A forensic collection tool written in Python.

Overview

CISA logo

CHIRP

Status GitHub Issues GitHub Pull Requests License


A forensic collection tool written in Python.

Watch the video overview

๐Ÿ“ Table of Contents

๐Ÿง About

The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.

The initial IoCs are intended to search for activity detailed in CISA Alert AA21-008A that has spilled into the enterprise environment.

๐Ÿ Getting Started

We build and release CHIRP via Releases. However, if you wish to run with Python3.6+, follow these instructions.

You can also write new indicators or plugins for CHIRP.

Prerequisites

Python 3.6 or greater is required to run CHIRP with Python. If you need help installing Python in your environment, follow the instructions here

CHIRP must be run on a live machine, but it does not have to be network connected. Currently, CHIRP must run on the drive containing winevt logs. Shortly after release, this will be updated so CHIRP can run from any drive.

Installing

python3 -m pip install -e .

In our experience, yara-python comes with some other dependencies. You MAY have to install Visual Studio C++ 14.0 and the Windows 10 SDK, this can be retrieved with Visual Studio Community

๐ŸŽˆ Usage

From release

.\chirp.exe

From python

python3 chirp.py

Example output

[15:32:19] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye       common.py:103
           Cosmic Gale', 'FireEye Sunburst']... this is going to take a while.
           [YARA] Entered yara plugin.                                                                                                                       common.py:103
           [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator.                                                                                         common.py:103
           [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator.                                                                             common.py:103
           [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator.
           ...
           ...
           ...
           [+] Done! Your results can be found at Z:\README\output.

โ›๏ธ Built Using

  • Python - Language
  • Nuitka - For compilation
  • evtx2json - For event log access
  • yara-python - Parses and runs yara rules
  • rich - Makes the CLI easier on the eyes
  • psutil - Provides an easy API for many OS functions

โœ๏ธ Authors

๐ŸŽ‰ Acknowledgements

๐Ÿค Contributing

We welcome contributions! Please see here for details.

๐Ÿ“ License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

โš–๏ธ Legal Disclaimer

NOTICE

This software package (โ€œsoftwareโ€ or โ€œcodeโ€) was created by the United States Government and is not subject to copyright within the United States. All other rights are reserved. You may use, modify, or redistribute the code in any manner. However, you may not subsequently copyright the code as it is distributed. The United States Government makes no claim of copyright on the changes you effect, nor will it restrict your distribution of bona fide changes to the software. If you decide to update or redistribute the code, please include this notice with the code. Where relevant, we ask that you credit the Cybersecurity and Infrastructure Security Agency with the following statement: โ€œOriginal code developed by the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security.โ€

USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.

THIS SOFTWARE IS OFFERED โ€œAS-IS.โ€ THE UNITED STATES GOVERNMENT WILL NOT INSTALL, REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.

Comments
  • UnicodeEncodeError on Win2016 Std

    UnicodeEncodeError on Win2016 Std

    ๐Ÿ› Summary

    Getting errors when executing scan v.1.06 on Win2016 Std. Scan appears to be frozen in place. Please see output below.

    To reproduce

    1.Extract zip 2. Browse to chirp.exe 3. Double click chirp.exe

    Expected behavior

    Run all scans to completion

    Any helpful log output or screenshots

    10:36:43 NETWORK  Read 128 records, found 0 IoC hits.                                                        scan.py:56
    10:36:44 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot                 scan.py:65
             REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
             REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF                                          scan.py:65
             REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution scan.py:65
                      Options\
             REGISTRY Found 0 hit(s) for Sibot - Registry indicator.                                             scan.py:47
             REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator.                                 scan.py:47
             REGISTRY Found 0 hit(s) for IFEO Persistence indicator.                                             scan.py:47
             YARA     Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified',        run.py:161
                      'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of
                      procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike
                      Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is
                      going to take a while.
    10:36:44 EVENTS   Reading Windows Powershell event logs.                                                     scan.py:69
    10:36:44 EVENTS   Reading Security event logs.                                                               scan.py:69
    10:37:22 EVENTS   Reading KernelMode event logs.                                                             scan.py:69
             EVENTS   Reading Application event logs.                                                            scan.py:69
    10:39:09 YARA     Beginning processing.                                                                      run.py:109
    10:51:40 YARA     We're still working on scanning files. 50000 processed.                                    run.py:111
    10:59:54 ERROR   multiprocessing.pool.RemoteTraceback:
    """
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 122, in _run
    UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 125, in worker
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 48, in mapstar
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 132, in _run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 2045, in error
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1471, in error
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1585, in _log
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1595, in handle
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1657, in callHandlers
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 950, in handle
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\logging.py", line 153, in emit
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1506, in print
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 776, in __exit__
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 735, in _exit_buffer
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1695, in _check_buffer
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 41, in write
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 162, in write
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 187, in write_and_convert
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 195, in write_plain_text
    UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed
    *** You may need to add PYTHONIOENCODING=utf-8 to your environment ***
    """
    
    The above exception was the direct cause of the following exception:
    
