  • This repository has been archived on 10/Jun/2021
  • Stars: 1,040
  • Rank 42,750 (Top 0.9 %)
  • Language: Python
  • License: Creative Commons ...
  • Created about 3 years ago
  • Updated about 1 year ago

CHIRP

A DFIR tool written in Python.

Watch the video overview

🧐 About

The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.

🏁 Getting Started

We build and release CHIRP via Releases. However, if you wish to run it directly with Python 3.6+, follow these instructions.

You can also write new indicators or plugins for CHIRP.

Prerequisites

Python 3.6 or greater is required to run CHIRP from source. If you need help installing Python in your environment, follow the instructions here.

CHIRP must be run on a live machine, but it does not have to be network connected.

Installing

python3 -m pip install -e .

In our experience, yara-python comes with some additional build dependencies. On Windows you MAY have to install Visual Studio C++ 14.0 and the Windows 10 SDK; both can be retrieved with Visual Studio Community.

🎈 Usage

From release

# defaults
.\chirp.exe -a AA21-008A

# with args
.\chirp.exe -a AA21-062A -p registry yara -t c:\\target_dir\\** -o chirp_result --non-interactive -vv

From python

# defaults
python3 chirp.py -a AA21-008A

# with args
python3 chirp.py -a AA21-062A -p registry yara -t c:\\target_dir\\** -o chirp_result --non-interactive -vv

Example output

[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye       common.py:103
           Cosmic Gale', 'FireEye Sunburst']... this is going to take a while.
           [YARA] Entered yara plugin.                                                                                                                       common.py:103
           [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.                                                                                         common.py:103
           [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator.                                                                             common.py:103
           [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.
           ...
           ...
           ...
           [+] Done! Your results can be found at Z:\README\output.

Non-interactive Mode

Non-interactive mode may be used by issuing the "--non-interactive" flag at runtime. Using this flag lets the process run to completion without any user input. In addition, CHIRP exits with a non-zero status of 1 if any IoCs were discovered, so the exit code can be checked by a wrapper script or orchestration job.
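The example console output above and the exit-status convention of non-interactive mode are what an analyst typically has to act on when CHIRP is run at scale. The following script is an added example, not part of CHIRP itself: it parses the "[PLUGIN] Found N hit(s) for ... indicator." lines from a captured console log, totals hits per plugin, lists the indicators that fired, and derives the same 0/1 status the README documents. The line format is inferred from the README's example output, and the sample log (with its non-zero counts) is constructed here to exercise the logic.

```python
import re
import sys
from collections import defaultdict

# Pattern for the per-indicator summary lines CHIRP prints to the console, e.g.
#   [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.
# The shape is inferred from the example output in this README (an assumption);
# the leading "[HH:MM:SS]" timestamp and the trailing "common.py:103" source
# marker added by the logger are ignored by using search() rather than match().
HIT_LINE = re.compile(
    r"\[(?P<plugin>[A-Z]+)\]\s+Found\s+(?P<hits>\d+)\s+hit\(s\)\s+for\s+"
    r"(?P<indicator>.+?)\s+indicator\."
)

# Constructed sample console output modelled on the README's example. The two
# non-zero counts are made up here so the summary logic has something to flag.
SAMPLE_OUTPUT = """\
[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Teardrop']... this is going to take a while.  common.py:103
           [YARA] Entered yara plugin.                                                          common.py:103
           [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.                            common.py:103
           [REGISTRY] Found 2 hit(s) for Teardrop - Registry Activity indicator.                common.py:103
           [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.
           [YARA] Found 1 hit(s) for CISA Teardrop indicator.
           [+] Done! Your results can be found at Z:\\README\\output.
"""


def parse_hits(output):
    """Extract (plugin, indicator, hit_count) from every 'Found N hit(s)' line."""
    results = []
    for line in output.splitlines():
        match = HIT_LINE.search(line)
        if match:
            results.append((match["plugin"], match["indicator"], int(match["hits"])))
    return results


def summarize(results):
    """Total hits per plugin, plus the list of indicators that actually fired."""
    per_plugin = defaultdict(int)
    fired = []
    for plugin, indicator, hits in results:
        per_plugin[plugin] += hits
        if hits > 0:
            fired.append((plugin, indicator, hits))
    return dict(per_plugin), fired


def exit_status(results):
    """Mirror the documented --non-interactive convention: 1 if any IoC hit, else 0."""
    return 1 if any(hits > 0 for _, _, hits in results) else 0


if __name__ == "__main__":
    # Read a captured CHIRP console log from stdin, or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    hits = parse_hits(text)
    per_plugin, fired = summarize(hits)
    for plugin, total in sorted(per_plugin.items()):
        checked = sum(1 for p, _, _ in hits if p == plugin)
        print(f"{plugin}: {total} hit(s) across {checked} indicator(s)")
    for plugin, indicator, count in fired:
        print(f"  triage: [{plugin}] {indicator} ({count})")
    sys.exit(exit_status(hits))
```

Pipe a saved console log into the script (for example, `python3 chirp_summary.py < chirp_console.log`) and branch on its exit code the same way you would on CHIRP's own; the per-indicator list tells the responder which indicators to open first in the JSON results directory.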

⛏️ Built Using

  • Python - Language
  • Nuitka - For compilation
  • evtx2json - For event log access
  • yara-python - Parses and runs yara rules
  • rich - Makes the CLI easier on the eyes
  • psutil - Provides an easy API for many OS functions
  • aiomp - Asynchronous multiprocessing
  • pyyaml - Allows YAML interpretation

✍️ Authors

🎉 Acknowledgements

🤝 Contributing

We welcome contributions! Please see here for details.

📝 License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

⚖️ Legal Disclaimer

NOTICE

This software package (“software” or “code”) was created by the United States Government and is not subject to copyright within the United States. All other rights are reserved. You may use, modify, or redistribute the code in any manner. However, you may not subsequently copyright the code as it is distributed. The United States Government makes no claim of copyright on the changes you effect, nor will it restrict your distribution of bona fide changes to the software. If you decide to update or redistribute the code, please include this notice with the code. Where relevant, we ask that you credit the Cybersecurity and Infrastructure Security Agency with the following statement: “Original code developed by the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security.”

USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.

THIS SOFTWARE IS OFFERED “AS-IS.” THE UNITED STATES GOVERNMENT WILL NOT INSTALL, REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.

More Repositories

  • RedEye (TypeScript, 2,613 stars): RedEye is a visual analytic tool supporting Red & Blue Team operations
  • Malcolm (Python, 1,504 stars): Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
  • Sparrow (PowerShell, 1,371 stars): Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
  • ScubaGear (Open Policy Agent, 1,361 stars): Automation to assess the state of your M365 tenant against CISA's baselines
  • cset (TSQL, 1,305 stars): Cybersecurity Evaluation Tool
  • log4j-scanner (Java, 1,262 stars): log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
  • log4j-affected-db (Shell, 1,115 stars): A community sourced list of log4j-affected software
  • decider (HTML, 1,021 stars): A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
  • untitledgoosetool (Python, 699 stars): Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer's Azure Active Directory (AzureAD), Azure, and M365 environments.
  • LME (PowerShell, 690 stars): Logging Made Easy (LME) is a no-cost and open logging and protective monitoring solution serving all organizations.
  • pshtt (Python, 668 stars): Scan domains and return data based on HTTPS best practices
  • crossfeed (TypeScript, 320 stars): External monitoring for organization assets
  • ESXiArgs-Recover (Shell, 293 stars): A tool to recover from ESXiArgs ransomware
  • bad-practices (Shell, 181 stars): CISA's catalog of bad practices that are exceptionally risky.
  • development-guide (Python, 180 stars): A set of guidelines and best practices for an awesome engineering team
  • trustymail (Python, 180 stars): Scan domains and return data based on trustworthy email best practices
  • cyber.dhs.gov (SCSS, 138 stars): A site for CISA directives
  • dotgov-data (108 stars): Official list of .gov domains
  • ScubaGoggles (Open Policy Agent, 105 stars): SCuBA Security Configuration Baselines and assessment tool for Google Workspace
  • check-cve-2019-19781 (Python, 105 stars): Test a host for susceptibility to CVE-2019-19781
  • ICSNPP (104 stars): Industrial Control Systems Network Protocol Parsers
  • findcdn (Python, 92 stars): findCDN is a tool created to help accurately identify what CDN a domain is using.
  • prescup-challenges (Python, 78 stars): President's Cup Cybersecurity Competition Challenges
  • ansible-role-cobalt-strike (HCL, 66 stars): An Ansible role for installing Cobalt Strike.
  • shareable-soar-workflows (62 stars): This is a repository of vendor-agnostic workflows provided for those interested in deploying Security Orchestration, Automation, and Response capabilities within their organizations.
  • cybersecurity-performance-goals (Shell, 53 stars): CISA's space for collaboration on the Cybersecurity Performance Goals.
  • PNT-Integrity (C++, 49 stars): The PNT Integrity Library provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
  • join-cisagov (Shell, 45 stars): CISA is hiring! We're looking for candidates passionate about our mission to lead the national effort to understand and manage cyber and physical risk to our critical infrastructure.
  • gophish-tools (Python, 39 stars): Helpful tools for interacting with a GoPhish phishing instance
  • ioc-scanner (Python, 39 stars): Search a filesystem for indicators of compromise (IoC).
  • vdp-in-fceb (32 stars): Vulnerability disclosure policies in the US Government's executive branch
  • Epsilon (Python, 31 stars): The Epsilon Algorithm Suite provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
  • gophish-docker (Shell, 30 stars): Docker container for the gophish phishing framework.
  • check-your-pulse (Python, 28 stars): This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.
  • getgov (Python, 27 stars): Building a new .gov registrar for a bright .gov future
  • postfix-docker (Shell, 26 stars): Docker container with a postfix server designed for use during phishing campaigns
  • dotgov-home (SCSS, 25 stars): Homepage for the .gov registry
  • assessment-reporting-engine (Python, 24 stars)
  • skeleton-python-library (Python, 19 stars): A skeleton project for quickly getting a new cisagov Python library started.
  • scanner (Shell, 18 stars): Automated pshtt, trustymail, and sslyze scanning
  • cyhy_amis (HCL, 16 stars): AWS infrastructure for Cyber Hygiene and BOD 18-01 scanning
  • admiral (Python, 14 stars): Distributed certificate transparency log harvester
  • skeleton-docker (Shell, 14 stars): A skeleton project for quickly getting a new cisagov Docker container started.
  • icsnpp-opcua-binary (JavaScript, 13 stars): Zeek OPCUA Binary Parser - CISA ICSNPP
  • icsnpp-enip (Zeek, 13 stars): Zeek Ethernet/IP and CIP Parser - CISA ICSNPP
  • pe-reports (Python, 13 stars): Automated process to build and distribute Posture & Exposure Reports bi-weekly to customers.
  • icsnpp-bacnet (JavaScript, 12 stars): Zeek BACnet Parser - CISA ICSNPP
  • ansible-role-clamav (Shell, 12 stars): Ansible role to install and enable the ClamAV virus scanner
  • lambda_functions (Shell, 12 stars): Generate AWS Lambda environment zip files for use by cisagov/domain-scan
  • icsnpp-s7comm (JavaScript, 11 stars): Zeek S7comm, S7comm-plus, and COTP Parser - CISA ICSNPP
  • network-architecture-verification-and-validation (Python, 11 stars): The NAVV (Network Architecture Verification and Validation) tool creates a spreadsheet for network traffic analysis from PCAP data and Zeek logs, automating Zeek analysis of PCAP files, the collation of Zeek logs and the dissection of conn.log and dns.log to create a summary of network traffic in an XLSX-formatted spreadsheet.
  • docker-kali-ansible (Dockerfile, 10 stars): A systemd-enabled Kali Linux Docker image, in the spirit of geerlingguy/docker-debian11-ansible.
  • tic3.0 (10 stars): Collaborating on Trusted Internet Connection 3.0 use cases
  • icsnpp-genisys (Python, 10 stars): Industrial Control Systems Network Protocol Parsers (ICSNPP) - Genisys over TCP/IP
  • gh-skeleton (Shell, 10 stars): This extension for the gh CLI provides the ability to easily start new projects from our existing library of skeleton repositories.
  • scoping-validation-tool (Python, 9 stars): SVT is a tool that can be used to verify ownership and location of assets during the scoping process of a penetration test.
  • orchestrator (Shell, 9 stars): Orchestrate gatherer, scanner, saver, and trustymail_reporter
  • pshtt_reporter (Python, 9 stars): Generate HTTPS reports based on scan data
  • cyhy-mailer (Python, 9 stars): Email Cyber Hygiene, Trustworthy Email, and HTTPS reports to the appropriate technical or distribution addresses
  • trustymail_reporter (Python, 9 stars): Generate Trustworthy Email reports based on scan data
  • pre-commit-packer (Shell, 9 stars): Provides pre-commit hooks for Packer projects.
  • nessus-packer (HCL, 9 stars): Create machine images containing the Nessus vulnerability scanner
  • domain-manager-api (Python, 9 stars): Flask API for Domain Manager
  • gatherer (Shell, 9 stars): Gather domains as a precursor to scanning
  • certboto-docker (Shell, 9 stars): Certbot container that stores its configuration in an AWS S3 bucket
  • icsnpp-modbus (Zeek, 8 stars): Zeek Modbus Extension Scripts - CISA ICSNPP
  • aws-profile-sync (Python, 8 stars): Synchronize AWS credential profiles from remote sources
  • ansible-role-kali (HCL, 8 stars): An Ansible role for provisioning kali
  • icsnpp-dnp3 (Zeek, 8 stars): Zeek DNP3 Extension Scripts - CISA ICSNPP
  • dmarc-import (Python, 8 stars): A tool for parsing DMARC aggregate reports.
  • icsnpp-bsap-ip (JavaScript, 8 stars): Zeek BSAP over IP Parser - CISA ICSNPP
  • CISASuite (HTML, 8 stars): The CSET, Malcolm, Con-PCA suite of tools
  • icsnpp-ethercat (C++, 8 stars): Zeek Ethercat Parser - CISA ICSNPP
  • skeleton-generic (Shell, 8 stars): A generic skeleton project for quickly getting a new cisagov project started.
  • Sogu (PowerShell, 8 stars): This script generates a list of possible SOGU filenames based on serial numbers of active drives. It has the added functionality of searching each drive from the generated file list.
  • travis-wait-improved (Python, 7 stars): A tool to help long-running, yet reticent, processes avoid death at the hands of Travis-CI.
  • con-pca-api (HTML, 7 stars): API Docker Container for Con-PCA
  • .dotfiles (Shell, 7 stars): Generic set of dotfiles to get you started with a cisagov development environment
  • domain-manager-ui (HTML, 7 stars): UI for the Domain Manager
  • pen-testing-findings (7 stars): A collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test.
  • vulnerable-instances (HCL, 7 stars): Virtual machines that are set up with a variety of known vulnerabilities.
  • openvpn-server-tf-module (HCL, 6 stars): Terraform module to create an OpenVPN server instance
  • scan-target-data (Shell, 6 stars): Contains data used to identify targets for scanning
  • ansible-role-burp-suite-pro (HCL, 6 stars): An Ansible role for installing Burp Suite Professional
  • con-pca-web (HTML, 6 stars): The website source and terraform code for continuous phishing assessment.
  • kali-packer (HCL, 6 stars): This project can be used to create AMIs based on Kali Linux, a penetration testing distribution.
  • security-contact-finder (CSS, 6 stars): Making government security contacts accessible
  • saver (Python, 6 stars): Save scan results to a database
  • con-pca-cicd (HCL, 6 stars): Continuous phishing main repository
  • megazord-composition (Shell, 6 stars)
  • ansible-role-openvpn (Shell, 6 stars): Ansible role to install an OpenVPN server and configure it to authenticate users' certificates against FreeIPA.
  • ansible-role-amazon-efs-utils (Shell, 5 stars): An Ansible role for installing aws/efs-utils
  • PNT-Integrity-Toolkit (C++, 5 stars): The PNT Integrity DIY Toolkit describes how a prospective end-user of the PNT Integrity Library can assemble a demonstrational toolkit with commercial-off-the-shelf (COTS) hardware.
  • awssh (Python, 5 stars): Tool to simplify secure shell connections over AWS simple systems manager.
  • sslyze-lambda (Python, 5 stars): AWS Lambda function for sslyze
  • cyhy-core (Python, 5 stars)
  • cool-assessment-terraform (HCL, 5 stars): Terraform to deploy an assessment environment to the COOL
  • ncats-data-dictionary (Shell, 5 stars)
  • flare-misp-service (Java, 5 stars): Automate the regular transfer of AIS data into a MISP Server
  • Excel2STIX (Python, 5 stars): Generate a STIX XML output file from a Microsoft Excel spreadsheet.