HomeWinBuzzer NewsCISA Debuts Windows 10 Checking Tool Against SolarWinds Attacks

CISA Debuts Windows 10 Checking Tool Against SolarWinds Attacks

A CISA tool called CHIRP can scan Windows 10, Microsoft 365, and Azure for instances of the SolarWinds Solarigate malware.


As organizations continue to reel from the exploit that affected over 30,000 businesses and agencies, US authorities are looking for ways to help. Following a tool to help mitigate the Solarigate malware, the US and Infrastructure Security Agency (CISA) has released its own tool.

The command-line tool can be used by organizations in an on-premises situation to scan systems for activity of Solarigate. It will find instances of against SolarWinds apps. Called the CISA Hunt and Incident Response Program (Chirp), the tool is available now:

“CHIRP scans for signs of APT compromise within an on-premises environment,” CISA says in the alert.

Underpinning CHIRP is a method for finding instances of exploits against eh SolarWinds Orion app. This is a popular networking tool used by tens of thousands of organizations. It is the backdoor vulnerability that caused the Solarigate crisis.

As noted, this tool takes a similar approach to Sparrow, a program Microsoft released last month to detect Solarigate activity on Azure and . CISA says CHIRP is best used in Windows event logs and the platform Registry.

CISA advises organizations to use CHIRP to:

  • “Examine Windows event logs for artifacts associated with this activity;
  • Examine Windows Registry for evidence of intrusion;
  • Query Windows network artifacts; and
  • Apply YARA rules to detect malware, backdoors, or implants.

Network defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP's release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).”

Ongoing Exploit

SolarWinds related attacks have infected 18,000 organizations, including government agencies. In December, the Cybersecurity and Infrastructure Security Agency (CISA) debuted a PowerShell tool to help Microsoft 365 customers mitigate Solarigate. Microsoft had recently confirmed stolen Azure/Microsoft 365 credentials and access tokens were a part of the breach.

Tip of the day:

Though many VPN providers have their own apps, you can in many cases connect to a VPN in Windows 10 without any third-party software. This is ideal if you have a self-hosted VPN or if you're using a PC with restricted permissions. In our tutorial, we're showing you how to connect to a VPN in Windows 10.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News