    Traceback (most recent call last):
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp.py", line 17, in <module>
        run.run()
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 20, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 30, in run_plugins
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py", line 616, in run_until_complete
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 44, in _run_coroutines
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 178, in run
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 448, in <genexpr>
      File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 868, in next
    UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed
    
    bug need info 
    opened by RITOps 32
  • CHIRP crashing on Windows Server 2008 R2 (APPCRASH, KERNELBASE.dll)

    CHIRP crashing on Windows Server 2008 R2 (APPCRASH, KERNELBASE.dll)

    ๐Ÿ› Summary

    Program crashes with exception code c0000005

    To reproduce

    Steps to reproduce the behavior:

    Download Chirp.zip from GitHub Extract all files to folder Run gci -recurse | unblock-file on extracted folder Run .\chirp.exe

    Expected behavior

    Expected program to run. Instead got "chirp.exe has stopped working" error.

    Any helpful log output or screenshots

    Problem signature: Problem Event Name: APPCRASH Application Name: chirp.exe Application Version: 0.0.0.0 Application Timestamp: 605393f8 Fault Module Name: KERNELBASE.dll Fault Module Version: 6.1.7601.24545 Fault Module Timestamp: 5e0eb6bd Exception Code: c0000005 Exception Offset: 0000000000001b44 OS Version: 6.1.7601.2.1.0.305.9 Locale ID: 3081 Additional Information 1: e040 Additional Information 2: e040c29db662d05b38ba55c14f951903 Additional Information 3: 97c4 Additional Information 4: 97c44f27c029744371d2d6b1e5a32dd4

    Paste the results here:

    
    

    Add any screenshots of the problem here.

    bug 
    opened by DASCert 18
  • [EVENTS] Read 0 logs, found 0 matches

    [EVENTS] Read 0 logs, found 0 matches

    ๐Ÿ› Summary

    From CLI output, I see this line:

    [09:33:29] [EVENTS] Read 0 logs, found 0 matches. common.py:103

    To reproduce

    Steps to reproduce the behavior:

    1. Run Executable as administrator
    2. Observe output

    Expected behavior

    [09:33:29] [EVENTS] Read NNNN logs, found x matches. common.py:103

    Any helpful log output or screenshots

    Paste the results here:

    [09:30:18] [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', common.py:103 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. [YARA] Entered yara plugin. common.py:103 [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator. common.py:103 [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator. common.py:103 [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator. common.py:103 [REGISTRY] Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File common.py:103 Execution Options
    [REGISTRY] Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF common.py:103 [REGISTRY] Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not common.py:103 exist. [REGISTRY] Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot common.py:103 [REGISTRY] Entered registry plugin. common.py:103 [NETWORK] Read 327 records, found 0 IoC hits. common.py:103 [NETWORK] Entered network plugin. common.py:103 [EVENTS] Entered events plugin. common.py:103 [09:30:36] [EVENTS] Reading KernelMode event logs. common.py:103 [EVENTS] Reading Security event logs. common.py:103 [EVENTS] Reading Windows Powershell event logs. common.py:103 [09:33:27] [YARA] Beginning processing. common.py:103 [09:33:29] [EVENTS] Read 0 logs, found 0 matches. common.py:103 [09:34:23] [YARA] We're still working on scanning files. 50000 processed. common.py:103 [09:35:17] [YARA] We're still working on scanning files. 100000 processed. common.py:103 [09:36:17] [YARA] We're still working on scanning files. 150000 processed. common.py:103 [09:36:43] [YARA] We're still working on scanning files. 200000 processed. common.py:103 [09:37:29] [YARA] We're still working on scanning files. 250000 processed. common.py:103 [09:38:07] [YARA] We're still working on scanning files. 300000 processed. common.py:103 [09:38:39] [YARA] We're still working on scanning files. 350000 processed. common.py:103 [09:39:27] [YARA] We're still working on scanning files. 400000 processed. common.py:103 [09:39:51] [YARA] We're still working on scanning files. 450000 processed. common.py:103 [09:40:17] [YARA] We're still working on scanning files. 500000 processed. common.py:103 [09:40:41] [YARA] We're still working on scanning files. 550000 processed. common.py:103 [09:41:13] [YARA] We're still working on scanning files. 600000 processed. common.py:103 [09:42:07] [YARA] We're still working on scanning files. 650000 processed. common.py:103 [09:42:47] [YARA] We're still working on scanning files. 700000 processed. common.py:103 [09:43:15] [YARA] We're still working on scanning files. 750000 processed. common.py:103 [09:43:45] [+] DONE! Your results can be found in C:\ARTemp issue \chirp\output. common.py:103 [YARA] Found 0 hit(s) for yara indicators. common.py:103 [YARA] Done. Processed 796957 files. common.py:103

    Add any screenshots of the problem here.

    bug 
    opened by rsmith16384 14
  • Application Hangs after Traceback errors

    Application Hangs after Traceback errors

    ๐Ÿ› Summary

    Traceback error comes up and app seems to freeze while trying to scan files during YARA section.

    To reproduce

    Log into Win2012R2 server as domain admin, go to chirp directory and kick off app via Powershell (admin mode) /.chirp.exe Left the process running overnight. Following day found app window with errors: Traceback errors (see attached).

