3: 97c4
    Additional Information 4: 97c44f27c029744371d2d6b1e5a32dd4


    bug 
    opened by DASCert 18
  • [EVENTS] Read 0 logs, found 0 matches

    πŸ› Summary

    From CLI output, I see this line:

    [09:33:29] [EVENTS] Read 0 logs, found 0 matches. common.py:103

    To reproduce

    Steps to reproduce the behavior:

    1. Run Executable as administrator
    2. Observe output

    Expected behavior

    [09:33:29] [EVENTS] Read NNNN logs, found x matches. common.py:103

    Any helpful log output or screenshots

    Paste the results here:

    [09:30:18] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. common.py:103
    [YARA] Entered yara plugin. common.py:103
    [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator. common.py:103
    [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator. common.py:103
    [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator. common.py:103
    [REGISTRY] Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options common.py:103
    [REGISTRY] Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF common.py:103
    [REGISTRY] Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. common.py:103
    [REGISTRY] Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot common.py:103
    [REGISTRY] Entered registry plugin. common.py:103
    [NETWORK] Read 327 records, found 0 IoC hits. common.py:103
    [NETWORK] Entered network plugin. common.py:103
    [EVENTS] Entered events plugin. common.py:103
    [09:30:36] [EVENTS] Reading KernelMode event logs. common.py:103
    [EVENTS] Reading Security event logs. common.py:103
    [EVENTS] Reading Windows Powershell event logs. common.py:103
    [09:33:27] [YARA] Beginning processing. common.py:103
    [09:33:29] [EVENTS] Read 0 logs, found 0 matches. common.py:103
    [09:34:23] [YARA] We're still working on scanning files. 50000 processed. common.py:103
    [09:35:17] [YARA] We're still working on scanning files. 100000 processed. common.py:103
    [09:36:17] [YARA] We're still working on scanning files. 150000 processed. common.py:103
    [09:36:43] [YARA] We're still working on scanning files. 200000 processed. common.py:103
    [09:37:29] [YARA] We're still working on scanning files. 250000 processed. common.py:103
    [09:38:07] [YARA] We're still working on scanning files. 300000 processed. common.py:103
    [09:38:39] [YARA] We're still working on scanning files. 350000 processed. common.py:103
    [09:39:27] [YARA] We're still working on scanning files. 400000 processed. common.py:103
    [09:39:51] [YARA] We're still working on scanning files. 450000 processed. common.py:103
    [09:40:17] [YARA] We're still working on scanning files. 500000 processed. common.py:103
    [09:40:41] [YARA] We're still working on scanning files. 550000 processed. common.py:103
    [09:41:13] [YARA] We're still working on scanning files. 600000 processed. common.py:103
    [09:42:07] [YARA] We're still working on scanning files. 650000 processed. common.py:103
    [09:42:47] [YARA] We're still working on scanning files. 700000 processed. common.py:103
    [09:43:15] [YARA] We're still working on scanning files. 750000 processed. common.py:103
    [09:43:45] [+] DONE! Your results can be found in C:\ARTemp issue \chirp\output. common.py:103
    [YARA] Found 0 hit(s) for yara indicators. common.py:103
    [YARA] Done. Processed 796957 files. common.py:103


    bug 
    opened by rsmith16384 14
  • Application Hangs after Traceback errors

    πŸ› Summary

    Traceback error comes up and app seems to freeze while trying to scan files during YARA section.

    To reproduce

    Log into Win2012R2 server as domain admin, go to chirp directory and kick off app via Powershell (admin mode) /.chirp.exe Left the process running overnight. Following day found app window with errors: Traceback errors (see attached).

    CHIRP process still in Task Manager, but stuck at 0% CPU utilization.

    This occurs on version 1.03 and 1.04 on Win2012R2

    Ran version 1.05 on Win2012R2 and getting Traceback error with Unicode errors as shown below. This is preceded by Traceback lines that are identical with each occurrence.

    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4544: invalid start byte
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4447: invalid start byte
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 3871: invalid start byte

    Expected behavior

    Tool is expected to run to completion.

    Any helpful log output or screenshots

    Win2012R2 CHIRP Error_Hangs

    Version 1.05

    PS C:\kworking\chirp> cd..
    PS C:\kworking> cd chirp1.05
    PS C:\kworking\chirp1.05> ./chirp.exe
    16:20:23 EVENTS   Reading Windows Powershell event logs. scan.py:69
    16:20:24 EVENTS   Reading KernelMode event logs. scan.py:69
             EVENTS   Reading Application event logs. scan.py:69
    16:20:25 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot scan.py:65
             REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
             REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65
             REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options scan.py:65
             REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47
             REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator. scan.py:47
             REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47
             YARA     Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified', 'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. run.py:141
    16:20:49 EVENTS   Reading Security event logs. scan.py:69
    16:29:26 YARA     Beginning processing. run.py:100
    Traceback (most recent call last):
      File "C:\Users\<account>\AppData\Local\Temp\ONEFIL~3\chirp.py", line 17, in <module>
        run.run()
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 20, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 30, in run_plugins
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\asyncio\base_events.py", line 616, in run_until_complete
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 44, in _run_coroutines
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\network\scan.py", line 44, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\network\network.py", line 37, in parse_dns
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4544: invalid start byte
    16:35:55 YARA     We're still working on scanning files. 50000 processed. run.py:96
    16:40:34 YARA     We're still working on scanning files. 100000 processed. run.py:96
    16:43:17 YARA     We're still working on scanning files. 150000 processed. run.py:96
    16:45:09 YARA     We're still working on scanning files. 200000 processed. run.py:96

    This is another Win2012R2 server, with CHIRP v1.05 - UnicodeError 0xff in position 4447 error.

    11:05:40 EVENTS   Reading KernelMode event logs. scan.py:69
             EVENTS   Reading Application event logs. scan.py:69
    11:05:41 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot scan.py:65
             REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
             REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65
             REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options scan.py:65
             REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47
             REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator. scan.py:47
             REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47
             YARA     Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified', 'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. run.py:141
    11:09:35 YARA     Beginning processing. run.py:100
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp.py", line 17, in <module>
        run.run()
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 20, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 30, in run_plugins
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\asyncio\base_events.py", line 616, in run_until_complete
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 44, in _run_coroutines
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\plugins\network\scan.py", line 44, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\plugins\network\network.py", line 37, in parse_dns
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4447: invalid start byte
    11:11:52 EVENTS   Reading Windows Powershell event logs. scan.py:69
    11:12:14 EVENTS   Reading Security event logs. scan.py:69


    bug 
    opened by RITOps 7
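The UnicodeEncodeError reported earlier in this thread (a lone surrogate, U+D8D0, in a filename that the log handler could not encode as UTF-8) and the UnicodeDecodeError in this report (byte 0xff at the start of captured DNS-cache output, which is not a valid UTF-8 start byte and on Windows usually means a UTF-16 byte-order mark) are two sides of one problem: a collector that lets codec errors propagate loses the whole plugin. The following is an added example, not CHIRP's code, showing one way a collector can sanitise log messages and decode child-process output without raising. The logger name, the sample path and the sample byte strings are constructed for the demonstration.

```python
"""Added example (not CHIRP's own code): text handling in a collector that
cannot raise UnicodeEncodeError or UnicodeDecodeError.

Two failure modes from the issue thread:
  * a filename carrying a lone surrogate (U+D8D0) blew up when the *log
    message* was encoded to UTF-8 by the console handler;
  * bytes captured from a child process began with 0xff, which strict
    UTF-8 rejects (on Windows this is typically a UTF-16 BOM).
"""
import codecs
import io
import logging


def safe_for_log(text: str) -> str:
    """Return a copy of *text* that any UTF-8 sink can encode.

    Lone surrogates (U+D800..U+DFFF) are not encodable in UTF-8.  The
    'backslashreplace' handler turns them into a visible escape such as
    '\\ud8d0' instead of raising, so the evidence about the odd filename
    survives in the log rather than killing the worker.
    """
    return text.encode("utf-8", errors="backslashreplace").decode("utf-8")


class SafeTextFilter(logging.Filter):
    """Logging filter that sanitises every record before handlers format it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message now (with its %-args), then freeze it as text.
        record.msg = safe_for_log(record.getMessage())
        record.args = ()
        return True


# Byte-order marks checked before any decoding is attempted.
_BOMS = (
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)


def decode_tool_output(raw: bytes) -> tuple:
    """Decode bytes captured from a subprocess; never raises.

    Returns (text, codec_used).  A BOM decides the codec; otherwise strict
    UTF-8 is tried and, failing that, the same codec with U+FFFD replacement
    so the scan keeps going and the bad input stays visible in the output.
    """
    codec, body = "utf-8", raw
    for bom, name in _BOMS:
        if raw.startswith(bom):
            codec, body = name, raw[len(bom):]
            break
    try:
        return body.decode(codec), codec
    except UnicodeDecodeError:
        return body.decode(codec, errors="replace"), codec + "-replace"


def demo_logging() -> str:
    """Log a constructed path containing a lone surrogate; return the log text."""
    stream = io.StringIO()
    logger = logging.getLogger("chirp-example")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(SafeTextFilter())
    logger.addHandler(handler)
    bad_name = "C:\\evidence\\report\ud8d0.docx"  # constructed sample path
    logger.error("YARA could not open %s", bad_name)
    handler.flush()
    text = stream.getvalue()
    text.encode("utf-8")  # would raise if a lone surrogate had slipped through
    return text


if __name__ == "__main__":
    print(demo_logging(), end="")
    # Constructed samples: plain UTF-8, UTF-16-LE with BOM, invalid UTF-8.
    for sample in (b"abc", b"\xff\xfea\x00b\x00", b"abc\xffdef"):
        print(decode_tool_output(sample))
```

The filter approach fixes the problem at the logging layer for every plugin at once, which matters in a multiprocessing pool: an exception raised while logging another exception (the "During handling of the above exception" chain in the first report) is what turned one odd filename into a dead worker.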
  • v1.0.2b - 'mountvol' is not recognized as an internal or external command, operable program or batch file.

    πŸ› Summary

    What's wrong? Please be specific.

    When running the python code, this error is immediately displayed and appears to affect subsequent operations (scan appears to hang):

    C:\ARTemp\chirp\LATEST\CHIRP-main>C:\Users\rsmit\AppData\Local\Programs\Python\Python39-32\python.exe chirp.py
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    ┌──────────────────────────────── Traceback (most recent call last) ────────────────────────────────┐
    │ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp.py:16 in <module>
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    │   13 if __name__ == "__main__":
    │   14     try:
    │   15         freeze_support()
    │ > 16         run.run()
    │   17         time.sleep(2)
    │   18         CONSOLE(
    │   19             "[green][+][/green] DONE! Your results can be found in {}. Press any key to
    │
    │ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:19 in run
    │
    │   16     if not os.path.exists(OUTPUT_DIR):
    │   17         os.mkdir(OUTPUT_DIR)
    │   18     plugins = loader.load()
    │ > 19     run_plugins(plugins)
    │   20
    │   21
    │   22 def run_plugins(plugins: Dict[str, Callable]) -> None:
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    │ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:29 in run_plugins
    │
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    │   26     :type plugins: Dict[str, Callable]
    │   27     """
    │   28     _loop = asyncio.get_event_loop()
    │ > 29     _loop.run_until_complete(_run_coroutines(plugins))
    │   30
    │   31
    │   32 async def _run_coroutines(plugins: Dict[str, Callable]) -> None:
    │
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    │ C:\Users\rsmit\AppData\Local\Programs\Python\Python39-32\lib\asyncio\base_events.py:642 in run_until_complete
    │
    │   639         if not future.done():
    │   640             raise RuntimeError('Event loop stopped before Future completed.')
    │   641
    'mountvol' is not recognized as an internal or external command, operable program or batch file.
    │ > 642         return future.result()
    │   643
    │   644     def stop(self):
    │   645         """Stop running the event loop.
    │
    │ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:43 in _run_coroutines
    │
    │   40             load.from_yaml(get_indicators()), list(plugins.keys())
    │   41         )
    │   42     )
    │ > 43     await asyncio.gather(
    │   44         *[
    │   45             entrypoint(
    │   46                 [
    │
    │ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\plugins\events\scan.py:129 in run
    │
    │   126     async with aiomp.Pool() as pool:
    │   127         try:
    │   128             async for i in pool.map(_run, tuple(run_args)):
    │ > 129                 _rep = i[0]
    │   130                 num_logs += i[1]
    │   131                 for k, v in _rep.items():
    │   132                     try:
    └───────────────────────────────────────────────────────────────────────────────────────────────────┘
    TypeError: 'NoneType' object is not subscriptable
    [07:36:38] [!] We can't find windows event logs at their standard path. common.py:104
    [EVENTS] Entered events plugin. common.py:104
    [NETWORK] Entered network plugin. common.py:104
    [NETWORK] Read 163 records, found 0 IoC hits. common.py:104
    [REGISTRY] Entered registry plugin. common.py:104
    [REGISTRY] Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot common.py:104
    [REGISTRY] Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. common.py:104
    [REGISTRY] Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF common.py:104
    [REGISTRY] Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options common.py:104
    [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator. common.py:104
    [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator. common.py:104
    [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator. common.py:104
    [YARA] Entered yara plugin. common.py:104
    [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. common.py:104
    [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
    [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
    [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
    [YARA] Beginning processing. common.py:104
    [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
    [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
    [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
    [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
    [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104

    To reproduce

    1. Download latest code
    2. Install with python.exe -m pip install -e .
    3. Run with python.exe chirp.py
    4. Observe output

    Expected behavior

    No mountvol error

    Any helpful log output or screenshots


    bug need info 
    opened by rsmith16384 7
  • Exception Processing Message

    πŸ› Summary

    When running chirp.exe with defaults this error comes up multiple times even when hitting continue.

    I ran chirp.exe from the extract folder of chirp running from C:\chirp\

    Screenshot from 2021-04-08 19-02-49

    bug need info 
    opened by bneu78 6
  • Files not found after scans

    πŸ› Summary

    Program scans files then appears to hang (already addressed in issue #8). After pressing one or more keys, "Traceback" is produced with multiple "[Errno 2] No such file or directory" and references to %temp%\onefile_dddd_ddd ...ddd

    To reproduce

    1. Program was run on virtual Server 2012
    2. User logged in using RDP
    3. Powershell run as admin
    4. cd to location of downloaded files: C:\Support\Chirp

    Expected behavior

    Expected program to end normally and produce report

    Any helpful log output or screenshots

    Output hard to read with current colours so ..

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp.py:14 in

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:19 in run

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:29 in run_plugins

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py:642 in run_until_complete

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:43 in _run_coroutines

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py:128 in run

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py:145 in results_generator

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py:308 in results

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py'

    ProxyException: Traceback (most recent call last):
      File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py", line 110, in run
      File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py", line 73, in _run
      File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\events.py", line 98, in gather
      File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\events.py", line 67, in process_files
      File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\evtx2json.py", line 160, in iter_evtx2xml
      File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\Evtx\Evtx.py", line 66, in __enter__
    FileNotFoundError: [Errno 2] No such file or directory: 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx'

    image

    
    

    Add any screenshots of the problem here.

    bug 
    opened by DASCert 4
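The traceback above ends the whole events plugin because one listed log file could not be opened: the exception crosses the aiomultiprocess worker boundary as a ProxyException and the run dies. What a collector wants instead is per-file error isolation. The following is an added example, not CHIRP's own code, that lists a winevt Logs directory, opens each .evtx on its own, and records a file that has vanished, is locked or is malformed as skipped while the others are still processed. The `opener` and `process` callables, the header check and the temporary-directory scenario are assumptions of this example, used so the failure can be reproduced offline.

```python
"""Added example (not CHIRP's own code): collect .evtx files with per-file
error isolation, so that one file which is listed but cannot be opened is
reported as skipped instead of aborting the whole events plugin.

Assumptions of this example: the parsing step is a caller-supplied `process`
callable, and files are opened via a caller-supplied `opener` so the failure
can be reproduced offline in a temporary directory."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from typing import BinaryIO, Callable, Dict, List, Tuple

EVTX_MAGIC = b"ElfFile\x00"  # first 8 bytes of a Windows .evtx file header


@dataclass
class CollectionResult:
    processed: Dict[str, int] = field(default_factory=dict)       # path -> value from `process`
    skipped: List[Tuple[str, str]] = field(default_factory=list)  # (path, reason)


def collect_evtx(
    log_dir: str,
    process: Callable[[str, BinaryIO], int],
    opener: Callable[[str], BinaryIO] = lambda p: open(p, "rb"),
) -> CollectionResult:
    """Open every *.evtx under `log_dir` with `opener` and hand it to `process`.

    Each file is its own unit of work: an OSError (file removed between listing
    and opening, locked, permission denied) or a bad header marks that file as
    skipped and the loop moves on. The caller gets both the results and the
    list of skips to surface in the final report.
    """
    result = CollectionResult()
    try:
        names = sorted(os.listdir(log_dir))
    except OSError as exc:
        result.skipped.append((log_dir, f"listdir failed: {exc.__class__.__name__}"))
        return result

    for name in names:
        if not name.lower().endswith(".evtx"):
            continue
        path = os.path.join(log_dir, name)
        try:
            with opener(path) as fh:
                if fh.read(len(EVTX_MAGIC)) != EVTX_MAGIC:
                    result.skipped.append((path, "not an evtx file (bad header)"))
                    continue
                fh.seek(0)
                result.processed[path] = process(path, fh)
        except OSError as exc:
            # Exactly the case in the traceback: listed, but not openable.
            result.skipped.append((path, f"{exc.__class__.__name__}: {exc}"))
        except Exception as exc:  # a parser bug in one file must not kill the run
            result.skipped.append((path, f"processing error: {exc.__class__.__name__}"))
    return result


def count_bytes(path: str, fh: BinaryIO) -> int:
    """Stand-in for real evtx parsing: just measure the file."""
    return len(fh.read())


def demo() -> CollectionResult:
    """Constructed scenario: three listed files, one that 'disappears' before it
    can be opened and one that is not really an event log."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "Security.evtx")
    # '%4' is how Windows encodes '/' of a channel name in the on-disk file name.
    ghost = os.path.join(tmp, "Microsoft-Windows-Security-Mitigations%4KernelMode.evtx")
    junk = os.path.join(tmp, "Setup.evtx")
    with open(good, "wb") as f:
        f.write(EVTX_MAGIC + b"\x00" * 4088)  # 4 KiB stand-in for a file header chunk
    with open(ghost, "wb") as f:
        f.write(EVTX_MAGIC)
    with open(junk, "wb") as f:
        f.write(b"not an event log")

    def flaky_opener(p: str) -> BinaryIO:
        if p == ghost:  # simulate the race: listed, gone by the time we open it
            raise FileNotFoundError(2, "No such file or directory", p)
        return open(p, "rb")

    return collect_evtx(tmp, count_bytes, opener=flaky_opener)


if __name__ == "__main__":
    r = demo()
    print(f"processed={len(r.processed)} skipped={len(r.skipped)}")
    for path, reason in r.skipped:
        print(f"  skipped {os.path.basename(path)}: {reason}")
```

The skipped list is what belongs in the JSON output next to the hits: an analyst reading a clean result needs to know which logs were never examined, and a collector that aborts on the first unreadable file silently produces neither.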
  • Non-zero Exit on IOCs Discovered in Non-interactive Mode

    Non-zero Exit on IOCs Discovered in Non-interactive Mode

    πŸ—£ Description

    Seeks IOC detection count from run and exits with non-zero status in non-interactive mode, retaining existing functionality in interactive mode. Addresses #31

    πŸ’­ Motivation and context

    Common tooling in automatic workflows involves using non-zero exit codes to enable decision making after process completion. Using additional exit codes enhances CISA CHIRP's ability to be used within these contexts.

    πŸ§ͺ Testing

    Used pre-commit to ensure proper conformance with linting and style.

    Used the following against the code related to this PR to test various scenarios:

    # non-interactive mode with non-zero exit (CHIRP self-detects IOC's when targeting itself)
    python chirp.py -p yara -t c:\\chirp\\** -o chirp_result -l debug --non-interactive
    
    # non-interactive mode with zero exit (no detections)
    python chirp.py -p yara -t c:\\no_ioc_dir\\** -o chirp_result -l debug --non-interactive
    
    # interactive mode with zero exit after prompt
    python chirp.py -p yara -t c:\\no_ioc_dir\\** -o chirp_result -l debug
    

    βœ… Checklist

    • [x] This PR has an informative and human-readable title.
    • [x] Changes are limited to a single goal - eschew scope creep!
    • [x] All future TODOs are captured in issues, which are referenced in code comments.
    • [ ] All relevant type-of-change labels have been added.
    • [x] I have read the CONTRIBUTING document.
    • [x] These code changes follow cisagov code standards.
    • [x] All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
    • [ ] Tests have been added and/or modified to cover the changes in this PR.
    • [x] All new and existing tests pass.
    improvement 
    opened by d33bs 3
  • Non-zero Exit on IOCs Discovered in Non-interactive Mode

    Non-zero Exit on IOCs Discovered in Non-interactive Mode

    πŸ’‘ Summary

    Use a non-zero exit code when IOCs are discovered in non-interactive mode to enhance automatic workflows.

    Motivation and context

    Common tooling in automatic workflows involves using non-zero exit codes to enable decision making after process completion. Using additional exit codes would enhance CISA CHIRP's ability to be used within these contexts.

    Implementation notes

    CISA CHIRP would run plugins to completion and use reports to determine whether the number of IOCs discovered is greater than 0. If any IOCs were discovered from the reports, we'd exit with a non-zero sys.exit(1) (see below).

    Use the following exit codes for status indications (i.e. sys.exit(number)):

    • 0 == successful completion, no IOCs detected
    • 1 == successful completion, IOCs detected
    • 2 == unsuccessful completion (errors, unexpectedly incomplete run, etc.)

    Avoiding specifics about IOCs detected in logs may be beneficial (as otherwise public or near-public display of this information may be a vulnerability or liability). Propose using a generic log message (or no log message at all, solely relying on the exit code) to indicate IOCs were discovered but remove specific mention of which ones. Open to thoughts or suggestions here!

    Acceptance criteria

    • [ ] CISA CHIRP runs all specified plugins through to report completion
    • [ ] Successful run with no IOCs detected from reports emits exit code 0
    • [ ] Successful run with IOCs detected from reports emits exit code 1
    • [ ] Unsuccessful run (errors, unexpectedly incomplete, etc.) emits exit code 2
    improvement 
    opened by d33bs 3
  • Remove "Press any key to exit" / make runtime fully non-interactive

    Remove "Press any key to exit" / make runtime fully non-interactive

    πŸ’‘ Summary

    Remove the "Press any key to exit" interactive prompt that occurs / add parameter to make the runtime of the EXE fully non-interactive.

    [08:22:51] [+] DONE! Your results can be found in D:\output. Press any key to exit. common.py:104

    Motivation and context

    Why does this work belong in this project?

    This would be useful because it would vastly increase the scope of audience that is able to consume this tool. RMM tools used by MSPs do not cope with programs that require keyboard input, have interactive prompts, or have GUI-based pop-ups. If you want this tool to be used by the world, the tool must be able to run from 0 to 100 without stopping for input.

    Implementation notes

    Just remove any keyboard inputs OR add a parameter switch, i.e. "chirp.exe" -noprompt, to suppress all input prompts.

    Acceptance criteria

    How do we know when this work is done?

    When "chirp.exe" can be executed without having to "press any key to exit" and it finishes running on its own (self-terminates/process end).

    improvement 
    opened by BlueToast 3
  • Add Malicious IP Addresses Associated with CISA Alert - AA21-062A

    Add Malicious IP Addresses Associated with CISA Alert - AA21-062A

    πŸ—£ Description

    Added malicious IP addresses associated with CISA Alert - AA21-062A

    https://us-cert.cisa.gov/ncas/alerts/aa21-062a

    πŸ’­ Motivation and context

    I've started to use this tool with clients to detect any network activity related to the recent Exchange vulnerabilities. Figured others might want to do the same.

    opened by greyl0cke 3
  • Do you have any tips for running chirp via SCCM?

    Do you have any tips for running chirp via SCCM?

    It seems like it doesn’t run properly from an SMB share and also there doesn’t seem to be a way to capture the console output (even with a >)

    This isn't a bug per se. Probably I'm just not using the console redirection, PowerShell scripting, or other context/environment aspects correctly, but the naive implementation isn't working.

    (run from sccm scripts->) cmd.exe /c "\SHARE\chirp\chirp.exe -o \SHARE\chirpout\test"

    opened by apowelliaea 0
  • CHIRP scanning its own files and reporting as hits

    CHIRP scanning its own files and reporting as hits

    πŸ› Summary

    Seems like the CHIRP tool is scanning its own resources and showing them as hit counts in the final scan output.

    To reproduce

    Steps to reproduce the behavior:

    1. Download version 1.0.7 from the repository.
    2. Unzip it on your machine.
    3. Run the scan with defaults.
    4. Check the results - Yara indicator will show '1' Hit.

    Expected behavior

    What did you expect to happen that didn't?

    The CHIRP tool might scan its own resources. However, they should be excluded from the output and final scan results.

    Any helpful log output or screenshots

    Paste the results here:

    image

    Add any screenshots of the problem here.

    opened by Kamalesh-Veluri 0
  • Crowdstrike yaml rules create a false positive when the tool has been run twice.

    Crowdstrike yaml rules create a false positive when the tool has been run twice.

    πŸ› Summary

    What's wrong? Please be specific.

    To reproduce

    Steps to reproduce the behavior:

    1. Run the CHIRP tool on a server
    2. Look at the results, they should show zero results or matches
    3. Run the CHIRP tool again
    4. The CHIRP Results show a false positive based on yaml rules

    Expected behavior

    What did you expect to happen that didn't? No detected results when using the tool multiple times

    Any helpful log output or screenshots

    Paste the results here:

    "CrowdStrike Sunspot": {
      "description": ""Identifies Sunspot backdoor dropper utilizing unique strings in key encryption material, mutexes, and logging."\n",
      "confidence": 10,
      "matches": [
        {
          "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}",
          "namespace": "CrowdStrike Sunspot",
          "rule": "CrowdStrike_SUNSPOT_02",
          "strings": "[(1155, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (1227, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]",
          "tags": "['artifact', 'stellarparticle', 'sunspot']",
          "file": "C:\$Recycle.Bin\S-1-5-21-1078081533-1897051121-xxxxxx-19038\xxxxx\crowdstrike_sunspot.yaml"
        },
        {
          "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}",
          "namespace": "CrowdStrike Sunspot",
          "rule": "CrowdStrike_SUNSPOT_02",
          "strings": "[(514, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (578, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]",
          "tags": "['artifact', 'stellarparticle', 'sunspot']",
          "file": "C:\Users\xxxxx\Desktop\Results\output\yara.json"
        }
      ]
    }
    }

    
    Add any screenshots of the problem here.
    
    opened by capricewag 0
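The two reports above are one problem: CHIRP's rule bundle and its own previous yara.json contain the very strings the YARA rules look for, so a rerun, or a copy of a rule file sitting in the Recycle Bin, is reported as a hit. The following added example, not CHIRP's own code, post-processes results in the layout of the yara.json fragment pasted above, drops matches on CHIRP's own files by location or by content hash, and then applies the 0/1/2 exit-code scheme proposed in the non-interactive mode issue earlier on this page, printing only a generic status line. The directory names, file contents and the exact result schema are constructed for this example and are not documented CHIRP behaviour.

```python
"""Added example (not CHIRP's own code): post-process CHIRP-style results so
the verdict and exit code are not skewed by hits on CHIRP's own files, then
exit 0 (clean), 1 (IOCs found) or 2 (run failed) with a generic console line.

Assumptions: the result layout (indicator -> {"matches": [{"file": ...}]})
follows the pasted yara.json fragment; the directories and sample file
contents below are constructed."""
from __future__ import annotations

import hashlib
import os
import sys
import tempfile
from typing import Dict, List, Set

EXIT_CLEAN, EXIT_IOC_FOUND, EXIT_RUN_FAILED = 0, 1, 2


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(*roots: str) -> Set[str]:
    """SHA-256 of every file under CHIRP's own directories (bundle, prior output)."""
    hashes: Set[str] = set()
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for n in names:
                hashes.add(sha256_file(os.path.join(dirpath, n)))
    return hashes


def _under(path: str, roots: List[str]) -> bool:
    p = os.path.normcase(os.path.abspath(path))
    for r in roots:
        r = os.path.normcase(os.path.abspath(r))
        if p == r or p.startswith(r + os.sep):
            return True
    return False


def is_self_artifact(path: str, self_dirs: List[str], self_hashes: Set[str]) -> bool:
    """CHIRP's own file if it lives in its directories or has identical content.

    Content matching catches a stray copy of a rule file (e.g. in $Recycle.Bin)
    without blanket-excluding that location, where real malware may also sit."""
    if _under(path, self_dirs):
        return True
    try:
        return sha256_file(path) in self_hashes
    except OSError:  # gone or unreadable now: keep the hit for an analyst to judge
        return False


def summarize(results: dict, self_dirs: List[str], self_hashes: Set[str]) -> Dict[str, int]:
    """indicator -> number of matches that are not on CHIRP's own files."""
    counts: Dict[str, int] = {}
    for indicator, body in results.items():
        kept = [m for m in body.get("matches", [])
                if not is_self_artifact(m["file"], self_dirs, self_hashes)]
        if kept:
            counts[indicator] = len(kept)
    return counts


def exit_code(counts: Dict[str, int], run_errors: int) -> int:
    if run_errors:  # an incomplete run must never look "clean"
        return EXIT_RUN_FAILED
    return EXIT_IOC_FOUND if counts else EXIT_CLEAN


def build_demo():
    """Constructed layout: CHIRP bundle, a previous run's output, a recycled copy
    of one rule file (three false positives) and one genuinely suspicious file."""
    tmp = tempfile.mkdtemp()

    def put(rel: str, data: bytes) -> str:
        p = os.path.join(tmp, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        return p

    mutex = b"{12d61a41-4b74-7610-a4d8-3028d2f56395}"  # string the rule looks for
    rule = put("chirp/indicators/yara/crowdstrike_sunspot.yaml", b"$mutex_01 = " + mutex)
    prior = put("output/yara.json", b'{"strings": "' + mutex + b'"}')
    recycled = put("Recycle.Bin/S-1-5-21-1/crowdstrike_sunspot.yaml", b"$mutex_01 = " + mutex)
    evil = put("Windows/Temp/evil.dll", b"MZ" + mutex + b"\x00payload")
    results = {"CrowdStrike Sunspot": {"confidence": 10, "matches": [
        {"rule": "CrowdStrike_SUNSPOT_02", "file": f} for f in (rule, prior, recycled, evil)]}}
    self_dirs = [os.path.join(tmp, "chirp"), os.path.join(tmp, "output")]
    return results, self_dirs, hash_tree(*self_dirs)


def main(run_errors: int = 0) -> int:
    results, self_dirs, self_hashes = build_demo()
    code = exit_code(summarize(results, self_dirs, self_hashes), run_errors)
    # Console gets a generic status only; which rules fired stays in the JSON.
    print({EXIT_CLEAN: "[+] DONE! No indicators detected.",
           EXIT_IOC_FOUND: "[!] DONE! Indicators detected; review the JSON output.",
           EXIT_RUN_FAILED: "[-] Run did not complete; see the log."}[code])
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Excluding by content hash rather than by path alone is the point: the recycled crowdstrike_sunspot.yaml is dropped because its bytes match the bundle, while an unknown file in the same Recycle Bin directory is still reported. The cleaner fix belongs in the YARA plugin itself (skip the install and output directories before scanning); this wrapper is what can be done with the JSON CHIRP already produces.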
  • Seems CHIRP is Visual Studio dependent.

    Seems CHIRP is Visual Studio dependent.

    πŸ› Summary

    Requires Visual Studio to run; not all systems can have that on the system.

    To reproduce

    Steps to reproduce the behavior:

    1. Tried to run on WinSrv2016 without Visual Studio and failed to run.
    2. Ran on a system with Visual studio and was successful.

    Expected behavior

    I was expecting the CHIRP.exe tool to run.

    Any helpful log output or screenshots

    Paste the results here:

    
    

    Add any screenshots of the problem here.

    wontfix 
    opened by avaxa21 7
  • Create PYPI Package with Modified Name to Avoid Typosquatting and Enable Wide Distribution

    Create PYPI Package with Modified Name to Avoid Typosquatting and Enable Wide Distribution

    πŸ’‘ Summary

    "chirp" is already registered as a package name on PYPI, meaning someone may erroneously believe they're installing CISA's CHIRP but end up with https://pypi.org/project/chirp/ instead. In general, this may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). CISA could deploy a PYPI package as "cisa-chirp" to differentiate from other packages and protect against typosquatting (in addition to general confusion with other packages).

    This seems to have been brought up and closed, but I'd like to resurface as an idea for consideration. Reference: https://github.com/cisagov/CHIRP/issues/19

    Motivation and context

    In general, the package and project name similarities may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). Making a PYPI package available with another name and documenting it would be beneficial in securing the project and enable wide distribution via command line: "pip install <package name>".

    Implementation notes

    Propose including authority in the package name itself, for instance "cisa-chirp", to differentiate and provide trust in the package via PYPI.

    Acceptance criteria

    How do we know when this work is done?

    • [ ] Issuing the command "pip install <modified package name>" installs CISA's CHIRP project and enables it to be used on client machine.
    evaluating 
    opened by d33bs 2
  • Process Memory Plugin

    Process Memory Plugin

    πŸ’‘ Summary

    A plugin to inspect process memory would be helpful to detect a variety of injections including Cobalt Strike beacons and the like.

    Motivation and context

    Bad guys like cobalt strike and in-memory implants

    Implementation notes

    Passing the pid to the python yara bindings and having a set of rules specific to the module would be helpful, with the option to leverage pe-sieve. Maybe a config to limit the processes.

    Acceptance criteria

    functioning plugin

    improvement version bump 
    opened by kfaber 0
Releases(v1.0.7)
Owner
Cybersecurity and Infrastructure Security Agency
Commit today, secure tomorrow.