{
	"id": "e46caa94-ad64-4766-98c1-167691579838",
	"created_at": "2026-04-06T00:21:14.494936Z",
	"updated_at": "2026-04-10T03:20:36.053937Z",
	"deleted_at": null,
	"sha1_hash": "a43835672bd369de116f0dfe50b2205c01725710",
	"title": "Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73405,
	"plain_text": "Detecting Post-Compromise Threat Activity Using the CHIRP IOC\r\nDetection Tool | CISA\r\nPublished: 2021-04-15 · Archived: 2026-04-05 17:31:03 UTC\r\nSummary\r\nUpdated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence\r\nService (SVR). Additional information may be found in a statement from the White House. For more\r\ninformation on SolarWinds-related activity, go to https://us-cert.cisa.gov/remediating-apt-compromised-networks and https://www.cisa.gov/supply-chain-compromise.\r\nThis Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics\r\ncollection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated\r\nwith activity detailed in the following CISA Alerts:\r\nAA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure,\r\nand Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s\r\ncompromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure\r\nentities, and private network organizations.\r\nAA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which\r\naddresses APT activity within Microsoft 365/Azure environments and offers an overview of—and\r\nguidance on—available open-source tools. 
The Alert includes the CISA-developed Sparrow tool that\r\nhelps network defenders detect possibly compromised accounts and applications in the Azure/M365\r\nenvironment.\r\nSimilar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—\r\nCHIRP scans for signs of APT compromise within an on-premises environment.\r\nIn this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A\r\nand AA21-008A that has spilled into an on-premises enterprise environment.\r\nCHIRP is freely available on the CISA GitHub Repository. For additional guidance watch CISA's CHIRP\r\nOverview video. Note: CISA will continue to release plugins and IOC packages for new threats via the CISA\r\nGitHub Repository.\r\nCISA advises organizations to use CHIRP to:\r\nExamine Windows event logs for artifacts associated with this activity;\r\nExamine Windows Registry for evidence of intrusion;\r\nQuery Windows network artifacts; and\r\nApply YARA rules to detect malware, backdoors, or implants.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-077a\r\nPage 1 of 4\n\nNetwork defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has\r\nprovided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive\r\nhits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis\r\non the system(s).\r\nIf an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party\r\nIT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a\r\ncompromised network.\r\nTechnical Details\r\nHow CHIRP Works\r\nCHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of\r\ncompromise. 
CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for\r\nsigns of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that\r\nCISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A.\r\nCurrently, the tool looks for:\r\nThe presence of malware identified by security researchers as TEARDROP and RAINDROP;\r\nCredential dumping certificate pulls;\r\nCertain persistence mechanisms identified as associated with this campaign;\r\nSystem, network, and M365 enumeration; and\r\nKnown observable indicators of lateral movement.\r\nNetwork defenders can follow step-by-step instructions on the CISA CHIRP GitHub repository to add\r\nadditional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the\r\nSolarWinds Orion supply chain compromise or new threat activity.\r\nCompatibility\r\nCHIRP currently only scans Windows operating systems.\r\nInstructions\r\nCHIRP is available on CISA’s GitHub repository in two forms:\r\n1. A compiled executable\r\n2. A Python script\r\nCISA recommends using the compiled version to easily scan a system for APT activity. For instructions to run,\r\nread the README.md in the CHIRP GitHub repository.\r\nIf you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.\r\nMitigations\r\nInterpreting the Results\r\nCHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security\r\ninformation and event management (SIEM) system, if available. If no SIEM system is available, results can be\r\nviewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those\r\ndetections should be reviewed and confirmed. 
CISA has provided confidence scores for each IOC and YARA rule\r\nincluded with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the\r\nrelevant system(s) and conducting a forensic analysis on the system(s).\r\nIf you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security\r\nsupport. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised\r\nnetwork.\r\nFrequently Asked Questions\r\n1. What systems should CHIRP run on?\r\nSystems running SolarWinds Orion or believed to be involved in any resulting lateral movement.\r\n2. What should I do with results?\r\nIngest the JSON results into a SIEM system, web browser, or text editor.\r\n3. Are there existing tools that CHIRP complements and/or that provide the same benefit as CHIRP?\r\na. Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can\r\nprovide a complementary benefit to antivirus when run.\r\nb. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure\r\nenvironments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. CHIRP\r\nprovides a complementary capability to Sparrow by scanning on-premises systems for similar\r\nactivity.\r\n4. How often should I run CHIRP?\r\nCHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in\r\nits native format.\r\n5. Do I need to configure the tool before I run it?\r\nNo.\r\n6. Will CHIRP change or affect anything on the system(s) it runs on?\r\nNo, CHIRP only scans the system(s) it runs on and makes no active changes.\r\n7. How long will it take to run CHIRP?\r\nCHIRP will complete its scan in approximately 1 to 2 hours. 
Duration will be dependent on the level of\r\nactivity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as\r\nit runs.\r\n8. If I have questions, who do I contact?\r\nFor general questions regarding CHIRP, please contact CISA via email at central@cisa.dhs.gov or by\r\nphone at 1-844-Say-CISA. For reporting indicators of potential compromise, contact us by submitting a\r\nreport through our website at https://us-cert.cisa.gov/report. For all technical issues or support for CHIRP,\r\nplease submit issues at the CISA CHIRP GitHub Repository.\r\nRevisions\r\nMarch 18, 2021: Initial Publication | April 9, 2021: Fixed PDF (not related to content) | April 15, 2021: Updated\r\nwith Attribution Statement\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-077a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-077a"
	],
	"report_names": [
		"aa21-077a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a43835672bd369de116f0dfe50b2205c01725710.pdf",
		"text": "https://archive.orkl.eu/a43835672bd369de116f0dfe50b2205c01725710.txt",
		"img": "https://archive.orkl.eu/a43835672bd369de116f0dfe50b2205c01725710.jpg"
	}
}