In March of 2021, the USA’s Cybersecurity and Infrastructure Security Agency, or CISA, released a tool called the CISA Hunt and Incident Response Program, or CHIRP. CHIRP is a Python-based forensics collection tool created to detect malicious activity associated with the widely reported and devastating SolarWinds hacking attacks on enterprise Windows environments.
In their announcement, CISA described CHIRP as a free utility that can detect signs of APT compromise within an on-premises environment. The tool looks for IOCs (indicators of compromise) associated with malicious activity related to the SolarWinds attacks against organizations, including government agencies, critical infrastructures, and private companies.
CHIRP was built to search for compromises related to SolarWinds Orion, the network monitoring software that the attackers penetrated to distribute the SUNBURST and SUNSPOT trojans.
CISA had earlier released another detection tool called Sparrow, a PowerShell-based tool developed to scan for compromises in Microsoft 365 and Azure cloud environments. While there are similarities between the two, CHIRP is seen as a complement to Sparrow: it scans on-premises systems for similar activity.
What Does CHIRP Do?
The CHIRP tool operates as a command-line executable that scans for anomalies within on-premises environments. It examines Windows event logs for artifacts connected to CISA alerts AA20-352A and AA21-008A, and searches the Windows Registry for signs of compromise. The first alert covers the compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private-sector networks. The second alert covers the compromise of Microsoft 365/Azure environments.
CHIRP also allows administrators to search Windows network artifacts and to apply YARA rules to detect possible malware, backdoors, or implants. YARA is a pattern-matching tool widely used in malware research and detection.
Since CHIRP is free and its source code is available, skilled developers can build on the code and contribute further improvements.
What Does CHIRP Detect?
According to CISA, CHIRP can be used to detect:
- The presence of malware identified by security researchers as TEARDROP and RAINDROP;
- Credential dumping certificate pulls;
- Certain persistence mechanisms identified as associated with this campaign;
- System, network, and M365 enumeration; and
- Known observable indicators of lateral movement.
With that detection capability, CHIRP is a utility that every organization running SolarWinds Orion software will need.