A short thread of solid #CyberChef alternatives and complementary tools.... ⏬ Ciphey: a fantastic tool that does automated decryption & decoding. Great documentation, and easy to setup via Docker. github.com/Ciphey/Ciphey

Let's walk through #malware de-obfuscation of a REvil PowerShell ransomware script in #CyberChef. The original can be found below if you want to play alone at home! hybrid-analysis.com/sample/e1e19d6… Following my analysis, I realised there is an excellent write up of the same PowerShell on SANS here which is worth a read: isc.sans.edu/forums/diary/P… Thanks to @xme for saving me the detonation to learn its ransomware! 👍

Here it is! It was an absolute pleasure to develop this course, #CyberChef for Security Analysts, with @chrissanders88. I've tried to cover a range of use cases for work in our field but I probably only scratched the surface. (1/5)

https://twitter.com/chrissanders88/status/1356618930438221833

What I've aimed to do instead is to teach the skills so that you can look at the data you'll be using in your work and be confident you can whip up a recipe in CyberChef to suit your needs (2/5).

A small Powershell script leads to a longer #CyberChef recipe.

(1/6): Let's extract the obfuscated section with a regular expression: a regex lookahead/lookbehind. (2/6) We're going to convert the obfuscated text into Character Codes.

So in #DFIR you'll come across lots (and lots) of timestamps. Let's take a quick dive into this weird and wonderful world....(1/x) For Windows, FILETIME is your main man. It's a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). (2/x) docs.microsoft.com/en-au/windows/…