{"id":13935668,"url":"https://github.com/cisagov/CHIRP","last_synced_at":"2025-07-19T20:33:32.472Z","repository":{"id":39895843,"uuid":"349162056","full_name":"cisagov/CHIRP","owner":"cisagov","description":"A DFIR tool written in Python.     ","archived":true,"fork":false,"pushed_at":"2021-06-09T20:12:04.000Z","size":1172,"stargazers_count":1039,"open_issues_count":8,"forks_count":91,"subscribers_count":52,"default_branch":"main","last_synced_at":"2024-09-27T02:03:40.469Z","etag":null,"topics":["cisa","cybersecurity","dfir","ioc","python","yara-python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cisagov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null}},"created_at":"2021-03-18T17:29:55.000Z","updated_at":"2024-08-18T05:46:12.000Z","dependencies_parsed_at":"2022-08-09T15:36:05.087Z","dependency_job_id":null,"html_url":"https://github.com/cisagov/CHIRP","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cisagov%2FCHIRP","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cisagov%2FCHIRP/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cisagov%2FCHIRP/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cisagov%2FCHIRP/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cisagov","download_url":"https://codeload.github.com/cisagov/CHIRP/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":
"github","repositories_count":226677214,"owners_count":17666018,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cisa","cybersecurity","dfir","ioc","python","yara-python"],"created_at":"2024-08-07T23:01:58.667Z","updated_at":"2024-11-27T03:31:02.642Z","avatar_url":"https://github.com/cisagov.png","language":"Python","funding_links":[],"categories":["Python","Forensics"],"sub_categories":["Steganography"],"readme":"#\n\n\u003cdiv align=\"center\"\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"\" rel=\"noopener\"\u003e\n \u003cimg width=200px height=200px src=\"assets/CISA_Logo.png\" alt=\"CISA logo\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003ch3 align=\"center\"\u003eCHIRP\u003c/h3\u003e\n\n[![Status](https://img.shields.io/badge/status-archived-red.svg)]()\n[![GitHub Issues](https://img.shields.io/github/issues/cisagov/chirp.svg)](https://github.com/cisagov/chirp/issues)\n[![GitHub Pull Requests](https://img.shields.io/github/issues-pr/cisagov/chirp.svg)](https://github.com/cisagov/chirp/pulls)\n[![License](https://img.shields.io/badge/license-CC0_1.0-blue.svg)](/LICENSE)\n\n---\n\n\u003cp align=\"center\"\u003e A DFIR tool written in Python.\n    \u003cbr\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e Watch the \u003ca href=\"https://www.youtube.com/watch?v=UGYSNiNOpds\"\u003evideo overview\u003c/a\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n## 📝 Table of Contents\n\n- [📝 Table of Contents](#-table-of-contents-)\n- [🧐 About](#-about)\n- [🏁 Getting Started](#-getting-started-)\n  - [Prerequisites](#prerequisites)\n  - [Installing](#installing)\n- [🎈 
Usage](#-usage-)\n- [⛏️ Built Using](#️-built-using-)\n- [✍️ Authors](#️-authors-)\n- [🎉 Acknowledgements](#-acknowledgements-)\n- [🤝 Contributing](#-contributing-)\n- [📝 License](#-license-)\n- [⚖️ Legal Disclaimer](#️-legal-disclaimer-)\n\n## 🧐 About\n\nThe CISA Hunt and Incident Response Program (CHIRP) is a tool created to\ndynamically query Indicators of Compromise (IoCs) on hosts with a single\npackage, outputting data in a JSON format for further analysis in a SIEM\nor other tool. CHIRP does not modify any system data.\n\n## 🏁 Getting Started \u003ca name = \"getting_started\"\u003e\u003c/a\u003e\n\nWe build and release CHIRP via\n[`Releases`](https://github.com/cisagov/chirp/releases).\nHowever, if you wish to run with Python 3.6+, follow these instructions.\n\nYou can also write new\n[indicators](https://github.com/cisagov/CHIRP/blob/main/indicators/README.md)\nor [plugins](https://github.com/cisagov/CHIRP/blob/main/chirp/plugins/README.md)\nfor CHIRP.\n\n### Prerequisites\n\nPython 3.6 or greater is required to run CHIRP with Python. If you need help\ninstalling Python in your environment, follow the instructions\n[here](https://docs.Python.org/3/using/windows.html).\n\nCHIRP must be run on a live machine, but it does not have to be network connected.\n\n### Installing\n\n```console\npython3 -m pip install -e .\n```\n\n\u003e In our experience, yara-python comes with some other dependencies. 
