Discover and read the best of Twitter Threads about #CyberChef

Most recents (8)

It's been one of the more eventful weeks in cybersecurity history. In my little corner of the world, it went a little something like this... 1/n
The first #log4j / #log4shell blog from #SURGe @splunk splunk.com/en_us/blog/sec… was published a week ago with @meansec leading from the front and jump-started by @DrShannon2000 and @jsy9981 2/n
Meanwhile, hundreds of Splunkers worked through last weekend to publish our official advisory. If you take one thing from this thread, it should be this! It's updated frequently and includes details about CVE-2021-45046 and more. splunk.com/en_us/blog/bul… 3/n
Read 28 tweets
Let's walk through #malware de-obfuscation of a REvil PowerShell ransomware script in #CyberChef. The original can be found below if you want to play alone at home! hybrid-analysis.com/sample/e1e19d6…
Following my analysis, I realised there is an excellent write up of the same PowerShell on SANS here which is worth a read: isc.sans.edu/forums/diary/P… Thanks to @xme for saving me the detonation to learn its ransomware! 👍
Taking a scan we can see an AES decrypt function and blob of Base64 - likely what is to be decrypted. Later on we see our IV and Key variables references, also in Base64.
Read 13 tweets
Here it is! It was an absolute pleasure to develop this course, #CyberChef for Security Analysts, with @chrissanders88. I've tried to cover a range of use cases for work in our field but I probably only scratched the surface. (1/5)
What I've aimed to do instead is to teach the skills so that you can look at the data you'll be using in your work and be confident you can whip up a recipe in CyberChef to suit your needs (2/5).
What's covered are the fundamentals of CyberChef up to the more advanced features that make it the indispensable tool for network defenders. Totally unpaid tweet right here: 👇 (3/5)
Read 5 tweets
A small Powershell script leads to a longer #CyberChef recipe.

(1/6): Let's extract the obfuscated section with a regular expression: a regex lookahead/lookbehind.
(2/6) We're going to convert the obfuscated text into Character Codes.
(3/6) Now, following the script we have to subtract 1 from each of the Character Code values and convert it back again. So we put a 1 next to each value with a Find/Replace...
Read 6 tweets
Would someone use the Olympics to phish? Yes, yes they would.
🆕hxxps://amazingmonkeys.es/tokyo2020comiteeolympic/
🆕hxxps://amazingmonkeys.es/olympiccomitee/
hxxps://154dst.com/comiteeolympic/
hxxps://154dst.com/olympiccomitee/
hxxps://154dst.com/olympicinternationalcomitee/ Image
and
🆕hxxps://amazingmonkeys.es/tokyo2020portal/
@Olympics, you might want to check the Referrer in your weblogs to see non-Olympics sites loading stillmed.olympic.org/media/Images/O…
Could help discover phishing sites like these.
Read 6 tweets
So in #DFIR you'll come across lots (and lots) of timestamps. Let's take a quick dive into this weird and wonderful world....(1/x)
For Windows, FILETIME is your main man. It's a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). (2/x) docs.microsoft.com/en-au/windows/…
So why 1601? According to Microsoft, "The Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle...active at the time Windows NT was being designed...it was chosen to make the math come out nicely." Seems fair. (3/x) devblogs.microsoft.com/oldnewthing/20…
Read 15 tweets
How to tell that the ridiculously overcomplicated VBA macro function you're staring at is maybe just rolling its own Base64: accounting for padding

Decoded @digitalocean server: 178.128.141.18:8080

👨🏼‍🎓"Classeur1.xlsm" (7/58): virustotal.com/gui/file/70b86…
Uploaded from Tunis, 🇹🇳
[1/3] ImageImage
It's reasonable to expect an aspiring detection engineer to explain what's going on here.

CREATE_HEX function: MCAFEE_CERTIFICATION 👀
You should know what |4d 5a| means.

You should be able to explain the rudimentary D1, D2, and D3 evasion functions.
[2/2] ImageImage
This is a good Excel macro for entry-level analysis given its simpler structure.

I've uploaded the file so others can play with it and learn:
🌊@virusbay_io: beta.virusbay.io/sample/browse/…
🏃🏼‍♂️@anyrun_app: app.any.run/tasks/bfec85ac…
🔎@Malwageddon's IRIS-H: iris-h.services/#/pages/report…
🍻
[3/3]
Read 4 tweets
Another quick .NET triage/analysis of a related #PUBNUBRAT dropper/launcher (?) 1d155032232cd40c1788271546af36ec (U4.conf). This one we start immediately with extracting the 'app' resource using dnSpy to get 5bbe762b83e051776f1b5ea30ffc0050 (application/x-lzip).
5bbe762b83e051776f1b5ea30ffc0050 decompressed to the goliath ~8MB ca19c3c3c2ef656b33d7173a49186f5a (application/x-dosexec) which is also a .NET binary. Back in dnSpy, which nearly chokes on the size, we finally get to a main decryption routine.
We could take the next steps of this in a million ways, but this is easy to do in @GCHQ's #CyberChef. First From Base64 & To Hex the Key and IV for the crypto routine and save these in hex.
Read 8 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!