CyberChef – Data decoding made easy
Author Kevin Kipp
A SOC Analyst’s job can sometimes seem overwhelming. There are myriad obfuscation techniques that adversaries can use – hashing, encoding, encryption, and compression, just to name a few.
How are the defenders supposed to keep up with an ever-changing threat landscape? If you were presented with a secret message such as:
“10010 01101 01110 10001 00100 00010 10000 00100 10010 00111 01000 00110 00111 01010 10110 00010 01101 01100 00101 01000 00011 00100 01100 10010 01000 00000 01010”
Could you crack the code?
In this blog, we’ll go over an important tool in the SOC Analyst’s toolbox – CyberChef.
What is CyberChef?
CyberChef is a web application developed by GCHQ that’s been called the “Cyber Swiss Army Knife”. From the CyberChef GitHub page:
“CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.”
This tool can be downloaded from GitHub and run on your local machine, or it can be run inside the browser at this link: https://gchq.github.io/CyberChef/
What is CyberChef used for?
CyberChef can be used to encode, decode, format, parse, encrypt, decrypt, compress, extract and defang data, perform arithmetic functions against data, and carry out many other operations.
How do I get started?
Go to: https://gchq.github.io/CyberChef/
From there, you’ll see 4 sections:
Operations on the left side – These are the manipulations you can perform on the data.
Recipe in the middle – These are the instructions telling CyberChef what to do with the data.
Input section on the top right side – This is the data you provide that you’re manipulating.
Output section on the bottom right side – This is the result of applying the Recipe to the Input.
When using CyberChef for the first time, it’s easiest to decide how you want to manipulate the data first, but you also need sample data for the Input.
The next few sections will guide you through the process.
Grab your chef hat and let’s get cooking!
You receive an alert from your EDR that a single PC has tried to run a malicious PowerShell script.
The attempt was blocked, but let’s analyze the script using CyberChef.
Reviewing the alert, you can see the following command in your PowerShell logs:
“powershell.exe -NoP -sta -NonI -W Hidden -Enc
Let’s break this down:
powershell.exe tells Windows to launch PowerShell, which interprets the rest of the command.
-NoP (short for -NoProfile) tells PowerShell not to load a profile. Profiles are startup scripts used to customize the PowerShell session, such as window color, text font and color, and other options.
-sta tells PowerShell to run in a “Single-Threaded Apartment” (STA), a COM threading model in which the process uses a single thread for COM calls. The alternative, -mta, runs PowerShell in a Multi-Threaded Apartment instead.
-NonI (short for -NonInteractive) tells PowerShell not to present an interactive prompt to the user, so the script runs without any user involvement.
-W Hidden (short for -WindowStyle Hidden) tells PowerShell to run with a hidden window; again, this is typically used to hide malicious activity from the user.
The next part looks like junk, but this is actually a Base64-encoded command, and the reason we need help from CyberChef. -Enc (short for -EncodedCommand) expects the script as UTF-16LE text that has been Base64 encoded.
Copy the entire command starting from “JABX” and ending with “AKQA=” and paste it into the Input section of CyberChef:
In order to decode the command, we’ll need to tell CyberChef to decode the Base64 data.
Type “base” in the search box on the left, and drag “From Base64” into the Recipe section:
As you can see, the Output on the bottom right is better, but still not human-readable: the decoded bytes are UTF-16LE text, so every other byte is a null.
Copy the text in the Output section and paste it into the Input section.
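The two CyberChef steps described above (From Base64, then decoding the UTF-16LE text) can also be scripted for triaging many alerts at once. The following is an added example, not code from the original post or from the CyberChef project. It builds a constructed, harmless sample script and log line in the shape of the command quoted above, extracts the value after the -Enc flag, and replicates the recipe. The sample script deliberately starts with “$W”, because those two characters in UTF-16LE are the bytes 0x24 0x00 0x57, whose Base64 form is exactly the “JABX” prefix seen on the page. The flag-matching rule (any unambiguous prefix of -EncodedCommand) reflects PowerShell’s parameter handling; the function and variable names are this example’s own.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed sample: a harmless script standing in for the page's payload.
# It begins with "$W" so that its Base64 form starts with "JABX", just like
# the command quoted in the post (0x24 0x00 0x57 == "$W" in UTF-16LE).
SAMPLE_SCRIPT = "$WarningPreference = 'SilentlyContinue'; Write-Output 'CyberChef demo'"


def encode_powershell_command(script: str) -> str:
    """Build the value -EncodedCommand expects: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_ENCODED = encode_powershell_command(SAMPLE_SCRIPT)

# Constructed log line in the same shape as the one in the post.
SAMPLE_LOG_LINE = f"powershell.exe -NoP -sta -NonI -W Hidden -Enc {SAMPLE_ENCODED}"


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the Base64 blob that follows an -EncodedCommand style flag.

    PowerShell accepts any unambiguous prefix of the parameter name, so
    -e, -ec, -enc, -encoded and -EncodedCommand all mean the same thing.
    """
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if name and "encodedcommand".startswith(name):
            return value
    return None


def decode_encoded_command(blob: str) -> Tuple[bytes, str]:
    """Replicate the CyberChef recipe: From Base64, then decode as UTF-16LE.

    Returns the intermediate bytes too: the 0x00 high bytes in them are why
    the first CyberChef output looks 'better, but still not human-readable'.
    """
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even number of bytes")
    return raw, raw.decode("utf-16-le")


def analyse(command_line: str) -> Dict[str, object]:
    """Triage one logged command line: was it encoded, and what did it contain?"""
    blob = extract_encoded_command(command_line)
    if blob is None:
        return {"encoded": False}
    raw, script = decode_encoded_command(blob)
    return {"encoded": True, "null_bytes": raw.count(0), "script": script}


if __name__ == "__main__":
    print("Log line :", SAMPLE_LOG_LINE)
    print("Decoded  :", analyse(SAMPLE_LOG_LINE))
```

Running the block prints the constructed log line and the recovered script; pointing analyse() at real command lines from your PowerShell or Sysmon logs gives the same result as the manual CyberChef recipe, and the null-byte count is a quick sanity check that the payload really was UTF-16LE.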