You MAY have\nto install Visual Studio C++ 14.0 and the Windows 10 SDK, this can be retrieved\nwith [Visual Studio Community](https://visualstudio.microsoft.com/vs/community/)\n\n## 🎈 Usage \u003ca name=\"usage\"\u003e\u003c/a\u003e\n\n### From [release](https://github.com/cisagov/chirp/releases)\n\n```console\n# defaults\n.\\chirp.exe -a AA21-008A\n\n# with args\n.\\chirp.exe -a AA21-062A -p registry yara -t c:\\\\target_dir\\\\** -o chirp_result --non-interactive -vv\n```\n\n### From python\n\n```console\n# defaults\npython3 chirp.py -a AA21-008A\n\n# with args\npython3 chirp.py -a AA21-062A -p registry yara -t c:\\\\target_dir\\\\** -o chirp_result --non-interactive -vv\n```\n\n### Example output\n\n```console\n[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye       common.py:103\n           Cosmic Gale', 'FireEye Sunburst']... this is going to take a while.\n           [YARA] Entered yara plugin.                                                                                                                       common.py:103\n           [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.                                                                                         common.py:103\n           [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator.                                                                             common.py:103\n           [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.\n           ...\n           ...\n           ...\n           [+] Done! Your results can be found at Z:\\README\\output.\n```\n\n### Non-interactive Mode\n\nNon-interactive mode may be used by issuing the \"--non-interactive\" flag at runtime. Using this flag enables process completion without input. 
In addition, a non-zero status of 1 will be emitted at runtime completion if IoCs were discovered.\n\n## ⛏️ Built Using \u003ca name = \"built_using\"\u003e\u003c/a\u003e\n\n- [Python](https://www.Python.org/) - Language\n- [Nuitka](https://nuitka.net/) - For compilation\n- [evtx2json](https://github.com/vavarachen/evtx2json) - For event log access\n- [yara-python](https://github.com/VirusTotal/yara-python) - Parses and runs yara\nrules\n- [rich](https://github.com/willmcgugan/rich) - Makes the CLI easier on the eyes\n- [psutil](https://github.com/giampaolo/psutil) - Provides an easy API for many\nOS functions\n- [aiomp](https://pypi.org/project/aiomultiprocess/) - Asynchronous multiprocessing\n- [pyyaml](https://pyyaml.org/) - Allows YAML interpretation\n\n## ✍️ Authors \u003ca name = \"authors\"\u003e\u003c/a\u003e\n\n- [Will Deem, OS1 USCG](https://github.com/deemonsecurity)\n- [Jordan Mussman](https://github.com/jklm264)\n\n## 🎉 Acknowledgements \u003ca name = \"acknowledgement\"\u003e\u003c/a\u003e\n\n- Denise Keating\n- Liana Parakesyan\n- Richard Kenny\n- Megan Nadeau\n- Ewa Dadok\n- David Zito\n- Chris Brown\n- [Julian Blanco, LTJG USCG](https://github.com/julianblanco)\n- [Caleb Stewart, LT USCG](https://github.com/calebstewart)\n- James Haughom\n\n## 🤝 Contributing \u003ca name = \"contributing\"\u003e\u003c/a\u003e\n\nWe welcome contributions!  Please see [here](CONTRIBUTING.md) for details.\n\n## 📝 License \u003ca name = \"license\"\u003e\u003c/a\u003e\n\nThis project is in the worldwide [public domain](LICENSE).\n\nThis project is in the public domain within the United States, and copyright and\nrelated rights in the work worldwide are waived through the\n[CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).\n\nAll contributions to this project will be released under the CC0 dedication. 
By\nsubmitting a pull request, you are agreeing to comply with this waiver of\ncopyright interest.\n\n## ⚖️ Legal Disclaimer \u003ca name = \"legal_disclaimer\"\u003e\u003c/a\u003e\n\nNOTICE\n\nThis software package (“software” or “code”) was created by the United States\nGovernment and is not subject to copyright within the United States. All other\nrights are reserved.  You may use, modify, or redistribute\nthe code in any manner. However, you may not subsequently copyright the code as\nit is distributed. The United States Government makes no claim of copyright on\nthe changes you effect, nor will it restrict your distribution of bona fide\nchanges to the software. If you decide to update or redistribute the code, please\ninclude this notice with the code. Where relevant, we ask that you credit the\nCybersecurity and Infrastructure Security Agency with the following statement:\n“Original code developed by the Cybersecurity and Infrastructure Security Agency\n(CISA), U.S. Department of Homeland Security.”\n\nUSE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER\nEXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE\nUSE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.\n\nTHIS SOFTWARE IS OFFERED “AS-IS.” THE UNITED STATES GOVERNMENT WILL NOT INSTALL,\nREMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF\nHOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcisagov%2FCHIRP","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcisagov%2FCHIRP","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcisagov%2FCHIRP/lists"}