The Cybersecurity and Infrastructure Security Agency (CISA) has released Hunt and Incident Response Program (CHIRP) tool.

CHIRP is a Python-based tool, that allows detecting malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise Windows environments.


CISA Alerts

  • AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.
  • AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365/Azure environments and offers an overview of—and guidance on—available open-source tools. The Alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.

Both alerts are related to SolarWinds attacks against government agencies, critical infrastructure, and private sector organizations.


Like Sparrow, which scans for signs of APT compromise within an M365 or Azure environment, CHIRP scans for signs of APT compromise within an on-premises environment.

CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.

CHIRP is freely available on the CISA GitHub Repository. CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.

CISA Advises Organizations To Use CHIRP To:

  • Examine Windows event logs for artifacts associated with this activity;
  • Examine Windows Registry for evidence of intrusion;
  • Query Windows network artifacts; and
  • Apply YARA rules to detect malware, backdoors, or implants.


Python 3.6 or greater is required to run CHIRP with Python. If you need help installing Python in your environment, follow the instructions here

CHIRP must be run on a live machine, but it does not have to be network connected. Currently, CHIRP must run on the drive containing winevt logs. Shortly after release, this will be updated so CHIRP can run from any drive.

How CHIRP Works

CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise.

Currently, the tool looks for:

  • The presence of malware identified by security researchers as TEARDROP and RAINDROP;
  • Credential dumping certificate pulls;
  • Certain persistence mechanisms identified as associated with this campaign;
  • The system, network, and M365 enumeration; and
  • Known observable indicators of lateral movement.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

Centreon Says that Russian Hackers Hit Older Versions of the Software

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.