
CHIRP



A DFIR tool written in Python.

Watch the video overview

πŸ“ Table of Contents

🧐 About

The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.

🏁 Getting Started

We build and release CHIRP via Releases. However, if you wish to run it with Python 3.6+, follow these instructions.

You can also write new indicators or plugins for CHIRP.

Prerequisites

Python 3.6 or greater is required to run CHIRP with Python. If you need help installing Python in your environment, follow the instructions here.

CHIRP must be run on a live machine, but it does not have to be network connected.

Installing

python3 -m pip install -e .

In our experience, yara-python pulls in some build-time dependencies: it compiles a native extension, so you MAY have to install Visual Studio C++ 14.0 and the Windows 10 SDK. Both can be retrieved with Visual Studio Community or the Visual Studio Build Tools.

🎈 Usage

From release

# defaults
.\chirp.exe -a AA21-008A

# with args
.\chirp.exe -a AA21-062A -p registry yara -t c:\\target_dir\\** -o chirp_result --non-interactive -vv

From python

# defaults
python3 chirp.py -a AA21-008A

# with args
python3 chirp.py -a AA21-062A -p registry yara -t c:\\target_dir\\** -o chirp_result --non-interactive -vv

Example output

[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye       common.py:103
           Cosmic Gale', 'FireEye Sunburst']... this is going to take a while.
           [YARA] Entered yara plugin.                                                                                                                       common.py:103
           [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.                                                                                         common.py:103
           [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator.                                                                             common.py:103
           [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.
           ...
           ...
           ...
           [+] Done! Your results can be found at Z:\README\output.

Non-interactive Mode

Non-interactive mode is enabled by passing the "--non-interactive" flag at runtime. With it set, CHIRP runs to completion without waiting for any keyboard input, and exits with a non-zero status of 1 if IoCs were discovered, so a calling script or scheduled task can branch on the exit code instead of parsing console output.
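To put that exit status to use, here is an added example of a Python wrapper (not part of CHIRP itself) that runs the tool unattended, classifies the exit code, and triages the JSON reports it leaves in the output directory. It assumes only the command-line flags documented above, the status 1 behaviour, and the per-indicator report shape posted in the project's issue tracker ({indicator: {"description", "confidence", "matches": [{"rule", "file", ...}]}}); the report file names inside the output directory, the treatment of exit codes other than 0 and 1, the shape of non-YARA plugin reports, and the sample report are the example's own assumptions.

```python
"""Unattended CHIRP run plus triage of its JSON reports.

Added example, not CHIRP project code. Assumes the README's CLI flags
(-a, -p, -t, -o, --non-interactive, -v) and exit status 1 on IoC hits.
Report file names and exit codes other than 0/1 are assumptions.
"""
import json
import subprocess
from pathlib import Path, PureWindowsPath
from typing import Dict, List, Optional

EXIT_CLEAN = 0      # documented: finished, no IoCs
EXIT_IOC_FOUND = 1  # documented: finished, at least one IoC matched


def build_command(exe: str, advisory: str, plugins: Optional[List[str]] = None,
                  target: Optional[str] = None, out_dir: str = "chirp_result",
                  verbosity: int = 2) -> List[str]:
    """Assemble argv for an unattended run, mirroring the README usage line."""
    cmd = [exe, "-a", advisory, "--non-interactive", "-o", out_dir]
    if plugins:
        cmd += ["-p", *plugins]
    if target:
        cmd += ["-t", target]
    if verbosity > 0:
        cmd.append("-" + "v" * verbosity)
    return cmd


def classify_exit(returncode: int) -> str:
    """Map the exit status to a verdict; anything undocumented is an error."""
    if returncode == EXIT_CLEAN:
        return "clean"
    if returncode == EXIT_IOC_FOUND:
        return "ioc_found"
    return "error"  # assumption: crash, partial run, or a future status code


def is_self_hit(match_file: str, chirp_dir: str) -> bool:
    """True when a hit lies inside CHIRP's own tree: its indicator YAML files
    embed the strings the YARA rules look for, so they match themselves."""
    hit = [p.lower() for p in PureWindowsPath(match_file).parts]
    root = [p.lower() for p in PureWindowsPath(chirp_dir).parts]
    return bool(root) and hit[:len(root)] == root


def triage_reports(reports: Dict[str, object], chirp_dir: str) -> Dict[str, List[dict]]:
    """Merge per-plugin reports into {indicator: [matches outside chirp_dir]}.
    Reports not shaped {indicator: {"matches": [...]}} are skipped (assumption)."""
    findings: Dict[str, List[dict]] = {}
    for report in reports.values():
        if not isinstance(report, dict):
            continue
        for indicator, entry in report.items():
            if not isinstance(entry, dict):
                continue
            kept = [m for m in entry.get("matches", [])
                    if isinstance(m, dict)
                    and not is_self_hit(str(m.get("file", "")), chirp_dir)]
            if kept:
                findings.setdefault(indicator, []).extend(kept)
    return findings


def load_reports(output_dir: str) -> Dict[str, object]:
    """Read every *.json file CHIRP wrote into its output directory."""
    return {p.name: json.loads(p.read_text(encoding="utf-8"))
            for p in sorted(Path(output_dir).glob("*.json"))}


def run_chirp(exe: str, advisory: str, chirp_dir: str, **options) -> dict:
    """Run CHIRP unattended; return the verdict and the filtered findings."""
    out_dir = options.get("out_dir", "chirp_result")
    proc = subprocess.run(build_command(exe, advisory, **options), check=False)
    verdict = classify_exit(proc.returncode)
    findings = triage_reports(load_reports(out_dir), chirp_dir) if verdict != "error" else {}
    return {"verdict": verdict, "returncode": proc.returncode, "findings": findings}


# Constructed sample report, shaped after the one pasted in the
# 'Yara IoCs identifying themselves' issue: one self-hit on CHIRP's own
# indicator file and one hit on an invented file elsewhere on disk.
SAMPLE_REPORT = {
    "CrowdStrike Sunspot": {
        "description": "Identifies Sunspot backdoor dropper ...",
        "confidence": 10,
        "matches": [
            {"rule": "CrowdStrike_SUNSPOT_02", "namespace": "CrowdStrike Sunspot",
             "file": "C:\\Users\\UserX\\Downloads\\chirp v1.0.2\\indicators\\crowdstrike_sunspot.yaml"},
            {"rule": "CrowdStrike_SUNSPOT_02", "namespace": "CrowdStrike Sunspot",
             "file": "C:\\Users\\UserX\\AppData\\Local\\Temp\\sample.bin"},
        ],
    },
}
```

Point chirp_dir at the folder the release or checkout was extracted into; matches under it are dropped because CHIRP's YARA rules also fire on the project's own indicator files, which carry the same strings the rules search for (see the "Yara IoCs identifying themselves" issue below). A verdict of "error" means the reports may be incomplete and should not be read as a clean result.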

⛏️ Built Using

  • Python - Language
  • Nuitka - For compilation
  • evtx2json - For event log access
  • yara-python - Parses and runs yara rules
  • rich - Makes the CLI easier on the eyes
  • psutil - Provides an easy API for many OS functions
  • aiomp - Asynchronous multiprocessing
  • pyyaml - Allows YAML interpretation

✍️ Authors

🎉 Acknowledgements

🤝 Contributing

We welcome contributions! Please see here for details.

📝 License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

⚖️ Legal Disclaimer

NOTICE

This software package ("software" or "code") was created by the United States Government and is not subject to copyright within the United States. All other rights are reserved. You may use, modify, or redistribute the code in any manner. However, you may not subsequently copyright the code as it is distributed. The United States Government makes no claim of copyright on the changes you effect, nor will it restrict your distribution of bona fide changes to the software. If you decide to update or redistribute the code, please include this notice with the code. Where relevant, we ask that you credit the Cybersecurity and Infrastructure Security Agency with the following statement: "Original code developed by the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security."

USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.

THIS SOFTWARE IS OFFERED "AS-IS." THE UNITED STATES GOVERNMENT WILL NOT INSTALL, REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.

chirp's People

Contributors

cclauss, d33bs, deemonsecurity, greyl0cke

chirp's Issues

Issue running from python Server 2008 R2 64

πŸ› Summary

Issue running Python command on Server 2008 R2

See picture: that error shows when trying to run chirp.exe; the app crashes.

Any helpful log output or screenshots

Second method, running chirp.exe from PowerShell or CMD with administrator rights:

[EVENTS] Read 0 logs, found 0 matches

πŸ› Summary

From CLI output, I see this line:

[09:33:29] [EVENTS] Read 0 logs, found 0 matches. common.py:103

To reproduce

Steps to reproduce the behavior:

  1. Run Executable as administrator
  2. Observe output

Expected behavior

[09:33:29] [EVENTS] Read NNNN logs, found x matches. common.py:103

Any helpful log output or screenshots

Paste the results here:

[09:30:18] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', common.py:103
'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']...
this is going to take a while.
[YARA] Entered yara plugin. common.py:103
[REGISTRY] Found 0 hit(s) for IFEO Persistence indicator. common.py:103
[REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator. common.py:103
[REGISTRY] Found 0 hit(s) for Sibot - Registry indicator. common.py:103
[REGISTRY] Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File common.py:103
Execution Options
[REGISTRY] Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF common.py:103
[REGISTRY] Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not common.py:103
exist.
[REGISTRY] Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot common.py:103
[REGISTRY] Entered registry plugin. common.py:103
[NETWORK] Read 327 records, found 0 IoC hits. common.py:103
[NETWORK] Entered network plugin. common.py:103
[EVENTS] Entered events plugin. common.py:103
[09:30:36] [EVENTS] Reading KernelMode event logs. common.py:103
[EVENTS] Reading Security event logs. common.py:103
[EVENTS] Reading Windows Powershell event logs. common.py:103
[09:33:27] [YARA] Beginning processing. common.py:103
[09:33:29] [EVENTS] Read 0 logs, found 0 matches. common.py:103
[09:34:23] [YARA] We're still working on scanning files. 50000 processed. common.py:103
[09:35:17] [YARA] We're still working on scanning files. 100000 processed. common.py:103
[09:36:17] [YARA] We're still working on scanning files. 150000 processed. common.py:103
[09:36:43] [YARA] We're still working on scanning files. 200000 processed. common.py:103
[09:37:29] [YARA] We're still working on scanning files. 250000 processed. common.py:103
[09:38:07] [YARA] We're still working on scanning files. 300000 processed. common.py:103
[09:38:39] [YARA] We're still working on scanning files. 350000 processed. common.py:103
[09:39:27] [YARA] We're still working on scanning files. 400000 processed. common.py:103
[09:39:51] [YARA] We're still working on scanning files. 450000 processed. common.py:103
[09:40:17] [YARA] We're still working on scanning files. 500000 processed. common.py:103
[09:40:41] [YARA] We're still working on scanning files. 550000 processed. common.py:103
[09:41:13] [YARA] We're still working on scanning files. 600000 processed. common.py:103
[09:42:07] [YARA] We're still working on scanning files. 650000 processed. common.py:103
[09:42:47] [YARA] We're still working on scanning files. 700000 processed. common.py:103
[09:43:15] [YARA] We're still working on scanning files. 750000 processed. common.py:103
[09:43:45] [+] DONE! Your results can be found in C:\ARTemp\chirp\output. common.py:103
[YARA] Found 0 hit(s) for yara indicators. common.py:103
[YARA] Done. Processed 796957 files. common.py:103

STIX indicator parser

💡 Summary

Write a translation layer, allowing STIX indicators to be directly ingested and queried.

Motivation and context

This would allow CISA to release threat packages that can be directly executed without manual translation.

Implementation notes

Implementation would follow our current indicator format of dropping files in the indicators folder. When we are in the loading phase of the program, the file would be ingested and parsed, then operate like normal.

Acceptance criteria

How do we know when this work is done?

  • STIX files are properly ingested and queried
  • Python module follows cisagov coding conventions
  • Tests have been written to ensure future compliance

checksum

💡 Summary

Would you please provide chirp.exe checksum?

Uncaught exception in events plugin. FileNotFound error if eventlog not present.

πŸ› Summary

CHIRP stops running on server between 450000 and 500000 files processed.

To reproduce

Steps to reproduce the behavior:

  1. Download CHIRP.zip from "Releases"
  2. Extract all to C:\Temp\CHIRP
  3. Run chirp as administrator
  4. It starts, but eventually stops processing.

I noticed CPU usage reduces to nothing across all CHIRP processes. Let it sit for about 3 hours and no progress. Pressing "Enter" key gives traceback error and the process dies.

Expected behavior

Expected process to complete successfully.

Yara IoCs identifying themselves

πŸ› Summary

Run on Windows 10 system from downloaded folder location.
Folder name changed to v1.0.2

I noticed this on one of my work systems that I was running the script through. Then ran on a personal non-connected system and received a similar response.

Steps to reproduce the behavior:

System Details: Windows 10, Installed VS Build Tools and Python v3.9.2

  1. Download Chirp from GitHub
  2. Change name of zip to "chirp v1.0.2.zip"
  3. Extract Zip
  4. Install via PowerShell with python install command
  5. Run via PowerShell CLI as "python chirp.py"
  6. Wait for report

Expected behavior

YARA indicated file is from Chirp script directory, not base system itself. I would have expected any reported files to be outside of this directory.

Any helpful log output or screenshots

{"CrowdStrike Sunspot": {"description": "\"Identifies Sunspot backdoor dropper utilizing unique strings in key encryption material, mutexes, and logging.\"\n", "confidence": 10, "matches": [{"meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}", "namespace": "CrowdStrike Sunspot", "rule": "CrowdStrike_SUNSPOT_02", "strings": "[(1197, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (1270, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]", "tags": "['artifact', 'stellarparticle', 'sunspot']", "file": "C:\\Users\\UserX\\Downloads\\chirp v1.0.2\\indicators\\crowdstrike_sunspot.yaml"}]}}

Process Memory Plugin

💡 Summary

A plugin to inspect process memory would be helpful to detect a variety of injections including Cobalt Strike beacons and the like.

Motivation and context

Bad guys like cobalt strike and in-memory implants

Implementation notes

Passing the pid to the python yara bindings and having a set of rules specific to the module would be helpful, with the option to leverage pe-sieve. Maybe a config to limit the processes.

Acceptance criteria

functioning plugin

Unable to read dns records

πŸ› Summary

Ran CHIRPv1.06 and get error message about dns records not being read. The scan tool continues through and completes. However, I'm not sure if the network.json file coming back with nothing is a valid result or if the error is impacting the scan results.

When I manually perform the ipconfig /displaydns command, the dns records are displayed.

To reproduce

Download CHIRP.zip, extract to folder, double click chirp.exe
This is on a Windows 2012R2 Server.

Expected behavior

Scan should run, process dns records found and continue with all other scans until successfully completed.

Any helpful log output or screenshots

Error message:

15:29:23 EVENTS Reading Security event logs. scan.py:69
15:29:24 ERROR Unable to read dns records returned by network.py:41
ipconfig /displaydns
NETWORK Read 28 records, found 0 IoC hits. scan.py:56
REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wind scan.py:65
ows\CurrentVersion\sibot
REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wind registry.py:93
ows\CurrentVersion\sibot does not exist.
REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65
REGISTRY Reading scan.py:65
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options
REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47
REGISTRY Found 0 hit(s) for Teardrop - Registry Activity scan.py:47
indicator.
REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47
YARA Enumerating the entire filesystem due to run.py:161
['simpleseesharp : Webshell Unclassified',
'reGeorgTunnel : Webshell Commodity', 'sportsball
: Webshell', 'Detection for the use of procdump to
dump LSASS process memory.', 'CISA Solar Fire',
'CISA Teardrop', 'CrowdStrike Rempack',
'CrowdStrike Sunspot', 'FireEye Cosmic Gale',
'FireEye Sunburst']... this is going to take a
while.
15:29:24 EVENTS Reading Application event logs. scan.py:69
15:29:26 YARA Beginning processing. run.py:109

UnicodeEncodeError on Win2016 Std

πŸ› Summary

Getting errors when executing scan v.1.06 on Win2016 Std. Scan appears to be frozen in place. Please see output below.

To reproduce

  1. Extract zip
  2. Browse to chirp.exe
  3. Double click chirp.exe

Expected behavior

Run all scans to completion

Any helpful log output or screenshots

10:36:43 NETWORK  Read 128 records, found 0 IoC hits.                                                        scan.py:56
10:36:44 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot                 scan.py:65
         REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
         REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF                                          scan.py:65
         REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution scan.py:65
                  Options\
         REGISTRY Found 0 hit(s) for Sibot - Registry indicator.                                             scan.py:47
         REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator.                                 scan.py:47
         REGISTRY Found 0 hit(s) for IFEO Persistence indicator.                                             scan.py:47
         YARA     Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified',        run.py:161
                  'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of
                  procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike
                  Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is
                  going to take a while.
10:36:44 EVENTS   Reading Windows Powershell event logs.                                                     scan.py:69
10:36:44 EVENTS   Reading Security event logs.                                                               scan.py:69
10:37:22 EVENTS   Reading KernelMode event logs.                                                             scan.py:69
         EVENTS   Reading Application event logs.                                                            scan.py:69
10:39:09 YARA     Beginning processing.                                                                      run.py:109
10:51:40 YARA     We're still working on scanning files. 50000 processed.                                    run.py:111
10:59:54 ERROR   multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 122, in _run
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 125, in worker
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 48, in mapstar
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 132, in _run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 2045, in error
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1471, in error
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1585, in _log
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1595, in handle
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1657, in callHandlers
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 950, in handle
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\logging.py", line 153, in emit
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1506, in print
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 776, in __exit__
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 735, in _exit_buffer
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1695, in _check_buffer
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 41, in write
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 162, in write
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 187, in write_and_convert
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 195, in write_plain_text
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed
*** You may need to add PYTHONIOENCODING=utf-8 to your environment ***
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp.py", line 17, in <module>
    run.run()
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 20, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 30, in run_plugins
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py", line 616, in run_until_complete
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 44, in _run_coroutines
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 178, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 448, in <genexpr>
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 868, in next
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed

Program freezes after scan complete

πŸ› Summary

CHIRP should print it has completed then runs input() to hold the window until a user presses another button, however the process hangs after all scans have completed.

To reproduce

Steps to reproduce the behavior:

  1. Run chirp.exe

Expected behavior

CHIRP should only hang until a key is pressed.

Asynchronous plugins writing to console buffer simultaneously

πŸ› Summary

Multiple asynchronous plugins occasionally write to the console buffer simultaneously despite efforts made to queue output in chirp.common.

To reproduce

Steps to reproduce the behavior:

  1. Run Chirp.exe

This behavior is sporadic and difficult to replicate.

Expected behavior

Console output should happen iteratively, without writing over itself.

Non-zero Exit on IOC's Discovered in Non-interactive Mode

💡 Summary

Use non-zero exit when IOC's are discovered in non-interactive mode to enhance automatic workflows.

Motivation and context

Common tooling in automatic workflows involves using non-zero exit codes to enable decision making after process completion. Using additional exit codes would enhance CISA CHIRP's ability to be used within these contexts.

Implementation notes

CISA CHIRP would run plugins to completion and use reports to determine whether IOC's discovered is greater than 0. If any IOC's were discovered from the reports, we'd exit with a non-zero sys.exit(1) (see below).

Use the following exit codes for status indications (i.e. sys.exit(number)):

  • 0 == successful completion, no IOC's detected
  • 1 == successful completion, IOC's detected
  • 2 == unsuccessful completion (errors, unexpectedly incomplete run, etc)

Avoiding specifics about IOC's detected in logs may be beneficial (as otherwise public- or near-public display of this information may be a vulnerability or liability). Propose using generic log message (or no log message at all, solely relying on exit code) to indicate IOC's were discovered but remove specific mention of which ones. Open to thoughts or suggestions here!

Acceptance criteria

  • CISA CHIRP runs all specified plugins through to report completion
  • Successful run with no IOC's detected from reports emits exit code 0
  • Successful run with IOC's detected from reports emits exit code 1
  • Unsuccessful run (errors, unexpectedly incomplete, etc) emits exit code 2

Fix dynamic plugin loading for compiled version of CHIRP

πŸ› Summary

For dynamic plugins, we have to:

  • Include the package in setup.py
  • Require the install of packages in setup.py
  • Import the packages from run.py

There should be some fix to handle the dynamic nature of our plugin system in compilation, but is still unknown.

Files not found after scans

πŸ› Summary

Program scans files then appears to hang (already addressed in issue #8). After pressing one or more keys, "Traceback" is produced with multiple "[Errno 2] No such file or directory" and references to %temp%\onefile_dddd_ddd ...ddd

To reproduce

Program was run on virtual Server 2012
User logged in using RDP
Powershell run as admin
cd to Location of downloaded files: C:\Support\Chirp

Expected behavior

Expected program to end normally and produce report

Any helpful log output or screenshots

Output hard to read with current colours so ..

C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp.py:14 in

[Errno 2] No such file or directory:
'C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp.py'

C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\run.py:19 in run

[Errno 2] No such file or directory:
'C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\run.py'

C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\run.py:29 in run_plugins

[Errno 2] No such file or directory:
'C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\run.py'

C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\asyncio\base_events.py:642 in run_until_complete

[Errno 2] No such file or directory:
'C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\asyncio\base_events.py'

C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\run.py:43 in _run_coroutines

[Errno 2] No such file or directory:
'C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\run.py'

C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\plugins\events\scan.py:128 in run

[Errno 2] No such file or directory:
'C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\plugins\events\scan.py'

C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\aiomultiprocess\pool.py:145 in results_generator

[Errno 2] No such file or directory:
'C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\aiomultiprocess\pool.py'

C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\aiomultiprocess\pool.py:308 in results

[Errno 2] No such file or directory:
'C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\aiomultiprocess\pool.py'

ProxyException: Traceback (most recent call last):
File "C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\aiomultiprocess\pool.py", line 110, in run
File "C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\plugins\events\scan.py", line 73, in _run
File "C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\plugins\events\events.py", line 98, in gather
File "C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\plugins\events\events.py", line 67, in process_files
File "C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\chirp\plugins\events\evtx2json.py", line 160, in iter_evtx2xml
File "C:\Users\DASTAF1\AppData\Local\Temp\ONEFIL2\Evtx\Evtx.py", line 66, in enter
FileNotFoundError: [Errno 2] No such file or directory:
'C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx'

Seems CHIRP is Visual Studio dependent.

πŸ› Summary

Requires visual studio to run, not all systems can have that on the system.

To reproduce

Steps to reproduce the behavior:

  1. Tried to run on WinSrv2016 without Visual Studio and failed to run.
  2. Ran on a system with Visual studio and was successful.

Expected behavior

I was expecting the CHIRP.exe tool to run.

v1.0.2b - 'mountvol' is not recognized as an internal or external command, operable program or batch file.

πŸ› Summary

When running the python code, this error is immediately displayed and appears to affect subsequent operations (scan appears to hang):

C:\ARTemp\chirp\LATEST\CHIRP-main>C:\Users\rsmit\AppData\Local\Programs\Python\Python39-32\python.exe chirp.py
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
┌───────────────────────────────── Traceback (most recent call last) ────────────────────────────────┐
│ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp.py:16 in 'mountvol' is not recognized as an internal or external command,
operable program or batch file.
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
│
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
│ │'mountvol' is not recognized as an internal or external command,
operable program or batch file.

│ 13 if __name__ == "__main__": │
│ 14 │ try: │
│ 15 │ │ freeze_support() │
│ > 16 │ │ run.run() │
│ 17 │ │ time.sleep(2) │
│ 18 │ │ CONSOLE( │
│ 19 │ │ │ "[green][+][/green] DONE! Your results can be found in {}. Press any key to │
│ │
│ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:19 in run │
│ │
│ 16 │ if not os.path.exists(OUTPUT_DIR): │
│ 17 │ │ os.mkdir(OUTPUT_DIR) │
│ 18 │ plugins = loader.load() │
│ > 19 │ run_plugins(plugins) │
│ 20 │
│ 21 │
│ 22 def run_plugins(plugins: Dict[str, Callable]) -> None: │
│ │
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
│ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:29 in run_plugins │
│ │
│ 26 │ 'mountvol' is not recognized as an internal or external command,
operable program or batch file.
:type plugins: Dict[str, Callable] │
│ 27 │ """ │
│ 28 │ _loop = asyncio.get_event_loop() │
│ > 29 │ _loop.run_until_complete(_run_coroutines(plugins)) │
│ 30 │
│ 31 │
│ 32 async def _run_coroutines(plugins: Dict[str, Callable]) -> None: │
│ │
│ C:\Users\rsmit\AppData\Local\Programs\Python\Python39-32\lib\asyncio\base_events.py'mountvol' is not recognized as an internal or external command,
operable program or batch file.
:642 in │
│ run_until_complete │
│ │
│ 639 │ │ if not future.done(): │
│ 640 │ │ │ raise RuntimeError('Event loop stopped before Future completed.') │
│ 641 │ │ │
'mountvol' is not recognized as an internal or external command,
operable program or batch file.
│ > 642 │ │ return future.result() │
│ 643 │ │
│ 644 │ def stop(self): │
│ 645 │ │ """Stop running the event loop. │
│ │
│ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:43 in _run_coroutines │
│ │
│ 40 │ │ │ load.from_yaml(get_indicators()), list(plugins.keys()) │
│ 41 │ │ ) │
│ 42 │ ) │
│ > 43 │ await asyncio.gather( │
│ 44 │ │ *[ │
│ 45 │ │ │ entrypoint( │
│ 46 │ │ │ │ [ │
│ │
│ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\plugins\events\scan.py:129 in run │
│ │
│ 126 │ async with aiomp.Pool() as pool: │
│ 127 │ │ try: │
│ 128 │ │ │ async for i in pool.map(_run, tuple(run_args)): │
│ > 129 │ │ │ │ _rep = i[0] │
│ 130 │ │ │ │ num_logs += i[1] │
│ 131 │ │ │ │ for k, v in _rep.items(): │
│ 132 │ │ │ │ │ try: │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
TypeError: 'NoneType' object is not subscriptable
[07:36:38] [!] We can't find windows event logs at their standard path. common.py:104
[EVENTS] Entered events plugin. common.py:104
[NETWORK] Entered network plugin. common.py:104
[NETWORK] Read 163 records, found 0 IoC hits. common.py:104
[REGISTRY] Entered registry plugin. common.py:104
[REGISTRY] Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot common.py:104
[REGISTRY] Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not common.py:104
exist.
[REGISTRY] Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF common.py:104
[REGISTRY] Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File common.py:104
Execution Options
[REGISTRY] Found 0 hit(s) for Sibot - Registry indicator. common.py:104
[REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator. common.py:104
[REGISTRY] Found 0 hit(s) for IFEO Persistence indicator. common.py:104
[YARA] Entered yara plugin. common.py:104
[YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', common.py:104
'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']...
this is going to take a while.
[07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
[07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
[07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
[YARA] Beginning processing. common.py:104
[07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
[07:36:40] [[07:36:40]! ] We can't find windows event logs at their standard path. [common.py!:104
] We can't find windows event logs at their standard path. common.py:104
[07:36:40] [!] We can't find windows event logs at their standard path. common.py:104
[07:36:40] [!] We can't find windows event logs at their standard path. common.py:104

To reproduce

  1. Download latest code
  2. Install with python.exe -m pip install -e .
  3. Run with python.exe chirp.py
  4. Observe output

Expected behavior

No mountvol error

Any helpful log output or screenshots

Paste the results here:

mountvol

Add any screenshots of the problem here.

Create PYPI Package with Modified Name to Avoid Typosquatting and Enable Wide Distribution

💡 Summary

"chirp" is already registered as a package name on PYPI, meaning someone may erroneously believe they're installing CISA's CHIRP but end up with https://pypi.org/project/chirp/ instead. In general, this may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). CISA could deploy a PYPI package as "cisa-chirp" to differentiate from other packages and protect against typosquatting (in addition to general confusion with other packages).

This seems to have been brought up and closed, but I'd like to resurface as an idea for consideration. Reference: #19

Motivation and context

In general, the package and project name similarities may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). Making a PYPI package available with another name and documenting it would be beneficial in securing the project and enable wide distribution via command line: "pip install <package name>".

Implementation notes

Propose including authority in the package name itself, for instance "cisa-chirp", to differentiate and provide trust in the package via PYPI.

Acceptance criteria

How do we know when this work is done?

  • Issuing the command "pip install <modified package name>" installs CISA's CHIRP project and enables it to be used on client machine.

CHIRP scanning its own files and reporting them as hits

πŸ› Summary

Seems like the CHIRP tool is scanning its own resources and showing them as hit counts in the final scan output.

To reproduce

Steps to reproduce the behavior:

  1. Download version 1.0.7 from the repository.
  2. Unzip it on your machine.
  3. Run the scan with defaults.
  4. Check the results - Yara indicator will show '1' Hit.

Expected behavior

What did you expect to happen that didn't?

The CHIRP tool might scan its own resources. However, they should be excluded from the output and final scan results.

Any helpful log output or screenshots

Paste the results here:

image

Add any screenshots of the problem here.

CHIRP crashing on Windows Server 2008 R2 (APPCRASH, KERNELBASE.dll)

πŸ› Summary

Program crashes with exception code c0000005

To reproduce

Steps to reproduce the behavior:

  1. Download Chirp.zip from GitHub
  2. Extract all files to folder
  3. Run gci -recurse | unblock-file on extracted folder
  4. Run .\chirp.exe

Expected behavior

Expected program to run. Instead got "chirp.exe has stopped working" error.

Any helpful log output or screenshots

Problem signature:
Problem Event Name: APPCRASH
Application Name: chirp.exe
Application Version: 0.0.0.0
Application Timestamp: 605393f8
Fault Module Name: KERNELBASE.dll
Fault Module Version: 6.1.7601.24545
Fault Module Timestamp: 5e0eb6bd
Exception Code: c0000005
Exception Offset: 0000000000001b44
OS Version: 6.1.7601.2.1.0.305.9
Locale ID: 3081
Additional Information 1: e040
Additional Information 2: e040c29db662d05b38ba55c14f951903
Additional Information 3: 97c4
Additional Information 4: 97c44f27c029744371d2d6b1e5a32dd4

Paste the results here:

Add any screenshots of the problem here.

Application Hangs after Traceback errors

πŸ› Summary

Traceback error comes up and app seems to freeze while trying to scan files during YARA section.

To reproduce

Log into Win2012R2 server as domain admin, go to chirp directory and kick off app via Powershell (admin mode) /.chirp.exe
Left the process running overnight. Following day found app window with errors:
Traceback errors (see attached).

CHIRP process still in Task Manager, but stuck at 0% CPU utilization.

This occurs on versions 1.03 and 1.04 on Win2012R2.

Ran version 1.05 on Win2012R2 and getting Traceback error with Unicode errors as shown below. This is preceded by Traceback lines that are identical with each occurrence.
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4544: invalid start byte
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4447: invalid start byte
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 3871: invalid start byte

Expected behavior

Tool is expected to run to completion.

Any helpful log output or screenshots

Win2012R2 CHIRP Error_Hangs

Version 1.05
PS C:\kworking\chirp> cd..
PS C:\kworking> cd chirp1.05
PS C:\kworking\chirp1.05> ./chirp.exe
16:20:23 EVENTS Reading Windows Powershell event logs. scan.py:69
16:20:24 EVENTS Reading KernelMode event logs. scan.py:69
EVENTS Reading Application event logs. scan.py:69
16:20:25 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot scan.py:65
REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65
REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options scan.py:65
REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47
REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator. scan.py:47
REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47
YARA Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified', 'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. run.py:141
16:20:49 EVENTS Reading Security event logs. scan.py:69
16:29:26 YARA Beginning processing. run.py:100
Traceback (most recent call last):
  File "C:\Users\<account>\AppData\Local\Temp\ONEFIL~3\chirp.py", line 17, in <module>
    run.run()
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 20, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 30, in run_plugins
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\asyncio\base_events.py", line 616, in run_until_complete
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 44, in _run_coroutines
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\network\scan.py", line 44, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\network\network.py", line 37, in parse_dns
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4544: invalid start byte
16:35:55 YARA We're still working on scanning files. 50000 processed. run.py:96
16:40:34 YARA We're still working on scanning files. 100000 processed. run.py:96
16:43:17 YARA We're still working on scanning files. 150000 processed. run.py:96
16:45:09 YARA We're still working on scanning files. 200000 processed. run.py:96

This is another Win2012R2 server, with CHIRP v1.05 - UnicodeError 0xff in position 4447 error.
11:05:40 EVENTS Reading KernelMode event logs. scan.py:69
EVENTS Reading Application event logs. scan.py:69
11:05:41 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot scan.py:65
REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65
REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options scan.py:65
REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47
REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator. scan.py:47
REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47
YARA Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified', 'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. run.py:141
11:09:35 YARA Beginning processing. run.py:100
Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp.py", line 17, in <module>
    run.run()
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 20, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 30, in run_plugins
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\asyncio\base_events.py", line 616, in run_until_complete
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 44, in _run_coroutines
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\plugins\network\scan.py", line 44, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~4\chirp\plugins\network\network.py", line 37, in parse_dns
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4447: invalid start byte
11:11:52 EVENTS Reading Windows Powershell event logs. scan.py:69
11:12:14 EVENTS Reading Security event logs. scan.py:69

Add any screenshots of the problem here.
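The UnicodeDecodeError in parse_dns above is what happens when console output is decoded as UTF-8 while the Windows console is writing OEM code-page bytes such as 0xff. What follows is an added example, not CHIRP's own code: it assumes the network plugin captures the output of ipconfig /displaydns as bytes, decodes it, and extracts the cached record names for IoC matching. The sample output is constructed, and the function names are mine.

```python
"""Decode Windows console output that is not guaranteed to be UTF-8.

Added example (not CHIRP's code). Strict UTF-8 is tried first so correct
output is never mangled; the console code pages come next; the last resort
keeps line structure and marks undecodable bytes with U+FFFD so the parser
still runs instead of the whole plugin dying on one byte.
"""
import os
import re
from typing import Iterable, List, Optional


def console_codepages() -> List[str]:
    """Codecs to try after UTF-8, most likely first.

    On Windows the live console output code page is asked for directly;
    elsewhere the common OEM and ANSI pages are used as a guess. cp437 can
    decode every byte value, so it is a safe last entry before giving up.
    """
    pages: List[str] = []
    if os.name == "nt":
        import ctypes  # Windows-only call, hence the local import
        pages.append("cp%d" % ctypes.windll.kernel32.GetConsoleOutputCP())
    pages.extend(["cp437", "cp1252"])
    return pages


def decode_console_output(raw: bytes, fallbacks: Optional[Iterable[str]] = None) -> str:
    """Return console bytes as text without ever raising UnicodeDecodeError."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        pass
    for codec in (console_codepages() if fallbacks is None else fallbacks):
        try:
            return raw.decode(codec)
        except (UnicodeDecodeError, LookupError):
            continue
    return raw.decode("utf-8", errors="replace")


# `ipconfig /displaydns` prints one "Record Name" line per cached entry.
_RECORD_NAME = re.compile(r"^\s*Record Name[ .]*:\s*(\S+)\s*$", re.MULTILINE)


def dns_cache_names(text: str) -> List[str]:
    """Cached record names: the values an IoC domain list is matched against."""
    return _RECORD_NAME.findall(text)


# Constructed sample output: two cached records, with a 0xFF byte (the byte
# the issue reports) inside a section header, as a localised console may emit.
SAMPLE_DISPLAYDNS = (
    b"\r\nWindows IP Configuration\r\n\r\n"
    b"    example.com\r\n"
    b"    ----------------------------------------\r\n"
    b"    Record Name . . . . . : example.com\r\n"
    b"    Record Type . . . . . : 1\r\n"
    b"    A (Host) Record . . . : 192.0.2.10\r\n\r\n"
    b"    fileserver.corp.example\xff\r\n"
    b"    ----------------------------------------\r\n"
    b"    Record Name . . . . . : fileserver.corp.example\r\n"
    b"    Record Type . . . . . : 1\r\n"
    b"    A (Host) Record . . . : 192.0.2.20\r\n"
)


def parse_dns_cache(raw: bytes) -> List[str]:
    """Decode, then parse: the order a robust plugin does it in."""
    return dns_cache_names(decode_console_output(raw))


if __name__ == "__main__":
    print(parse_dns_cache(SAMPLE_DISPLAYDNS))
```

Decoding with the console's own code page rather than errors="ignore" matters for the matching step: dropping or replacing bytes inside a record name would silently change the string that is compared against the indicator list, so the lossy fallback is kept as the very last resort only.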

Ability to choose which IOCs to scan for.

💡 Summary

Add the ability to choose which IOCs to scan for.

Motivation and context

I started using this tool to look for IOCs related to the recent Exchange server vulnerabilities. The SolarWinds IOCs, albeit helpful to have, are of no use to me in those environments. It would be nice to select only the IOCs that pertain to the environment which you are scanning.

It would be helpful not only from a convenience factor, but also I would imagine it would speed up the scanning speed somewhat, depending on how many IOCs there are to look for obviously.

Implementation notes

I think this could be implemented via a command-line switch. For example, if you only wanted to look for SolarFire IOCs:
chirp.exe -i cisa_solarfire

Another option might be if you wanted to run all the cisa IOCs (cisa_raindrop, cisa_solarfire, cisa_sunshuttle, etc..);
chirp.exe -i cisa

Acceptance criteria

How do we know when this work is done?

  • Specific IOCs can be scanned for by specifying the indicator filename or group by way of a command-line switch (-i for example)
  • Changes follow cisagov coding conventions
  • Tests have been written to ensure future compliance

Setup File reputation is malicious!!??

Downloaded the latest version > unzipped > sandboxed the chirp.exe

Reports of being Malicious.

  • Open source sandboxing tool - cuckoo sandbox
  • and even VirusTotal in some cases

Has anyone verified it before running it in their environment?

Remove "Press any key to exit" / make runtime fully non-interactive

💡 Summary

Remove the "Press any key to exit" interactive prompt that occurs / add parameter to make the runtime of the EXE fully non-interactive.

[08:22:51] [+] DONE! Your results can be found in D:\output. Press any key to exit. common.py:104

Motivation and context

Why does this work belong in this project?

This would be useful because it would vastly increase the scope of the audience that is able to consume this tool. RMM tools used by MSPs do not cope with programs that require keyboard input, have interactive prompts, and have GUI-based pop-ups. If you want this tool to be used by the world, the tool must be able to run from 0 to 100 without stopping for input.

Implementation notes

Just remove any keyboard inputs OR add a parameter switch, i.e. "chirp.exe" -noprompt, to suppress all input prompts.

Acceptance criteria

How do we know when this work is done?

When "chirp.exe" can be executed without having to "press any key to exit" and it finishes running on its own (self-terminates/process end).

Exception Processing Message

πŸ› Summary

When running chirp.exe with defaults this error comes up multiple times even when hitting continue.

I ran chirp.exe from the extract folder of chirp running from C:\chirp\

Screenshot from 2021-04-08 19-02-49

Do you have any tips for running chirp via SCCM?

Do you have any tips for running chirp via SCCM?

It seems like it doesn’t run properly from an SMB share and also there doesn’t seem to be a way to capture the console output (even with a >)

This isn't a bug per se. Probably I'm just not using the console redirection, powershell scripting, or other context/environment aspects correctly, but the naive implementation isn't working.

(run from sccm scripts->)
cmd.exe /c "\\SHARE\chirp\chirp.exe -o \\SHARE\chirpout\test"

No dynamic pathing for events plugin

πŸ› Summary

Events plugin does not dynamically path to the winevts folder, but searches for the winevts folder in the current directory.

To reproduce

Steps to reproduce the behavior:

  1. Run chirp from a drive without winevts.

Expected behavior

CHIRP should search all available drives for a valid winevts folder.
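An added example (not CHIRP's own code) of what resolving the event-log directory against every mounted drive, rather than the working directory, can look like; it also covers the "We can't find windows event logs at their standard path" message in the traceback further up. It assumes the logs live under Windows\System32\winevt\Logs on whichever drive carries the OS; the directory tree that demo() builds is constructed so the lookup can be exercised on any host, and the function names are mine.

```python
"""Locate the Windows event-log directory on any mounted drive.

Added example, not CHIRP's code. Every candidate path is built from an
absolute drive root, so where the tool was launched from (a USB stick,
a network share, a temporary extraction directory) has no bearing on
where the logs are looked up.
"""
import os
import shutil
import string
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Standard location of the .evtx files, relative to a drive root (assumed).
EVTX_RELATIVE = Path("Windows") / "System32" / "winevt" / "Logs"


def mounted_drive_roots() -> List[Path]:
    """Drive roots present right now (Windows only; empty elsewhere)."""
    if os.name != "nt":
        return []
    return [Path(f"{letter}:\\") for letter in string.ascii_uppercase
            if Path(f"{letter}:\\").exists()]


def find_evtx_dir(roots: Optional[Iterable[Path]] = None) -> Optional[Path]:
    """Return the first root holding at least one .evtx file, else None.

    An empty winevt\\Logs directory (for example on a data drive that once
    held a Windows image) is deliberately not accepted.
    """
    for root in (mounted_drive_roots() if roots is None else roots):
        candidate = Path(root) / EVTX_RELATIVE
        if candidate.is_dir() and any(candidate.glob("*.evtx")):
            return candidate
    return None


def evtx_files(logs_dir: Path) -> List[Path]:
    """The log files to hand to the parser, in a stable order."""
    return sorted(logs_dir.glob("*.evtx"))


def demo() -> Dict[str, object]:
    """Build a constructed two-drive tree and run the lookup against it.

    Returns what a caller would check: the drive without an OS is skipped,
    the system drive is found, and only .evtx files are listed.
    """
    base = Path(tempfile.mkdtemp(prefix="evtx-demo-"))
    try:
        data_root = base / "D"      # stands in for a drive with no Windows on it
        system_root = base / "C"    # stands in for the drive carrying the OS
        data_root.mkdir()
        logs = system_root / EVTX_RELATIVE
        logs.mkdir(parents=True)
        for name in ("Security.evtx", "System.evtx"):
            # Constructed stand-in content; real files begin with the "ElfFile" magic.
            (logs / name).write_bytes(b"ElfFile\x00")
        (logs / "README.txt").write_text("not a log")
        found = find_evtx_dir([data_root, system_root])
        return {
            "data_root_skipped": find_evtx_dir([data_root]) is None,
            "found_under_system_root": found == logs,
            "files": [p.name for p in evtx_files(found)] if found else [],
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a live host the call is simply find_evtx_dir() with no arguments; passing an explicit list of roots is what makes the same logic testable offline and lets an analyst point it at a mounted image.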

Crowdstrike yaml rules create a false positive when the tool has been run twice.

πŸ› Summary

What's wrong? Please be specific.

To reproduce

Steps to reproduce the behavior:

  1. Run the CHIRP tool on a server
  2. Look at the results, they should show zero results or matches
  3. Run the CHIRP tool again
  4. The CHIRP Results show a false positive based on yaml rules

Expected behavior

What did you expect to happen that didn't?
No detected results when using the tool multiple times

Any helpful log output or screenshots

Paste the results here:

"CrowdStrike Sunspot": {
  "description": ""Identifies Sunspot backdoor dropper utilizing unique strings in key encryption material, mutexes, and logging."\n",
  "confidence": 10,
  "matches": [
    {
      "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}",
      "namespace": "CrowdStrike Sunspot",
      "rule": "CrowdStrike_SUNSPOT_02",
      "strings": "[(1155, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (1227, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]",
      "tags": "['artifact', 'stellarparticle', 'sunspot']",
      "file": "C:\$Recycle.Bin\S-1-5-21-1078081533-1897051121-xxxxxx-19038\xxxxx\crowdstrike_sunspot.yaml"
    },
    {
      "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}",
      "namespace": "CrowdStrike Sunspot",
      "rule": "CrowdStrike_SUNSPOT_02",
      "strings": "[(514, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (578, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]",
      "tags": "['artifact', 'stellarparticle', 'sunspot']",
      "file": "C:\Users\xxxxx\Desktop\Results\output\yara.json"
    }
  ]
}
}


Add any screenshots of the problem here.
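This report and the earlier "CHIRP scanning its own files" report are the same pattern: the YARA rules contain the very strings they look for, so the shipped indicator files, a previous run's yara.json, and deleted copies of either (here in $Recycle.Bin) all match. Below is an added example, not CHIRP's own code, of triaging hits by what the matched file is instead of silently dropping them. It assumes the tool runs from a known directory, ships its indicators as *.yaml files and writes yara.json to the -o directory; the directories, the indicator file names other than crowdstrike_sunspot.yaml and yara.json (both visible in the output above), and the hit records are constructed placeholders.

```python
"""Separate YARA hits on the tool's own files from hits on real scan targets.

Added example, not CHIRP's code. Self-matches are labelled and reported
under their own heading rather than deleted: a stray copy of the indicator
set in the Recycle Bin is still worth knowing about, but it is not a
compromise finding.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

TOOL_DIR = r"C:\chirp"                                   # extraction dir (placeholder)
OUTPUT_DIR = r"C:\Users\analyst\Desktop\Results\output"  # -o directory (placeholder)
# Indicator definition files shipped next to the tool. crowdstrike_sunspot.yaml
# appears in the issue; the other two are constructed names.
INDICATOR_FILES = {"crowdstrike_sunspot.yaml", "cisa_solarfire.yaml", "fireeye_sunburst.yaml"}
OUTPUT_FILES = {"yara.json"}  # assumed name of the results file


def _is_under(path: PureWindowsPath, root: str) -> bool:
    """True when path lies inside root; PureWindowsPath compares case-insensitively."""
    try:
        path.relative_to(PureWindowsPath(root))
        return True
    except ValueError:
        return False


def classify_hit(file_path: str, tool_dir: str = TOOL_DIR, output_dir: str = OUTPUT_DIR) -> str:
    """Label a hit by what the matched file is.

    tool_self     inside the directory the tool runs from (its own rules)
    prior_output  inside the output directory (an earlier run's yara.json)
    self_copy     a copy of a shipped indicator file or results file elsewhere,
                  e.g. an earlier extraction now sitting in the Recycle Bin
    scan_target   anything else: a finding that needs analyst triage
    """
    p = PureWindowsPath(file_path)
    if _is_under(p, tool_dir):
        return "tool_self"
    if _is_under(p, output_dir):
        return "prior_output"
    if p.name.lower() in INDICATOR_FILES or p.name.lower() in OUTPUT_FILES:
        return "self_copy"
    return "scan_target"


def triage_hits(hits: Iterable[dict]) -> Dict[str, List[dict]]:
    """Group hit records by label so each group can be reported separately."""
    groups: Dict[str, List[dict]] = {
        "scan_target": [], "tool_self": [], "prior_output": [], "self_copy": []
    }
    for hit in hits:
        groups[classify_hit(hit["file"])].append(hit)
    return groups


# Constructed hit records in the shape of the "matches" entries above.
SAMPLE_HITS = [
    {"rule": "CrowdStrike_SUNSPOT_02", "file": r"C:\chirp\indicators\crowdstrike_sunspot.yaml"},
    {"rule": "CrowdStrike_SUNSPOT_02", "file": r"C:\Users\analyst\Desktop\Results\output\yara.json"},
    {"rule": "CrowdStrike_SUNSPOT_02",
     "file": r"C:\$Recycle.Bin\S-1-5-21-PLACEHOLDER-1001\$RABC123\crowdstrike_sunspot.yaml"},
    {"rule": "CrowdStrike_SUNSPOT_02", "file": r"C:\ProgramData\example\unknown.bin"},
]


def findings(hits: Iterable[dict] = SAMPLE_HITS) -> List[str]:
    """File paths that remain as findings once self-matches are set aside."""
    return [h["file"] for h in triage_hits(hits)["scan_target"]]


if __name__ == "__main__":
    for label, group in triage_hits(SAMPLE_HITS).items():
        print(label, [h["file"] for h in group])
```

Excluding TOOL_DIR and OUTPUT_DIR from the filesystem walk would save scan time as well, but the name-based self_copy label is still needed for copies that live anywhere else, which is exactly the Recycle Bin case in this report.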