    CHIRP process still in Task Manager, but stuck at 0% CPU utilization.

    This occurs on version 1.03 and 1.04 on Win2012R2

    Ran version 1.05 on Win2012R2 and getting Traceback error with Unicode errors as shown below. This is preceded by Traceback lines that are identical with each occurrence. UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4544: invalid start byte UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4447: invalid start byte UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 3871: invalid start byte

    Expected behavior

    Tool is expected to run to completion.

    Any helpful log output or screenshots

    Win2012R2 CHIRP Error_Hangs

    Version 1.05 PS C:\kworking\chirp> cd.. PS C:\kworking> cd chirp1.05 PS C:\kworking\chirp1.05> ./chirp.exe 16:20:23 EVENTS Reading Windows Powershell event logs. scan.py:69 16:20:24 EVENTS Reading KernelMode event logs. scan.py:69 EVENTS Reading Application event logs. scan.py:69 16:20:25 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot scan.py:65 REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93 REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65 REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution scan.py:65 Options
    REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47 REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator. scan.py:47 REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47 YARA Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified', run.py:141 'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. 16:20:49 EVENTS Reading Security event logs. scan.py:69 16:29:26 YARA Beginning processing. run.py:100 Traceback (most recent call last): File "C:\Users<account>\AppData\Local\Temp\ONEFIL~3\chirp.py", line 17, in run.run() File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 20, in run File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 30, in run_plugins File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\asyncio\base_events.py", line 616, in run_until_complete File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 44, in _run_coroutines File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\network\scan.py", line 44, in run File "C:\Users<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\network\network.py", line 37, in parse_dns UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4544: invalid start byte 16:35:55 YARA We're still working on scanning files. 50000 processed. run.py:96 16:40:34 YARA We're still working on scanning files. 100000 processed. run.py:96 16:43:17 YARA We're still working on scanning files. 150000 processed. run.py:96 16:45:09 YARA We're still working on scanning files. 200000 processed. run.py:96

    This is another Win2012R2 server, with CHIRP v1.05 - UnicodeError 0xff in position 4447 error. 11:05:40 EVENTS Reading KernelMode event logs. scan.py:69 EVENTS Reading Application event logs. scan.py:69 11:05:41 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wind scan.py:65 ows\CurrentVersion\sibot REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wind registry.py:93 ows\CurrentVersion\sibot does not exist. REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65 REGISTRY Reading scan.py:65 HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47 REGISTRY Found 0 hit(s) for Teardrop - Registry Activity scan.py:47 indicator. REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47 YARA Enumerating the entire filesystem due to run.py:141 ['simpleseesharp : Webshell Unclassified', 'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. 11:09:35 YARA Beginning processing. run.py:100 Traceback (most recent call last): File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp.py", line 17, in run.run() File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 20, in r un File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 30, in r un_plugins File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\asyncio\base_events.py", lin e 616, in run_until_complete File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\run.py", line 44, in _ run_coroutines File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\plugins\network\scan.p y", line 44, in run File "C:\Users<username>\AppData\Local\Temp\ONEFIL~4\chirp\plugins\network\networ k.py", line 37, in parse_dns UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 4447: inval id start byte 11:11:52 EVENTS Reading Windows Powershell event logs. scan.py:69 11:12:14 EVENTS Reading Security event logs. scan.py:69

    Add any screenshots of the problem here.

    bug 
    opened by RITOps 7
  • v1.0.2b - 'mountvol' is not recognized as an internal or external command, operable program or batch file.

    v1.0.2b - 'mountvol' is not recognized as an internal or external command, operable program or batch file.

    ๐Ÿ› Summary

    What's wrong? Please be specific.

    When running the python code, this error is immediately displayed and appears to affect subsequent operations (scan appears to hang):

    C:\ARTemp\chirp\LATEST\CHIRP-main>C:\Users\rsmit\AppData\Local\Programs\Python\Python39-32\python.exe chirp.py 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ Traceback (most recent call last) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp.py:16 in 'mountvol' is not recognized as an internal or external command, operable program or batch file. 'mountvol' is not recognized as an internal or external command, operable program or batch file. โ”‚ 'mountvol' is not recognized as an internal or external command, operable program or batch file. โ”‚ โ”‚'mountvol' is not recognized as an internal or external command, operable program or batch file.

