Using CHIRP to Detect Post-Compromise Threat Activity in On-Premises Environments

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for Cybersecurity and Infrastructure Security Agency. This information has recently been updated, and is now available.

03/18/2021 10:53 AM EDT
Original release date: March 18, 2021

CISA Hunt and Incident Response Program (CHIRP) is a new forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with the SolarWinds and Active Directory/M365 Compromise. CHIRP is freely available on the CISA GitHub repository.

Similar to the CISA-developed Sparrow tool—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.

CISA Alert AA21-077A: Detecting Post-Compromise Threat Activity using the CHIRP IOC Detection Tool provides guidance on using the new tool. This Alert is a companion to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations and AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud. For additional guidance watch CISA’s CHIRP Overview video.

CISA encourages users and administrations to review the Alert for more information. For more technical information on the SolarWinds Orion supply chain compromise, see CISA’s Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page. For general information on CISA’s response to the supply chain compromise, refer to

This product is provided subject to this Notification and this Privacy & Use policy.

Leave a comment

Your email address will not be published. Required fields are marked *