"DHS CISA Shares Incident Response Tool for On-Prem Threat Activity"

The CISA Hunt and Incident Response Program (CHIRP) is a new forensics collection tool developed by the U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) to help network defenders detect signs of advanced persistent threat (APT) compromise within an on-premises environment. CHIRP is designed to detect indicators of compromise (IOCs) associated with SolarWinds and Active Directory/M365 threat activity. According to CISA, CHIRP is a command-line executable with a dynamic plugin system for searching for IOCs. The tool's plugins search through event logs and registry keys, and also run YARA rules to look for signs of APT tactics, techniques, and procedures. It ships with a YAML file containing a list of IOCs associated with malware and APT activity. The current version of CHIRP looks for the presence of TEARDROP and RAINDROP, two malware strains identified by security researchers. CHIRP also looks for credential dumping, certificate pulls, and persistence mechanisms. The tool is available for free on the CISA GitHub repository. Officials will continue monitoring for new threats and will release IOC packages and plugins for those threats. This article continues to discuss the purpose and features of the CHIRP tool.

HealthITSecurity reports "DHS CISA Shares Incident Response Tool for On-Prem Threat Activity"