A forensic collection tool written in Python

CHIRP

A forensic collection tool written in Python.

The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.

The initial IoCs are intended to search for activity detailed in CISA Alert AA21-008A that has spilled into the enterprise environment.

? Getting Started

We build and release CHIRP via
Releases.
However, if you wish to run with Python3.6+, follow these instructions.

You can also write new
indicators
or plugins
for CHIRP.

Prerequisites

Python 3.6 or greater is required to run CHIRP with Python. If you need help
installing Python in your environment, follow the instructions
here

CHIRP must be run on a live machine, but it does not have to be network connected.
Currently, CHIRP must run on the drive containing winevt logs. Shortly after release,
this will be updated so CHIRP can run from any drive.

Installing

python3 -m pip install -e .

In our experience, yara-python comes with some other dependencies. You MAY have
to install Visual Studio C++ 14.0 and the Windows 10 SDK, this can be retrieved
with Visual Studio Community

? Usage

From release

.\chirp.exe

From python

python3 chirp.py

Example output

[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye       common.py:103
           Cosmic Gale', 'FireEye Sunburst']... this is going to take a while.
           [YARA] Entered yara plugin.                                                                                                                       common.py:103
           [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.                                                                                         common.py:103
           [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator.                                                                             common.py:103
           [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.
           ...
           ...
           ...
           [+] Done! Your results can be found at Z:\README\output.

⛏️ Built Using

• Python - Language
• Nuitka - For compilation
• evtx2json - For event log access
• yara-python - Parses and runs yara
  rules
• rich - Makes the CLI easier on the eyes
• psutil - Provides an easy API for many
  OS functions

✍️ Authors

• Will Deem, OS1 USCG
• Jordan Mussman