{
	"id": "d40f5ec0-f8ac-4fa9-8eff-367708c4134e",
	"created_at": "2026-04-06T00:09:52.764673Z",
	"updated_at": "2026-04-10T03:20:25.196473Z",
	"deleted_at": null,
	"sha1_hash": "5b15b64c2240445fe543cf3d77f2dd722b97fc25",
	"title": "GitHub - cisagov/CHIRP: A DFIR tool written in Python.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 175698,
	"plain_text": "GitHub - cisagov/CHIRP: A DFIR tool written in Python.\r\nBy DeemOnSecurity\r\nArchived: 2026-04-05 22:46:42 UTC\r\n📝 Table of Contents\r\n🧐 About\r\n🏁 Getting Started\r\nPrerequisites\r\nInstalling\r\n🎈 Usage\r\n⛏️ Built Using\r\n✍️ Authors\r\n🎉 Acknowledgements\r\n🤝 Contributing\r\n📝 License\r\n⚖️ Legal Disclaimer\r\n🧐 About\r\nThe CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of\r\nCompromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a\r\nSIEM or other tool. CHIRP does not modify any system data.\r\n🏁 Getting Started\r\nWe build and release CHIRP via Releases. However, if you wish to run with Python3.6+, follow these\r\ninstructions.\r\nYou can also write new indicators or plugins for CHIRP.\r\nPrerequisites\r\nPython 3.6 or greater is required to run CHIRP with Python. If you need help installing Python in your\r\nenvironment, follow the instructions here.\r\nCHIRP must be run on a live machine, but it does not have to be network connected.\r\nInstalling\r\nhttps://github.com/cisagov/CHIRP\r\nPage 1 of 4\n\npython3 -m pip install -e .\r\nIn our experience, yara-python comes with some other dependencies. You MAY have to install Visual\r\nStudio C++ 14.0 and the Windows 10 SDK; this can be retrieved with Visual Studio Community.\r\n🎈 Usage\r\nFrom release\r\n# defaults\r\n.\\chirp.exe -a AA21-008A\r\n# with args\r\n.\\chirp.exe -a AA21-062A -p registry yara -t c:\\\\target_dir\\\\** -o chirp_result --non-interactive -vv\r\nFrom python\r\n# defaults\r\npython3 chirp.py -a AA21-008A\r\n# with args\r\npython3 chirp.py -a AA21-062A -p registry yara -t c:\\\\target_dir\\\\** -o chirp_result --non-interactiv\r\nExample output\r\n[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'Crow\r\n Cosmic Gale', 'FireEye Sunburst']... 
this is going to take a while.\r\n [YARA] Entered yara plugin.\r\n [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.\r\n [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator.\r\n [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.\r\n ...\r\n ...\r\n ...\r\n [+] Done! Your results can be found at Z:\\README\\output.\r\nNon-interactive Mode\r\nNon-interactive mode may be used by issuing the \"--non-interactive\" flag at runtime. Using this flag enables\r\nprocess completion without input. In addition, a non-zero status of 1 will be emitted at runtime completion if IoCs\r\nwere discovered.\r\n⛏️ Built Using\r\nPython - Language\r\nNuitka - For compilation\r\nevtx2json - For event log access\r\nyara-python - Parses and runs yara rules\r\nrich - Makes the CLI easier on the eyes\r\npsutil - Provides an easy API for many OS functions\r\naiomp - Asynchronous multiprocessing\r\npyyaml - Allows YAML interpretation\r\n✍️ Authors\r\nWill Deem, OS1 USCG\r\nJordan Mussman\r\n🎉 Acknowledgements\r\nDenise Keating\r\nLiana Parakesyan\r\nRichard Kenny\r\nMegan Nadeau\r\nEwa Dadok\r\nDavid Zito\r\nChris Brown\r\nJulian Blanco, LTJG USCG\r\nCaleb Stewart, LT USCG\r\nJames Haughom\r\n🤝 Contributing\r\nWe welcome contributions! Please see here for details.\r\n📝 License\r\nThis project is in the worldwide public domain.\r\nThis project is in the public domain within the United States, and copyright and related rights in the work\r\nworldwide are waived through the CC0 1.0 Universal public domain dedication.\r\nAll contributions to this project will be released under the CC0 dedication. 
By submitting a pull request, you are\r\nagreeing to comply with this waiver of copyright interest.\r\n⚖️ Legal Disclaimer\r\nNOTICE\r\nThis software package (“software” or “code”) was created by the United States Government and is not subject to\r\ncopyright within the United States. All other rights are reserved. You may use, modify, or redistribute the code in\r\nany manner. However, you may not subsequently copyright the code as it is distributed. The United States\r\nGovernment makes no claim of copyright on the changes you effect, nor will it restrict your distribution of bona\r\nfide changes to the software. If you decide to update or redistribute the code, please include this notice with the\r\ncode. Where relevant, we ask that you credit the Cybersecurity and Infrastructure Security Agency with the\r\nfollowing statement: “Original code developed by the Cybersecurity and Infrastructure Security Agency (CISA),\r\nU.S. Department of Homeland Security.”\r\nUSE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER\r\nEXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE\r\nOR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.\r\nTHIS SOFTWARE IS OFFERED “AS-IS.” THE UNITED STATES GOVERNMENT WILL NOT INSTALL,\r\nREMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF\r\nHOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.\r\nSource: https://github.com/cisagov/CHIRP",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/cisagov/CHIRP"
	],
	"report_names": [
		"CHIRP"
	],
	"threat_actors": [],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b15b64c2240445fe543cf3d77f2dd722b97fc25.pdf",
		"text": "https://archive.orkl.eu/5b15b64c2240445fe543cf3d77f2dd722b97fc25.txt",
		"img": "https://archive.orkl.eu/5b15b64c2240445fe543cf3d77f2dd722b97fc25.jpg"
	}
}