Matt (@mattnotmax)
Jul 5 · 11 tweets · 5 min read
A short thread of solid #CyberChef alternatives and complementary tools.... ⏬
Ciphey: a fantastic tool that does automated decryption & decoding. Great documentation, and easy to set up via Docker. github.com/Ciphey/Ciphey
Binary Refinery: I'll admit I haven't played with this as much as I should have. It looks fantastic. Each script does one job, and they can be piped together like a command-line CyberChef. Credit to @huettenhain github.com/binref/refinery
@DidierStevens tools: There are so many tools in the collection I lose track! Didier also has blog post upon blog post of knowledge, and a YouTube channel. youtube.com/user/dist67 github.com/DidierStevens/…
de4js: Does what no-one wants to do. Ever. And that's...deobfuscate JavaScript. For that, I thank you. github.com/lelinhtinh/de4…
Debuggex: a tool that can help visualise regular expressions. Can test JS, Python, or PCRE implementations of regex. debuggex.com
Kahu Security Tools: a bunch of niche tools that are worth a look for deobfuscation and dynamic analysis. kahusecurity.com/tools.html
David Ledbetter's (@Ledtech3) tools. David writes his own tools and has a fantastic blog with detailed malware analysis. github.com/PCsXcetra?tab=… and pcsxcetrasupport3.wordpress.com
oletools by @decalage2. The 'go to', 'must have' set of tools for analysing document files. Get it? Got it? Good. github.com/decalage2/olet…
ExplainShell: If you are Linux-challenged like me then this is a life-saver. Just remember not to post sensitive information if you are not running it locally. explainshell.com
I've probably missed heaps of great tools, and for that I'm sorry. Please post what you use, so we can all benefit. Thanks to everyone who contributes their time and skills. 💪😎

More from @mattnotmax

Feb 4, 2021
Let's walk through #malware de-obfuscation of a REvil PowerShell ransomware script in #CyberChef. The original can be found below if you want to play along at home! hybrid-analysis.com/sample/e1e19d6…
Following my analysis, I realised there is an excellent write up of the same PowerShell on SANS here which is worth a read: isc.sans.edu/forums/diary/P… Thanks to @xme for saving me the detonation to learn its ransomware! 👍
Taking a scan we can see an AES decrypt function and a blob of Base64 - likely what is to be decrypted. Later on we see our IV and Key variable references, also in Base64.
Feb 2, 2021
Here it is! It was an absolute pleasure to develop this course, #CyberChef for Security Analysts, with @chrissanders88. I've tried to cover a range of use cases for work in our field but I probably only scratched the surface. (1/5)
What I've aimed to do instead is to teach the skills so that you can look at the data you'll be using in your work and be confident you can whip up a recipe in CyberChef to suit your needs (2/5).
What's covered are the fundamentals of CyberChef up to the more advanced features that make it the indispensable tool for network defenders. Totally unpaid tweet right here: 👇 (3/5)
Mar 23, 2020
A small Powershell script leads to a longer #CyberChef recipe.

(1/6): Let's extract the obfuscated section with a regular expression: a regex lookahead/lookbehind.
(2/6) We're going to convert the obfuscated text into Character Codes.
(3/6) Now, following the script we have to subtract 1 from each of the Character Code values and convert it back again. So we put a 1 next to each value with a Find/Replace...
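The same three recipe steps (regex extract, to character codes, subtract 1, back to text) as a script, added here as a worked example; it is not code from the thread, and the sample PowerShell one-liner, the `$p = '...'` anchor the regex keys on, and the keyword list used for guessing the shift are constructed for this illustration. The last function goes a step beyond the thread: if you only have the payload and not the decoder loop, it tries small shifts and keeps the one that yields readable PowerShell.

```python
import re
import string

# Constructed sample, not the script from the original thread: a PowerShell
# one-liner that stores its real command with every character code shifted +1
# and restores it at run time by subtracting 1 before Invoke-Expression.
SAMPLE_SCRIPT = (
    "$p = 'Xsjuf.Iptu!(efpcgvtdbufe(';"
    "$c = -join ($p.ToCharArray() | ForEach-Object { [char]([int]$_ - 1) });"
    "Invoke-Expression $c"
)

# Step 1/6: lookbehind/lookahead regex that matches only the quoted payload,
# leaving the surrounding PowerShell out of the match. The "$p = '" anchor is
# an assumption about this sample's layout; adapt it to the script you have.
PAYLOAD_RE = re.compile(r"(?<=\$p = ')[^']+(?=';)")


def extract_obfuscated(script: str) -> str:
    match = PAYLOAD_RE.search(script)
    if match is None:
        raise ValueError("obfuscated payload not found")
    return match.group(0)


# Step 2/6: text -> character codes (what CyberChef's "To Charcode" does).
def to_char_codes(text: str) -> list[int]:
    return [ord(ch) for ch in text]


# Step 3/6: apply the arithmetic the script itself performs ([int]$_ - 1).
def shift_codes(codes: list[int], delta: int) -> list[int]:
    return [code + delta for code in codes]


def from_char_codes(codes: list[int]) -> str:
    return "".join(chr(code) for code in codes)


def deobfuscate(script: str, delta: int = -1) -> str:
    payload = extract_obfuscated(script)
    return from_char_codes(shift_codes(to_char_codes(payload), delta))


# Beyond the thread: brute-force the shift when the decoder loop is not
# available. Scores printable ASCII plus hits on common PowerShell tokens
# (token list is an assumption, extend it for your samples).
KEYWORDS = ("Invoke-", "Write-", "New-Object", "-join", "IEX",
            "ForEach", "FromBase64String")


def score(candidate: str) -> float:
    printable = sum(ch in string.printable for ch in candidate) / max(len(candidate), 1)
    hits = sum(kw in candidate for kw in KEYWORDS)
    return printable + 10 * hits


def guess_shift(payload: str, window: int = 8) -> int:
    codes = to_char_codes(payload)
    best_delta, best_score = 0, float("-inf")
    for delta in range(-window, window + 1):
        shifted = shift_codes(codes, delta)
        if min(shifted) < 0:
            continue
        s = score(from_char_codes(shifted))
        if s > best_score:
            best_delta, best_score = delta, s
    return best_delta


if __name__ == "__main__":
    payload = extract_obfuscated(SAMPLE_SCRIPT)
    print("guessed shift:", guess_shift(payload))
    print(deobfuscate(SAMPLE_SCRIPT))
```

In CyberChef the "subtract 1" step needs the Find/Replace trick to pair a `1` with each value; in a script it is plain arithmetic on the code list, which is why a one-off recipe is often worth turning into a few lines of Python once you have to run it over many samples.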
Jan 5, 2020
So in #DFIR you'll come across lots (and lots) of timestamps. Let's take a quick dive into this weird and wonderful world....(1/x)
For Windows, FILETIME is your main man. It's a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). (2/x) docs.microsoft.com/en-au/windows/…
So why 1601? According to Microsoft, "The Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle...active at the time Windows NT was being designed...it was chosen to make the math come out nicely." Seems fair. (3/x) devblogs.microsoft.com/oldnewthing/20…
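The FILETIME arithmetic from the two tweets above, as an added example (not code from the thread): 100-ns ticks since 1601-01-01 UTC, the constant offset to the Unix epoch, and the little-endian byte order you meet when the value comes out of a registry hive or hex editor rather than an API call. The hex dump in the usage line is constructed, and the "0 means not set" reading in describe() is an assumption that holds for the common cases but should be checked against the artefact you are looking at.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Ticks between the FILETIME epoch and the Unix epoch: 11644473600 s * 10^7.
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime.

    Python datetimes carry microseconds, so the last decimal digit of the
    tick count (the 100-ns remainder) is truncated here.
    """
    if ft < 0:
        raise ValueError("FILETIME is unsigned")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; refuses naive datetimes so a local time is never
    silently treated as UTC (a classic timeline-shifting mistake)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before converting")
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def filetime_to_unix(ft: int) -> float:
    """Seconds since 1970-01-01 UTC, fractional part kept."""
    return (ft - UNIX_EPOCH_FILETIME) / TICKS_PER_SECOND


def filetime_from_le_bytes(raw: bytes) -> int:
    """On disk (registry values, MFT attributes, LNK files) a FILETIME is an
    8-byte little-endian QWORD, so the bytes in a hex dump read reversed."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def filetime_from_hex_dump(text: str) -> int:
    """Accept the 'xx xx xx ...' form copied from a registry or hex editor."""
    return filetime_from_le_bytes(bytes.fromhex(text.replace(" ", "")))


def describe(ft: int) -> str:
    # Assumption: a zero value is an unset field, not a real 1601 timestamp.
    if ft == 0:
        return "0 (field not set)"
    return filetime_to_datetime(ft).isoformat()


if __name__ == "__main__":
    # Constructed sample: the Unix epoch as it appears in a little-endian dump.
    raw = "00 80 3E D5 DE B1 9D 01"
    ft = filetime_from_hex_dump(raw)
    print(raw, "->", ft, "->", describe(ft))
```

Two checks worth keeping in mind when a converted timestamp looks wrong: a value near 1601 usually means a zeroed or unset field rather than a real event, and a value that is off by exactly a few hours usually means a naive local time was fed in as if it were UTC.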
