CISA Hunt and Incident Response Program (CHIRP) is a new forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with the SolarWinds and Active Directory/M365 Compromise. CHIRP is freely available on the CISA GitHub repository.
Similar to the CISA-developed Sparrow tool—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.
CISA Alert AA21-077A: Detecting Post-Compromise Threat Activity using the CHIRP IOC Detection Tool provides guidance on using the new tool. This Alert is a companion to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations and AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud. For additional guidance watch CISA's CHIRP Overview video.
CISA encourages users and administrations to review the Alert for more information. For more technical information on the SolarWinds Orion supply chain compromise, see CISA's Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page. For general information on CISA’s response to the supply chain compromise, refer to cisa.gov/supply-chain-compromise.
CHIRP will search three (3) years before and after the date of birth for possible matches. Additional identifiers such as aliases (i.e. Maiden names, previous married names, nicknames) and social security numbers, if known, can be provided for a more thorough search of the OSBI Computerized Criminal History (CCH) Database. Chirp offers amazing limited-time deals on audiobooks without subscription fees. Sign Up for Free!
This product is provided subject to this Notification and this Privacy & Use policy.
Please share your thoughts.
Chirp Wheel
Chiropractor
We recently updated our anonymous product survey; we'd welcome your feedback.