Pierluigi Paganini March 21, 2021

US CISA has released a new tool that allows detecting malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise environments.

US CISA released the CISA Hunt and Incident Response Program (CHIRP) tool, is a Python-based tool, that allows detecting malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise Windows environments. Below an excerpt of the CISA’s announcement:

“This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:”

• AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.
• AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365/Azure environments and offers an overview of—and guidance on—available open-source tools. The Alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.

Both alerts are related to SolarWinds attacks against government agencies, critical infrastructure, and private sector organizations.

This isn’t the first tool released by the US CISA to detect indicators of compromise in Microsoft environment, early this year the agency’s Cloud Forensics team released another PowerShell-based tool, dubbed Sparrow, that can that helps administrators to detect anomalies and potentially malicious activities in Azure/Microsoft 365 environments.

Similar to Sparrow, CHIRP scans for signs of APT compromise within an on-premises environment, by default it searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A alerts.

The CHIRP tool allows to examine Windows event logs for artifacts associated with this activity, Windows Registry for evidence of intrusion, query Windows network artifacts, and apply YARA rules to detect malware, backdoors, or implants.

“The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.” reads the description provided on GitHub for the tool.

“The initial IoCs are intended to search for activity detailed in CISA Alert AA21-008A that has spilled into the enterprise environment.”

Currently, the tool scans for:

• The presence of malware identified by security researchers as TEARDROP and RAINDROP;
• Credential dumping certificate pulls;
• Certain persistence mechanisms identified as associated with this campaign;
• System, network, and M365 enumeration; and
• Known observable indicators of lateral movement.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

[adrotate banner=”5″]

[adrotate banner=”13″]