CyberChef – Data decoding made easy

screen with code displayed

Author Kevin Kipp

A SOC Analysts’ job can sometimes seem overwhelming. There is a myriad of obfuscation techniques that adversaries can use – hashing, encoding, encryption, and compression just to name a few.

How are the defenders supposed to keep up with an ever-changing threat landscape? If you were presented with a secret message such as:

“10010 01101 01110 10001 00100 00010 10000 00100 10010 00111 01000 00110 00111 01010 10110 00010 01101 01100 00101 01000 00011 00100 01100 10010 01000 00000 01010”

Could you crack the code?

In this blog, we’ll go over an important tool in the SOC Analysts toolbox – CyberChef.

What is CyberChef?

CyberChef is a web-application developed by GCHQ that’s been called the “Cyber Swiss Army Knife”. From the CyberChef Github page:

“CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.”

This tool can be downloaded from Github and run on your local machine, or it can be run inside the browser at this link: https://gchq.github.io/CyberChef/

What is CyberChef used for?

CyberChef can be used to: Encode, Decode, Format data, Parse data, Encrypt, Decrypt, Compress data, Extract data, perform arithmetic functions against data, defang data, and many other functions.

How do I get started?

Go to: https://gchq.github.io/CyberChef/

From there, you’ll see 4 sections:

  1. Operations on the left side – These are how the manipulations you want to perform on the data.

  2. Recipe in the middle – These are the instructions telling Cyberchef what to do with the data.

  3. Input section on the top right side – This is the data you provide that you’re manipulating.

  4. Output section on the bottom right side – This is the result of the Input + Recipe functions

In order to use CyberChef for the first time, it’s easiest to know how you want to manipulate the data first, but you also need sample data for the input.

The next few sections will guide you through the process.

Grab your chef hat and let’s get cooking!

Example 1:

You receive an alert from your EDR that a single PC has tried to run a malicious Powershell script.

The attempt was blocked, but let’s analyze the script using Cyberchef.