    โ”‚ 13 if name == "main": โ”‚ โ”‚ 14 โ”‚ try: โ”‚ โ”‚ 15 โ”‚ โ”‚ freeze_support() โ”‚ โ”‚ > 16 โ”‚ โ”‚ run.run() โ”‚ โ”‚ 17 โ”‚ โ”‚ time.sleep(2) โ”‚ โ”‚ 18 โ”‚ โ”‚ CONSOLE( โ”‚ โ”‚ 19 โ”‚ โ”‚ โ”‚ "[green][+][/green] DONE! Your results can be found in {}. Press any key to โ”‚ โ”‚ โ”‚ โ”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:19 in run โ”‚ โ”‚ โ”‚ โ”‚ 16 โ”‚ if not os.path.exists(OUTPUT_DIR): โ”‚ โ”‚ 17 โ”‚ โ”‚ os.mkdir(OUTPUT_DIR) โ”‚ โ”‚ 18 โ”‚ plugins = loader.load() โ”‚ โ”‚ > 19 โ”‚ run_plugins(plugins) โ”‚ โ”‚ 20 โ”‚ โ”‚ 21 โ”‚ โ”‚ 22 def run_plugins(plugins: Dict[str, Callable]) -> None: โ”‚ โ”‚ โ”‚ 'mountvol' is not recognized as an internal or external command, operable program or batch file. โ”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:29 in run_plugins โ”‚ โ”‚ โ”‚ โ”‚ 26 โ”‚ 'mountvol' is not recognized as an internal or external command, operable program or batch file. :type plugins: Dict[str, Callable] โ”‚ โ”‚ 27 โ”‚ """ โ”‚ โ”‚ 28 โ”‚ _loop = asyncio.get_event_loop() โ”‚ โ”‚ > 29 โ”‚ _loop.run_until_complete(_run_coroutines(plugins)) โ”‚ โ”‚ 30 โ”‚ โ”‚ 31 โ”‚ โ”‚ 32 async def _run_coroutines(plugins: Dict[str, Callable]) -> None: โ”‚ โ”‚ โ”‚ โ”‚ C:\Users\rsmit\AppData\Local\Programs\Python\Python39-32\lib\asyncio\base_events.py'mountvol' is not recognized as an internal or external command, operable program or batch file. :642 in โ”‚ โ”‚ run_until_complete โ”‚ โ”‚ โ”‚ โ”‚ 639 โ”‚ โ”‚ if not future.done(): โ”‚ โ”‚ 640 โ”‚ โ”‚ โ”‚ raise RuntimeError('Event loop stopped before Future completed.') โ”‚ โ”‚ 641 โ”‚ โ”‚ โ”‚ 'mountvol' is not recognized as an internal or external command, operable program or batch file. โ”‚ > 642 โ”‚ โ”‚ return future.result() โ”‚ โ”‚ 643 โ”‚ โ”‚ โ”‚ 644 โ”‚ def stop(self): โ”‚ โ”‚ 645 โ”‚ โ”‚ """Stop running the event loop. โ”‚ โ”‚ โ”‚ โ”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\run.py:43 in _run_coroutines โ”‚ โ”‚ โ”‚ โ”‚ 40 โ”‚ โ”‚ โ”‚ load.from_yaml(get_indicators()), list(plugins.keys()) โ”‚ โ”‚ 41 โ”‚ โ”‚ ) โ”‚ โ”‚ 42 โ”‚ ) โ”‚ โ”‚ > 43 โ”‚ await asyncio.gather( โ”‚ โ”‚ 44 โ”‚ โ”‚ *[ โ”‚ โ”‚ 45 โ”‚ โ”‚ โ”‚ entrypoint( โ”‚ โ”‚ 46 โ”‚ โ”‚ โ”‚ โ”‚ [ โ”‚ โ”‚ โ”‚ โ”‚ C:\ARTemp\chirp\LATEST\CHIRP-main\chirp\plugins\events\scan.py:129 in run โ”‚ โ”‚ โ”‚ โ”‚ 126 โ”‚ async with aiomp.Pool() as pool: โ”‚ โ”‚ 127 โ”‚ โ”‚ try: โ”‚ โ”‚ 128 โ”‚ โ”‚ โ”‚ async for i in pool.map(_run, tuple(run_args)): โ”‚ โ”‚ > 129 โ”‚ โ”‚ โ”‚ โ”‚ _rep = i[0] โ”‚ โ”‚ 130 โ”‚ โ”‚ โ”‚ โ”‚ num_logs += i[1] โ”‚ โ”‚ 131 โ”‚ โ”‚ โ”‚ โ”‚ for k, v in _rep.items(): โ”‚ โ”‚ 132 โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ try: โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ TypeError: 'NoneType' object is not subscriptable [07:36:38] [!] We can't find windows event logs at their standard path. common.py:104 [EVENTS] Entered events plugin. common.py:104 [NETWORK] Entered network plugin. common.py:104 [NETWORK] Read 163 records, found 0 IoC hits. common.py:104 [REGISTRY] Entered registry plugin. common.py:104 [REGISTRY] Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot common.py:104 [REGISTRY] Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not common.py:104 exist. [REGISTRY] Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF common.py:104 [REGISTRY] Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File common.py:104 Execution Options
    [REGISTRY] Found 0 hit(s) for Sibot - Registry indicator. common.py:104 [REGISTRY] Found 0 hit(s) for Teardrop - Registry Activity indicator. common.py:104 [REGISTRY] Found 0 hit(s) for IFEO Persistence indicator. common.py:104 [YARA] Entered yara plugin. common.py:104 [YARA] Enumerating the entire filesystem due to ['CISA Solar Fire', 'CISA Teardrop', common.py:104 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [YARA] Beginning processing. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [[07:36:40]! ] We can't find windows event logs at their standard path. [common.py!:104 ] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104 [07:36:40] [!] We can't find windows event logs at their standard path. common.py:104

    To reproduce

    Download latest code Install with python.exe -m pip install -e . Run with python.exe chirp.py Observe output

    Expected behavior

    No mountvol error

    Any helpful log output or screenshots

    Paste the results here:

    mountvol

    Add any screenshots of the problem here.

    bug need info 
    opened by rsmith16384 7
  • Exception Processing Message

    Exception Processing Message

    ๐Ÿ› Summary

    When running chirp.exe with defaults this error comes up multiple times even when hitting continue.

