CISA gives details of a tool it has developed for detecting post-compromise threat activity

Published: Wednesday, 24 March 2021 09:46

The US Cybersecurity & Infrastructure Security Agency (CSIA) has published details of the CHIRP indicators of compromise (IOC) detection tool which it is making freely available. In alert ‘AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool’ CISA gives an overview of the CHIRP (CISA Hunt and Incident Response Program) tool, which scans for signs of APT compromise within an on-premises environment.

CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A.

CHIRP is freely available on the CISA GitHub Repository and CISA will continue to release plugins and IOC packages for new threats as they develop.