CISA Hunt and Incident Response Program (CHIRP)

Critical Infrastructure Colleagues and Partners,


CISA has released the CISA Hunt and Incident Response Program (CHIRP) – a forensics collection capability – to assist network defenders with detecting activity related to the supply chain compromises affecting SolarWinds and Active Directory/Microsoft 365.


CHIRP is an open source project and is freely available to all stakeholders on CISA’s CHIRP GitHub repository ( Visit CISA Alert AA21-077A ( for instructions and guidance on how to run the tool, and CHIRP Overview - YouTube ( for a step-by-step demonstration video.


The initial release of CHIRP scans for signs of advance persistent threat compromise within an on-premises environment to detect indicators of compromise (IOCs) associated with AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (, and AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments (


CHIRP is most likely to benefit Category 2 entities, as defined by Activity Alert AA20-352A, where the presence of the malicious binary has been identified, but evidence of follow-on threat activity has yet to be identified.


Please be aware that further engagement is forthcoming. Next week CISA will follow up with next steps and guidance for tool utilization. In the meantime, CISA encourages CHIRP users to ask general questions via email at or by phone at 1-888-282-0870. Following the utilization of the tool, organizations are encouraged to report indications of potential compromise, please contact For all technical issues or support for CHIRP, please submit issues at the CISA CHIRP GitHub repository (



 Cybersecurity and Infrastructure Security Agency
Defend Today Secure Tomorrow