A forensic collection tool written in Python.

The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.

The initial IoCs are intended to search for activity detailed in CISA Alert AA21-008A that has spilled into the enterprise environment.

🏁 Getting Started

We build and release CHIRP via
However, if you wish to run with Python 3.6+, follow these instructions.

You can also write new
or plugins
for CHIRP.


Python 3.6 or greater is required to run CHIRP with Python. If you need help
installing Python in your environment, follow the instructions

CHIRP must be run on a live machine, but it does not have to be network connected.
Currently, CHIRP must run on the drive containing winevt logs. Shortly after release,
this will be updated so CHIRP can run from any drive.


python3 -m pip install -e .

In our experience, yara-python comes with some other dependencies. You MAY have
to install Visual Studio C++ 14.0 and the Windows 10 SDK; these can be retrieved
with Visual Studio Community

🎈 Usage

From release


From python


Example output

[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while.
           [YARA] Entered yara plugin.
           [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.
           [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator.
           [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.
           [+] Done! Your results can be found at Z:\README\output.
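The registry lines above report CHIRP's read-only checks, including the IFEO Persistence indicator. The following is an added example, not CHIRP's own code or its indicator format, showing the core of such a check run against a constructed registry snapshot; the hit schema, sample subkeys and paths are hypothetical.

```python
"""Read-only IFEO persistence check in the spirit of CHIRP's registry indicators.
Added example, not CHIRP's own code or indicator format; the hit schema is hypothetical
and the registry data below is constructed so the check runs on any OS."""
import json

IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200  # GlobalFlag bit that arms SilentProcessExit

# Constructed stand-in for HKLM: {key path: {subkey: {value name: data}}}
SAMPLE_HIVE = {
    IFEO: {
        "iexplore.exe": {"DisableExceptionChainValidation": 0},    # benign tuning
        "calc.exe": {"Debugger": r"C:\Users\Public\dbg.exe"},      # debugger hijack
        "notepad.exe": {"GlobalFlag": 0x200},                      # armed for SPE
    },
    SPE: {"notepad.exe": {"ReportingMode": 1,
                          "MonitorProcess": r"C:\Users\Public\x.exe"}},
}


def check_ifeo(hive):
    """Return JSON-serialisable hits for the two IFEO persistence variants:
    a Debugger value on an IFEO subkey (runs that path instead of the program),
    or GlobalFlag bit 0x200 plus a SilentProcessExit MonitorProcess value
    (runs that path whenever the program exits). Read-only.
    """
    hits = []
    for exe, values in hive.get(IFEO, {}).items():
        if "Debugger" in values:
            hits.append({"indicator": "IFEO Persistence", "key": f"{IFEO}\\{exe}",
                         "value": "Debugger", "data": values["Debugger"]})
        if int(values.get("GlobalFlag", 0)) & FLG_MONITOR_SILENT_PROCESS_EXIT:
            monitor = hive.get(SPE, {}).get(exe, {}).get("MonitorProcess")
            hits.append({"indicator": "IFEO Persistence", "key": f"{SPE}\\{exe}",
                         "value": "MonitorProcess", "data": monitor})
    return hits


def report(hive):
    """Mimic the console summary style of the output above, then return JSON."""
    hits = check_ifeo(hive)
    print(f"[REGISTRY] Found {len(hits)} hit(s) for IFEO Persistence indicator.")
    return json.dumps(hits, indent=2)


if __name__ == "__main__":
    print(report(SAMPLE_HIVE))
```

On a live Windows host the same dict shape can be filled from winreg with KEY_READ access only, keeping the collection side effect free as CHIRP does.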

⛏️ Built Using

  • Python - Language
  • Nuitka - For compilation
  • evtx2json - For event log access
  • yara-python - Parses and runs yara
  • rich - Makes the CLI easier on the eyes
  • psutil - Provides an easy API for many OS functions

✍️ Authors