CISA says CHIRP currently looks for:
- The presence of malware identified by security researchers as TEARDROP and RAINDROP;
- Credential dumping certificate pulls;
- Certain persistence mechanisms identified as associated with this campaign;
- System, network, and M365 enumeration; and
- Known observable indicators of lateral movement.
CHIRP is available on GitHub as a compiled executable or as a Python script.
FireEye in January also released a free tool on GitHub called Azure AD Investigator.