Burnt by SolarWinds attack? US releases tool for post-compromise detection

CISA says CHIRP currently looks for:

  • The presence of malware identified by security researchers as TEARDROP and RAINDROP;
  • Credential dumping certificate pulls;
  • Certain persistence mechanisms identified as associated with this campaign;
  • System, network, and M365 enumeration; and
  • Known observable indicators of lateral movement.

CHIRP is available on GitHub as a compiled executable or as a Python script.
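As an added illustration of the kind of check a post-compromise tool like CHIRP performs (this is example code written for this page, not CHIRP's own source), the scanner below matches a host snapshot against an indicator list covering the categories above: known-malware file hashes, persistence artefacts, and event-log patterns for credential access and lateral movement. The indicator format, the snapshot layout, and every indicator and host value are constructed placeholders, not real campaign IoCs.

```python
"""Indicator-matching scanner: an added example of host-side post-compromise
detection. All indicator and host values are constructed placeholders."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicator set, grouped by the categories the article lists.
# A real tool ships vetted indicators; these values are stand-ins only.
INDICATORS = [
    {"id": "IOC-001", "category": "malware_presence", "type": "file_sha256",
     "value": hashlib.sha256(b"PLACEHOLDER-MALWARE-DLL").hexdigest()},
    {"id": "IOC-002", "category": "persistence", "type": "scheduled_task",
     "value": r"\Microsoft\Windows\PlaceholderUpdater"},
    {"id": "IOC-003", "category": "persistence", "type": "registry_value",
     "value": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
               "placeholder_loader.exe")},
    # Constructed event patterns; real rules target the specific events the
    # campaign's tooling leaves behind.
    {"id": "IOC-004", "category": "credential_access", "type": "event_regex",
     "value": r"EventID=4886 .*Template=PlaceholderSmartcardLogon"},
    {"id": "IOC-005", "category": "lateral_movement", "type": "event_regex",
     "value": r"EventID=7045 .*ServiceName=PLACEHOLDER-REMOTE-SVC"},
]

# Constructed host snapshot, i.e. what a collector would gather on the host.
SNAPSHOT = {
    "files": {  # path -> raw bytes; hashed at scan time
        r"C:\Windows\Temp\placeholder_loader.dll": b"PLACEHOLDER-MALWARE-DLL",
        r"C:\Windows\System32\kernel32.dll": b"BENIGN-SYSTEM-DLL",
    },
    "scheduled_tasks": [r"\Microsoft\Windows\PlaceholderUpdater",
                        r"\Microsoft\Windows\Defrag\ScheduledDefrag"],
    "registry": {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
            r'"C:\Windows\Temp\placeholder_loader.exe"',
    },
    "event_log": [
        "EventID=4624 LogonType=2 User=alice",
        "EventID=4886 Requester=svc-build Template=PlaceholderSmartcardLogon",
        "EventID=7045 ServiceName=PLACEHOLDER-REMOTE-SVC ImagePath=x.exe",
    ],
}


@dataclass
class Finding:
    indicator_id: str
    category: str
    evidence: str


def scan(snapshot, indicators):
    """Return one Finding per (indicator, matching artefact) pair."""
    findings = []
    file_hashes = {path: hashlib.sha256(data).hexdigest()
                   for path, data in snapshot["files"].items()}
    for ind in indicators:
        kind, value = ind["type"], ind["value"]
        if kind == "file_sha256":
            for path, digest in file_hashes.items():
                if digest == value:
                    findings.append(Finding(ind["id"], ind["category"], path))
        elif kind == "scheduled_task":
            for task in snapshot["scheduled_tasks"]:
                if task.lower() == value.lower():  # task names are case-insensitive
                    findings.append(Finding(ind["id"], ind["category"], task))
        elif kind == "registry_value":
            key, needle = value
            actual = snapshot["registry"].get(key)
            if actual is not None and needle.lower() in actual.lower():
                findings.append(Finding(ind["id"], ind["category"], f"{key} = {actual}"))
        elif kind == "event_regex":
            pattern = re.compile(value)
            for line in snapshot["event_log"]:
                if pattern.search(line):
                    findings.append(Finding(ind["id"], ind["category"], line))
    return findings


def summarize(findings):
    """Count findings per category, the shape a triage report would lead with."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in scan(SNAPSHOT, INDICATORS):
        print(f"[{f.category}] {f.indicator_id}: {f.evidence}")
    print(summarize(scan(SNAPSHOT, INDICATORS)))
```

The matching is deliberately exact (hash equality, case-insensitive name equality, anchored regexes) so that a hit is evidence worth triaging rather than a fuzzy score; the benign entries in the snapshot produce no findings.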

FireEye in January also released a free tool on GitHub called Azure AD Investigator.

Burnt by SolarWinds attack? US releases tool for post-compromise detection | ZDNet