    I ran chirp.exe from the extract folder of chirp running from C:\chirp\

    Screenshot from 2021-04-08 19-02-49

    bug need info 
    opened by bneu78 6
  • Files not found after scans

    Files not found after scans

    ๐Ÿ› Summary

    Program scans files then appears to hang (already addressed in issue #8). After pressing one or more keys, "Traceback" is produced with multiple "[Errno 2] No such file or directory" and references to %temp%\onefile_dddd_ddd ...ddd

    To reproduce

    Program was run on virtual Server 2012 User logged in using RDP Powershell run as admin cd to Location of downloaded files: C:\Support\Chirp

    Expected behavior

    Expected program to end normally and produce report

    Any helpful log output or screenshots

    Output hard to read with current colours so ..

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp.py:14 in

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:19 in run

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:29 in run_plugins

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py:642 in run_until_complete

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:43 in _run_coroutines

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py:128 in run

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py:145 in results_generator

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py'

    C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py:308 in results

    [Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py'

    ProxyException: Traceback (most recent call last): File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py", line 110, in run File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py", line 73, in _run File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\events.py", line 98, in gather File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\events.py", line 67, in process_files File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\evtx2json.py", line 160, in iter_evtx2xml File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\Evtx\Evtx.py", line 66, in enter FileNotFoundError: [Errno 2] No such file or directory: 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx'

    image

    
    

    Add any screenshots of the problem here.

    bug 
    opened by DASCert 4
  • Non-zero Exit on IOC's Discovered in Non-interactive Mode

    Non-zero Exit on IOC's Discovered in Non-interactive Mode

    Non-zero Exit on IOC's Discovered in Non-interactive Mode

    ๐Ÿ—ฃ Description

    Seeks IOC detection count from run and exits with non-zero status in non-interactive mode, retaining existing functionality in interactive mode. Addresses #31

    ๐Ÿ’ญ Motivation and context

    Common tooling in automatic workflows involves using non-zero exit codes to enable decision making after process completion. Using additional exit codes enhances CISA CHIRP's ability to be used within these contexts.

    ๐Ÿงช Testing

    Used pre-commit to ensure proper conformance with linting and style.

    Used the following against the code related to this PR to test various scenarios:

    # non-interactive mode with non-zero exit (CHIRP self-detects IOC's when targeting itself)
    python chirp.py -p yara -t c:\\chirp\\** -o chirp_result -l debug --non-interactive
    
    # non-interactive mode with zero exit (no detections)
    python chirp.py -p yara -t c:\\no_ioc_dir\\** -o chirp_result -l debug --non-interactive
    
    # interactive mode with zero exit after prompt
    python chirp.py -p yara -t c:\\no_ioc_dir\\** -o chirp_result -l debug
    

    โœ… Checklist

    • [x] This PR has an informative and human-readable title.
    • [x] Changes are limited to a single goal - eschew scope creep!
    • [x] All future TODOs are captured in issues, which are referenced in code comments.
    • [ ] All relevant type-of-change labels have been added.
    • [x] I have read the CONTRIBUTING document.
    • [x] These code changes follow cisagov code standards.
    • [x] All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
    • [] Tests have been added and/or modified to cover the changes in this PR.
    • [x] All new and existing tests pass.
    improvement 
    opened by d33bs 3
  • Non-zero Exit on IOC's Discovered in Non-interactive Mode

    Non-zero Exit on IOC's Discovered in Non-interactive Mode

    ๐Ÿ’ก Summary

    Use non-zero exit when IOC's are discovered in non-interactive mode to enhance automatic workflows.

    Motivation and context

    Common tooling in automatic workflows involves using non-zero exit codes to enable decision making after process completion. Using additional exit codes would enhance CISA CHIRP's ability to be used within these contexts.

    Implementation notes

    CISA CHIRP would run plugins to completion and use reports to determine whether IOC's discovered is greater than 0. If any IOC's were discovered from the reports, we'd exit with a non-zero sys.exit(1) (see below).

    Use the following exit codes for status indications (i.e. sys.exit(number)):

    • 0 == successful completion, no IOC's detected
    • 1 == successful completion, IOC's detected
    • 2 == unsuccessful completion (errors, unexpectedly incomplete run, etc)

    Avoiding specifics about IOC's detected in logs may be beneficial (as otherwise public- or near-public display of this information may be a vulnerability or liability). Propose using generic log message (or no log message at all, solely relying on exit code) to indicate IOC's were discovered but remove specific mention of which ones. Open to thoughts or suggestions here!

    Acceptance criteria

    • [ ] CISA CHIRP runs all specified plugins through to report completion
    • [ ] Successful run with no IOC's detected from reports emits exit code 0
    • [ ] Successful run with IOC's detected from reports emits exit code 1
    • [ ] Unsuccessful run (errors, unexpectedly incomplete, etc) emits exit code 2
    improvement 
    opened by d33bs 3
  • Remove

    Remove "Press any key to exit" / make runtime fully non-interactive

    ๐Ÿ’ก Summary

    Remove the "Press any key to exit" interactive prompt that occurs / add parameter to make the runtime of the EXE fully non-interactive.

    [08:22:51] [+] DONE! Your results can be found in D:\output. Press any key to exit. common.py:104

    Motivation and context

    Why does this work belong in this project?

    This would be useful because it would vastly increase the scope of audience that is able to consume this tool. RMM tools used by MSPs do not cope with programs that require keyboard input, have interactive prompts, and and have GUI-based pop-ups. If you want this tool to be used by the world, the tool must be able to run from 0 to 100 without stopping for input.

    Implementation notes

    Just remove any keyboard inputs OR add a parameter switch, i.e. "chirp.exe" -noprompt, to suppress all input prompts.

    Acceptance criteria

    How do we know when this work is done?

    When "chirp.exe" can be executed without having to "press any key to exit" and it finishes running on its own (self-terminates/process end).

    improvement 
    opened by BlueToast 3
  • Add Malicious IP Addresses Associated with CISA Alert - AA21-062A

    Add Malicious IP Addresses Associated with CISA Alert - AA21-062A

    ๐Ÿ—ฃ Description

    Added malicious IP addresses associated with CISA Alert - AA21-062A

    https://us-cert.cisa.gov/ncas/alerts/aa21-062a

    ๐Ÿ’ญ Motivation and context

    I've started to use this tool with clients to detect any network activity related to the recent Exchange vulnerabilities. Figured others might want to do the same.

    opened by greyl0cke 3
  • Do you have any tips for running chirp via SCCM?

    Do you have any tips for running chirp via SCCM?

    Do you have any tips for running chirp via SCCM?

    It seems like it doesnโ€™t run properly from an SMB share and also there doesnโ€™t seem to be a way to capture the console output (even with a >)

    This isn't a bug per-se. Probably I'm just not using the console redirection, powershell scripting, or other context/environment aspects correctly, but the naive implementation isn't working.

    (run from sccm scripts->) cmd.exe /c "\SHARE\chirp\chirp.exe -o \SHARE\chirpout\test"

    opened by apowelliaea 0
  • CHIRP scanning it's own files and reporting as hits

    CHIRP scanning it's own files and reporting as hits

    ๐Ÿ› Summary

    Seems like CHIRP tool scanning it's own resources and showing them as hit counts in final scan output.

    To reproduce

    Steps to reproduce the behavior:

    1. Download version 1.0.7 from the repository.
    2. Unzip it on your machine.
    3. Run the scan with defaults.
    4. Check the results - Yara indicator will show '1' Hit.

    Expected behavior

    What did you expect to happen that didn't?

    CHIRP tool might scan it's resources. However, it should be excluded from the output and final scan results.

    Any helpful log output or screenshots

    Paste the results here:

    image

    Add any screenshots of the problem here.

    opened by Kamalesh-Veluri 0
  • Crowdstrike yaml rules create a false positive when the tool has been ran twice.

    Crowdstrike yaml rules create a false positive when the tool has been ran twice.

    ๐Ÿ› Summary

    What's wrong? Please be specific.

    To reproduce

    Steps to reproduce the behavior:

    1. Run the CHIRP tool on a server
    2. Look at the results, they should show zero results or matches
    3. Run the CHIRP tool again
    4. The CHIRP Results show a false positive based on yaml rules

    Expected behavior

    What did you expect to happen that didn't? No detected results when using the tool multiple times

    Any helpful log output or screenshots

    Paste the results here:

    "CrowdStrike Sunspot": { "description": ""Identifies Sunspot backdoor dropper utilizing unique strings in key encryption material, mutexes, and logging."\n", "confidence": 10, "matches": [ { "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}", "namespace": "CrowdStrike Sunspot", "rule": "CrowdStrike_SUNSPOT_02", "strings": "[(1155, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (1227, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]", "tags": "['artifact', 'stellarparticle', 'sunspot']", "file": "C:\$Recycle.Bin\S-1-5-21-1078081533-1897051121-xxxxxx-19038\xxxxx\crowdstrike_sunspot.yaml" }, { "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}", "namespace": "CrowdStrike Sunspot", "rule": "CrowdStrike_SUNSPOT_02", "strings": "[(514, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (578, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]", "tags": "['artifact', 'stellarparticle', 'sunspot']", "file": "C:\Users\xxxxx\Desktop\Results\output\yara.json" } ] } }

    
    Add any screenshots of the problem here.
    
    opened by capricewag 0
  • Seems CHIRP is Visual Studio dependent.

    Seems CHIRP is Visual Studio dependent.

    ๐Ÿ› Summary

    Requires visual studio to run, not all systems can have that on the system.

    To reproduce

    Steps to reproduce the behavior:

    1. Tried to run on WinSrv2016 without Visual Studio and failed to run.
    2. Ran on a system with Visual studio and was successful.

    Expected behavior

    I was expecting the CHIRP.exe tool to run.

    Any helpful log output or screenshots

    Paste the results here:

    
    

    Add any screenshots of the problem here.

    wontfix 
    opened by avaxa21 7
  • Create PYPI Package with Modified Name to Avoid Typosquatting and Enable Wide Distribution

    Create PYPI Package with Modified Name to Avoid Typosquatting and Enable Wide Distribution

    ๐Ÿ’ก Summary

    "chirp" is already registered as a package name on PYPI, meaning someone may erroneously believe they're installing CISA's CHIRP but end up with https://pypi.org/project/chirp/ instead. In general, this may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). CISA could deploy a PYPI package as "cisa-chirp" to differentiate from other packages and protect against typosquatting (in addition to general confusion with other packages).

    This seems to have been brought up and closed, but I'd like to resurface as an idea for consideration. Reference: https://github.com/cisagov/CHIRP/issues/19

    Motivation and context

    In general, the package and project name similarities may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). Making a PYPI package available with another name and documenting it would be beneficial in securing the project and enable wide distribution via command line: "pip install <package name>".

    Implementation notes

    Propose including authority in the package name itself, for instance "cisa-chirp", to differentiate and provide trust in the package via PYPI.

    Acceptance criteria

    How do we know when this work is done?

    • [ ] Issuing the command "pip install <modified package name>" installs CISA's CHIRP project and enables it to be used on client machine.
    evaluating 
    opened by d33bs 2
  • Process Memory Plugin

    Process Memory Plugin

    ๐Ÿ’ก Summary

    A plugin to inspect process memory would be helpful to detect a variety of injections including Cobalt Strike beacons and the like.

    Motivation and context

    Bad guys like cobalt strike and in-memory implants

    Implementation notes

    Passing the pid to the python yara bindings and having a set of rules specific to the module would be helpful, with the option to leverage pe-sieve. Maybe a config to limit the processes,

    Acceptance criteria

    functioning plugin

    improvement version bump 
    opened by kfaber 0
Releases(v1.0.7)
Owner
Cybersecurity and Infrastructure Security Agency
Commit today, secure tomorrow.
Cybersecurity and Infrastructure Security Agency
Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina=2.2.4. Example Here I

Jina AI 5 Mar 15, 2022
Proof-of-concept obfuscation toolkit for C# post-exploitation tools

InvisibilityCloak Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# visual studio proj

259 Dec 19, 2022
CVE-2021-43798Expๅคš็บฟ็จ‹ๆ‰น้‡้ชŒ่ฏ่„šๆœฌ

Grafana V8.*ไปปๆ„ๆ–‡ไปถ่ฏปๅ–Exp--ๅคš็บฟ็จ‹ๆ‰น้‡้ชŒ่ฏ่„šๆœฌ ๆผๆดžๆ่ฟฐ Grafanaๆ˜ฏไธ€ไธชๅผ€ๆบ็š„ๅบฆ้‡ๅˆ†ๆžไธŽๅฏ่ง†ๅŒ–ๅฅ—ไปถใ€‚็ปๅธธ่ขซ็”จไฝœๅŸบ็ก€่ฎพๆ–ฝ็š„ๆ—ถ้—ดๅบๅˆ—ๆ•ฐๆฎๅ’Œๅบ”็”จ็จ‹ๅบๅˆ†ๆž็š„ๅฏ่ง†ๅŒ–๏ผŒๅฎƒๅœจๅ…ถไป–้ข†ๅŸŸไนŸ่ขซๅนฟๆณ›็š„ไฝฟ็”จๅŒ…ๆ‹ฌๅทฅไธšไผ ๆ„Ÿๅ™จใ€ๅฎถๅบญ่‡ชๅŠจๅŒ–ใ€ๅคฉๆฐ”ๅ’Œ่ฟ‡็จ‹ๆŽงๅˆถ็ญ‰ใ€‚ๅ…ถ 8.*็‰ˆๆœฌไปปๆ„ๆ–‡ไปถ่ฏปๅ–ๆผๆดž๏ผŒ่ฏฅๆผๆดž็›ฎๅ‰ไธบ0d

2 Dec 16, 2021
A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

3 Sep 26, 2022
Fast and easy way to rollout on multiple GitLab project file a particular content.

Volatile Fast and easy way to rollout on multiple GitLab project file a particular content. Why ? After looking for a tool to simply enforce a develop

Lujeni 4 Jan 17, 2022
simple python keylogger

HELLogger simple python keylogger DISCLAIMERS: DON'T DO BAD THINGS. THIS PROGRAM IS MEANT FOR PERSONAL USES ONLY. USE IT ONLY IN COMPUTERS WHERE YOU H

Arya 10 Nov 10, 2022
Implementation of an attack on a tropical algebra discrete logarithm based protocol

Implementation of an attack on a tropical algebra discrete logarithm based protocol This code implements the attack detailed in the paper: On the trop

3 Dec 30, 2021
A brute Force tool for Facebook

EliBruter A brute Force tool for Facebook Installing this tool -- $ pkg upgrade && update $ pkg install python $ pkg install python3 $ pkg install gi

Eli Hacks 3 Mar 29, 2022
Hikvision ๆตๅช’ไฝ“็ฎก็†ๆœๅŠกๅ™จๆ•ๆ„Ÿไฟกๆฏๆณ„ๆผ

Hikvisioninformation Hikvision ๆตๅช’ไฝ“็ฎก็†ๆœๅŠกๅ™จๆ•ๆ„Ÿไฟกๆฏๆณ„ๆผ Options optional arguments: -h, --help show this help message and exit -u url, --url url

Henry4E36 13 Nov 09, 2022
Python APK Reverser & Patcher Tool

DTL-X An Advanced Python APK Reverser and Patcher Tool. --rmads1: target=AndroidManifest.xml,replace=com.google.android.gms.ad --rmads2: No Internet (

DedSecTL 10 Oct 31, 2022
A honey token manager and alert system for AWS.

SpaceSiren SpaceSiren is a honey token manager and alert system for AWS. With this fully serverless application, you can create and manage honey token

287 Nov 09, 2022
้›†ๆˆcrawlergoใ€xrayใ€dirsearchใ€nmap็ญ‰ๅทฅๅ…ท็š„srcๆผๆดžๆŒ–ๆŽ˜ๅทฅๅ…ท๏ผŒไฝฟ็”จdockerๅฐ่ฃ…่ฟ่กŒ๏ผ›

toolsไธ‹ๆœ‰ๅ‡ ไธชๅทฅๅ…ท๏ผŒๆ‰€ไปฅ้กน็›ฎๆ–‡ไปถๆฏ”่พƒๅคง๏ผŒๅฆ‚ๆžœไธ‹่ฝฝๆ€ปๆ˜ฏไธญๆ–ญ็š„่ฏๅปบ่ฎฎๆ‹†ๅผ€ไธ‹่ฝฝๅ„ไธช้กน็›ฎ็„ถๅŽ็›ดๆŽฅๆ‹ท่ดdockefileๅ’Œrecon.pyๅณๅฏ 0x01 hscanไป‹็ป hscanๆ˜ฏไป€ไนˆ hscanๆ˜ฏไธ€ๆฌพๆ—จๅœจไฝฟ็”จไธ€ๆกๅ‘ฝไปคๆ›ฟไปฃๆธ—้€ๅ‰็š„ๅคšๆกๆ‰ซๆๅ‘ฝไปค๏ผŒ้€š่ฟ‡้›†ๆˆcrawlergoๆ‰ซๆๅ’Œxrayๆ‰ซๆใ€dirsear

102 Jan 04, 2023
This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to the attack classes defined and curated malapi.io.

F2Amapper This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to

Ajit Kumar 3 Sep 03, 2022
Cve-2021-22005-exp

cve-2021-22005-exp 0x01 ๆผๆดž็ฎ€ไป‹ 2021ๅนด9ๆœˆ21ๆ—ฅ๏ผŒVMwareๅ‘ๅธƒๅฎ‰ๅ…จๅ…ฌๅ‘Š๏ผŒๅ…ฌๅผ€ๆŠซ้œฒไบ†vCenter Serverไธญ็š„19ไธชๅฎ‰ๅ…จๆผๆดž๏ผŒ่ฟ™ไบ›ๆผๆดž็š„CVSSv3่ฏ„ๅˆ†่Œƒๅ›ดไธบ4.3-9.8ใ€‚ ๅ…ถไธญ๏ผŒๆœ€ไธบไธฅ้‡็š„ๆผๆดžไธบvCenter Server ไธญ็š„ไปปๆ„ๆ–‡ไปถไธŠไผ ๆผๆดž(CVE-20

Jing Ling 146 Dec 31, 2022
ProxyShell POC Exploit : Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write)

ProxyShell Install git clone https://github.com/ktecv2000/ProxyShell cd ProxyShell virtualenv -p $(which python3) venv source venv/bin/activate pip3 i

Poming huang 312 Dec 09, 2022
Windows Stack Based Auto Buffer Overflow Exploiter

Autoflow - Windows Stack Based Auto Buffer Overflow Exploiter Autoflow is a tool that exploits windows stack based buffer overflow automatically.

Himanshu Shukla 19 Dec 22, 2022
Open-source keylogger write in python

Python open-source keylogger Language Python open-source keylogger using pynput module Using Install dependences in archive setup.py or install.sh in

Dio brando 4 Jan 15, 2022
CVE-log4j CheckMK plugin

CVE-2021-44228-log4j discovery (Download the MKP package) This plugin discovers vulnerable files for the CVE-2021-44228-log4j issue. To discover this

4 Jan 08, 2022
Gitlab RCE - Remote Code Execution

Gitlab RCE - Remote Code Execution RCE for old gitlab version = 11.4.7 & 12.4.0-12.8.1 LFI for old gitlab versions 10.4 - 12.8.1 This is an exploit f

153 Nov 09, 2022
Python Library For Ethical Hacker

Python Library For Ethical Hacker

11 Nov 03, 2022