How much time do you spend wrestling with obfuscated code, decoding strange data formats, or trying to extract meaningful information from a messy block of text? As a cyber security analyst or threat intelligence professional, you know that data manipulation is a daily challenge. What if you had a single tool that could handle it all? You do! It’s called CyberChef.
CyberChef is a free, web-based application that serves as a “cyber Swiss army knife” for various data-related tasks. Developed by the UK’s GCHQ, it empowers you to perform complex encoding, decoding, compression, and data analysis without writing a single line of code. This guide will introduce you to CyberChef, explain why it’s a vital tool, and demonstrate its use for common analysis tasks.
Let’s dive in and see how CyberChef can transform your workflow.
What is CyberChef?
Imagine you have a suspicious PowerShell script that’s heavily obfuscated. Typically, you might need to use several different command-line tools or write a custom Python script to decode it layer by layer. It’s time-consuming and inefficient.
This is where CyberChef shines. It provides a simple, intuitive, drag-and-drop interface to build a “recipe” of operations. You can chain together dozens of functions, from decoding Base64 to decompressing data and extracting IOCs. The recipe you build will transform your unstructured or obfuscated input data into a human-readable format you can analyze with ease.
The best part? It all happens locally in your browser. No data is ever uploaded to a server, so you can safely use CyberChef with sensitive or classified information without concerns about data exposure. It integrates the power of countless individual tools into one secure and user-friendly platform.

CyberChef was developed internally by the UK’s Government Communications Headquarters (GCHQ), the country’s intelligence, security, and cyber agency. With a mission heavily focused on signals intelligence and data analysis, GCHQ’s analysts required a powerful and versatile tool to manipulate data efficiently.
Recognizing its value to the broader technical community, GCHQ open-sourced CyberChef in 2017 on GitHub. The goal was to share a powerful tool while also allowing the community to contribute, add new features, and help it evolve. This move was celebrated as a significant contribution from an intelligence agency to the open-source world, making a professional-grade tool accessible to everyone.
The tool has a basic interface with five key components:
- Operations: The operations pane lists all the data manipulation tools available to the user. Operations are grouped into categories that have similar functionality, such as Data Format, Encoding/Encryption, Networking, etc., and are searchable.
- Recipe: The recipe pane is where you drag-and-drop operations to act on your input data. CyberChef’s power lies in its ability to chain multiple operations together to create complex data manipulations in a single recipe.
- Input: This is where you insert the data you want to manipulate. You can copy and paste data here or add a file or folder.
- Output: The output pane displays the results of your recipe after your input data has gone through all the operations you chained together in the recipe pane. For example, if you used the From Base64 operation to decode Base64 text, you would see the decoded text in this pane.
- Bake: The toolbar at the bottom of CyberChef’s GUI allows you to run your recipe. You can choose to “Auto Bake” and have your recipe run every time a new operation is added, or manually bake by pressing the BAKE button. There is also the option to step through your recipe operation by operation to see how your data is being transformed.

Awesome. You know what CyberChef is and where it originated. Let’s look at how you can get started using this powerful tool.
Installation Options
One of CyberChef’s greatest strengths is its flexibility. It offers multiple installation options, so you can pick the one that best suits your workflow and security requirements.
- Web Version: The easiest way to start is by using the official GCHQ-hosted version directly in your browser. This requires no setup and is always up-to-date.
- Standalone Download: For offline use or corporate environments, you can download the entire CyberChef application as a single JavaScript application. Simply open this file in your browser to get the full functionality without needing an internet connection.
- Docker Deployment: For teams and enterprises, CyberChef can be easily deployed as a Docker container. This allows you to host a private, centralized version of the tool on your own infrastructure, making it easily accessible to all analysts within your organization.
The web version of CyberChef is excellent for getting to grips with the tool. If you plan to use CyberChef to perform real security work (or within an enterprise environment), you should download and use the standalone or Docker versions. This keeps potentially sensitive information local to your environment, ensuring it remains secure and confidential. For more information, check out the GitHub Wiki.
Now you have CyberChef installed. Let’s explore some of the key features that make this such a robust cyber security tool!
CyberChef’s Key Features
CyberChef is packed with features that make it an analyst’s best friend, from its intuitive interface to the ability to save recipes for reuse. Here are some of the highlights and features that can make data analysis a breeze.
Drag-and-Drop Recipe Builder
The core of CyberChef is its intuitive interface. You can search for operations and simply drag them into your recipe list to build a complex data transformation pipeline step by step.

This feature allows anyone to build a recipe. No need to worry about complex code syntax or semantics, just drag your chosen operation across and watch it automatically be applied to your input in five simple steps:
- Choose an operation from the Operations library
- Drag it to the Recipe Pane
- Add your input data to the Input pane
- Click the Bake button (if Auto Bake is not turned on)
- See your output populated in the Output pane
Massive Operations Library
With over 460 operations and the capability to chain them together, the data manipulation possibilities are virtually limitless. You can do everything from simple encoding and decoding to complex cryptographic ciphers, data extraction, network traffic analysis, and parsing for various data types.

CyberChef’s true power lies in the ability to chain these operations together to perform a variety of data manipulation tasks in succession. For instance, you could extract Base64-encoded data, decode it, and enrich the data by making an external HTTP request.
The platform even includes control flow operations, such as Merge, Fork, Subsection, Register, and Jump, allowing you to control the sequence of operations based on the data returned after each operation.
These operations allow you to build a script with logic, loops, and other common elements you’ll find in modern programming languages. Coupled with a massive library of data manipulation operations, the only limit on the manipulations you can perform is what you can think of.
The data manipulation operations that CyberChef performs rely on JavaScript code under the hood. This means they are slower than command-line equivalents such as sed, grep, and awk. Therefore, if performance and scale are essential, stick to the command line.
Automatic Baking
As you build your recipe, CyberChef automatically processes the input and updates the output in real-time. This immediate feedback loop enables you to quickly see the effects of each operation and adjust on the fly without having to re-run your recipe manually.

This is great for prototyping or smaller recipes. However, if you are building longer recipes that involve complex data manipulations, it is best to disable this feature to prevent overwhelming the web application. Then, once finished with your recipe, hit the bake button and see the fruits of your labour!
Save and Load Recipes
Found a series of operations that perfectly deobfuscate a specific malware family’s C2 communication? You can save that entire recipe and reload it into CyberChef when you encounter that malware family again.

This functionality is useful when you find a set of operations that successfully achieve your data manipulation objective and can be reused with other data. For example, you might have a deobfuscation recipe that you can reuse when you come across the same malware family, or a log parsing recipe you can reuse the next time you’re hunting for malicious activity.
By saving the “recipe,” you can quickly load it again in the future or share it with team members to standardize analysis procedures and improve efficiency.
Powerful Search and Magic Operation
Can’t figure out what type of encoding you’re dealing with or what data manipulation you need to perform? You can try searching for it in the Operations pane or use the Magic operation, which can automatically detect possible encoding layers and suggest the appropriate operations.

When you have a piece of data but don’t know how it has been encoded or obfuscated, the Magic operation can figure it out for you. It automatically analyzes the input data and suggests a list of possible operations and recipes that could be used to decode it.
Instead of you having to manually try to figure out if data has been encoded with Base64, then Hex, then Base85, etc., the Magic operation intelligently detects clues in the data and presents you with the most likely solutions.
It’s an automated analysis feature that can save a significant amount of time and effort.
Client-Side Security
All data processing is performed locally within your web browser. This means that if you download and run CyberChef locally, no information is shared outside of the network, including recipes, configurations, or sensitive corporate data. This capability ensures your data stays secure and private.
If you choose to run the web version of CyberChef, some operations will send out data (e.g., operations that rely on API calls). As such, if you plan to use this tool in a production environment, it is recommended that you use the standalone version or host it via Docker. These give you more control over the web traffic being sent out.
These sound like great features, but who uses this tool? Let’s look at some common use cases and how you can integrate CyberChef into your workflow.
Who is CyberChef For?
CyberChef can chop up, reorganize, and serve you up data like a … chef, but who is it designed for? According to GCHQ, CyberChef is “designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms.” Anyone with a web browser and data manipulation skills can use it!
While this is true, CyberChef is particularly powerful for specific roles within cyber security, such as:
- Security Operations Center (SOC) Analysts: Quickly decode suspicious URLs, PowerShell commands, or Base64-encoded payloads found in logs. Extract IOCs from phishing emails or alert data to feed into blocklists.
- Malware Reverse Engineers: Deobfuscate malicious scripts, decompress packed data, and analyze shellcode. Use the “Disassemble” operation to get a quick look at x86/x64 instructions.
- Cyber Threat Intelligence (CTI) Analysts: Clean and parse data from unstructured threat reports. Extract domains, IPs, and hashes, and convert data into formats suitable for your Threat Intelligence Platform (TIP).
- Digital Forensics and Incident Response (DFIR) Professionals: Convert timestamps from different formats, analyze data from memory dumps, and carve out files or artifacts from raw data streams.
- Cryptographers and CTF Players: Solve cryptographic challenges by testing different ciphers, keys, and modes of operation. Perform frequency analysis and other classic cryptanalysis techniques.
To learn how to use CyberChef in your daily work, there is no better place to start than getting hands-on experience with the tool. Let me show you how.
Putting CyberChef into Practice: Common Recipes
The best way to understand CyberChef is to see it in action. Here are a few common scenarios where it proves invaluable.
Scenario 1: Deobfuscating a Simple Malicious String
Attackers often employ multiple layers of encoding to conceal their payloads. Let’s look at a simple example.
The Problem: You find the following PowerShell command in a log file and suspect it’s malicious: powershell.exe -nop -w -hidden -encodedcommand VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAGwAbABvACAAZgByAG8AbQAgAEIAYQBzAGUANgA0ACAAZQBuAGMAbwBkAGUAZAAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIQAiAA==
The Recipe:
- Drag the Regular Expression operation into the recipe list.
- Create a regex query to extract the Base64-encoded data: [a-zA-Z0-9+/=]{30,}
- Select List Matches for the Output format option.
- Drag the From Base64 operation to your recipe.
- Finally, drag the Decode Text operation and set the Encoding option to UTF-16LE (1200) to see the deobfuscated PowerShell.

The Result: The output reveals the decoded string: Write-Host "Hello from Base64 encoded PowerShell!"
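When the same decoding has to run over many log lines, the three recipe steps translate directly into a short script. The following is an added example, not part of CyberChef or the original article: it reuses the recipe's regex and the command line from this scenario, and the check that rejects Base64-looking tokens which are not UTF-16LE text is a heuristic assumed for this example.

```python
import base64
import binascii
import re

# Same pattern as the Regular Expression step in the recipe.
B64_RUN = re.compile(r"[a-zA-Z0-9+/=]{30,}")

# Command line from the scenario above.
SAMPLE_LOG = (
    "powershell.exe -nop -w -hidden -encodedcommand "
    "VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAGwAbABvACAAZgByAG8AbQAgAEIAYQBzAGUANgA0"
    "ACAAZQBuAGMAbwBkAGUAZAAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIQAiAA=="
)


def looks_like_utf16le_ascii(raw):
    """Heuristic (an assumption of this example): ASCII-range script text
    encoded as UTF-16LE has 0x00 in nearly every second byte."""
    high_bytes = raw[1::2]
    return (
        len(raw) >= 2
        and len(raw) % 2 == 0
        and high_bytes.count(0) >= 0.9 * len(high_bytes)
    )


def decode_encoded_commands(text):
    """Regex -> From Base64 -> Decode text (UTF-16LE) for every match in text."""
    decoded = []
    for candidate in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue  # long token that is not well-formed Base64
        if not looks_like_utf16le_ascii(raw):
            continue  # valid Base64, but not UTF-16LE script text (e.g. a hash)
        decoded.append(raw.decode("utf-16-le", errors="replace"))
    return decoded


if __name__ == "__main__":
    for script in decode_encoded_commands(SAMPLE_LOG):
        print(script)
```

A 32-character hex hash also satisfies the recipe's regex and decodes as Base64, which is why the script checks the decoded bytes before treating them as a command.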
Scenario 2: Extracting IOCs from Unstructured Text
You receive an intelligence report as a block of text and need to quickly pull out all the IP addresses, URLs, and file hashes.
The Problem: A large text file containing mixed data.
The Recipe:
- Drag the Extract IP Addresses operation into the recipe list.
- Enable the Sort and Unique options to remove duplicates. Save the output.
- Disable Extract IP Addresses. Drag the Extract URLs operation into your recipe and enable the Sort and Unique options, as you did before. Save the output.
- Disable Extract URLs. Drag the Extract Hashes operation across and set Hash character length to 32. Save the output.



The Result: A clean, deduplicated list of all IOCs found in the text, ready to be added to your security controls.
For more complex patterns, the Regular Expression operation is your best friend. You can define your own custom regex and see the matches update in real-time. Regular expressions (regex) are used in many CyberChef operations, so it’s worthwhile spending time learning the basics.
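The three extraction passes from Scenario 2 can also be done in one script when the step needs to be automated. This is an added example, not part of CyberChef or the original article: the regular expressions are this example's own rather than CyberChef's internal patterns, and the report text is constructed using documentation address ranges.

```python
import ipaddress
import re

# Patterns written for this example; they are not CyberChef's own.
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)
# Exactly 32 hex characters, not part of a longer hex run (e.g. a SHA-256).
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")

# Constructed report text.
REPORT = """\
Beacon traffic went to 203.0.113.25 and 192.0.2.10, then again to 203.0.113.25.
A second host, 192.0.2.9, pulled http://203.0.113.25/gate.php and
https://updates.example.net/payload.bin.
Dropper MD5: 9E107D9D372BB6826BD81D3542A419D6 (also seen as 9e107d9d372bb6826bd81d3542a419d6).
Loader SHA-256 9e107d9d372bb6826bd81d3542a419d6e4d909c290d0fb1ca068ffaddf22cbd0 is not an MD5.
Agent version 4.10.2.999 is not an address.
"""


def extract_iocs(text):
    """Return sorted, de-duplicated IPv4 addresses, URLs and 32-character hashes."""
    ips = set()
    for match in IP_RE.findall(text):
        try:
            ips.add(ipaddress.IPv4Address(match))
        except ValueError:
            pass  # dotted number with an octet above 255, e.g. a version string
    # Strip sentence punctuation that the URL pattern swallows at the end.
    urls = {url.rstrip(".,;") for url in URL_RE.findall(text)}
    # Lower-case so the same hash in different case counts once.
    hashes = {h.lower() for h in MD5_RE.findall(text)}
    return {
        "ipv4": [str(ip) for ip in sorted(ips)],  # numeric, not lexical, order
        "urls": sorted(urls),
        "md5": sorted(hashes),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(REPORT).items():
        print(kind, values)
```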
Scenario 3: Converting Timestamps
Different systems log timestamps in various formats. You will often need to convert these to UTC for analysis. CyberChef makes conversion trivial.
The Problem: A log file indicates that an event occurred at the Unix timestamp 1672531200. You need to know the corresponding date and time.
The Recipe:
- Drag the From UNIX Timestamp operation into the recipe. Select the correct unit (e.g., seconds). The Magic option (wand icon) might even suggest this to you!
The Result: The output immediately shows the human-readable date and time: Sun, 01 Jan 2023 00:00:00 GMT.

As an exercise for the reader, consider how you could extract a UNIX timestamp from a log file and convert it like you saw with the Base64-encoded PowerShell command. Hint: Use the Regular Expression operation.
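The same extract-then-convert idea, scripted for a whole log file rather than a single value. This is an added example, not from the original article: the log lines and the `ts=` field are constructed, and telling seconds from milliseconds by digit count (10 versus 13) is an assumption that holds for dates between 2001 and 2286.

```python
import re
from datetime import datetime, timedelta, timezone

# 13 digits = milliseconds, 10 digits = seconds; longer digit runs are ignored.
EPOCH_RE = re.compile(r"(?<!\d)(\d{13}|\d{10})(?!\d)")

# Constructed log lines.
LOG = """\
ts=1672531200 src=192.0.2.10 action=login user=alice
ts=1672531260123 src=192.0.2.10 action=download bytes=48213
ts=garbled src=192.0.2.10 action=logout
"""


def to_utc(token):
    """Convert a 10-digit (seconds) or 13-digit (milliseconds) epoch to UTC."""
    if len(token) == 13:
        seconds, millis = divmod(int(token), 1000)
    else:
        seconds, millis = int(token), 0
    # Integer arithmetic avoids float rounding on the millisecond part.
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)


def annotate(log_text):
    """Return (UTC ISO-8601 time or None, original line) for each log line."""
    rows = []
    for line in log_text.splitlines():
        match = EPOCH_RE.search(line)
        stamp = to_utc(match.group(1)).isoformat() if match else None
        rows.append((stamp, line))
    return rows


if __name__ == "__main__":
    for stamp, line in annotate(LOG):
        print(stamp or "no timestamp found", "|", line)
```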
These examples are excellent, but you may be looking for more. That’s why we have built an entire GitHub repository of recipes ready for you to use today! Allow me to introduce you to the Kraven Security CyberChef GitHub repository.
The Kraven Security CyberChef Repository
To maximize the value from CyberChef, we have created a GitHub repository filled with practical recipes that our team has used. This includes recipes for malware analysis, parsing log files, decoding web tokens, investigating phishing emails, and more!

Currently, there are 9 CyberChef recipes in the repository ready for you to explore and use, with plans to add more in the future. At Kraven, we see security as a collaborative effort and encourage anyone willing to share recipes they have created or provide feedback on how recipes could be improved. Enjoy using our current collection!
Conclusion
CyberChef is more than just another tool; it’s an essential platform for anyone working with data in the cyber security field.
By simplifying complex data manipulation, it frees up valuable time for analysts to focus on what truly matters: finding, understanding, and mitigating threats. Its power, versatility, and secure design make it an indispensable part of any modern SOC or CTI team.
If you haven’t already, open CyberChef in your browser and try it for yourself. Take a piece of data you’ve struggled with in the past and see if you can build a recipe to crack it. You’ll quickly wonder how you ever worked without it!
Frequently Asked Questions
Is CyberChef safe to use with sensitive data?
Yes. All processing in CyberChef takes place client-side within your web browser. No data is ever sent to the CyberChef web server, ensuring it is safe to use with sensitive, proprietary, or classified information if using the standalone or Docker version locally.
Where Can I Access CyberChef?
You can access the official GCHQ-hosted version of CyberChef online for free or download your own copy from their GitHub repository. Because it’s a popular tool, always ensure you are using the official, trusted version to avoid malicious copies.
Can I host CyberChef myself?
Yes, CyberChef is an open-source project available on GitHub. You can download and run it on your own server, local machine, or within a Docker container. This is an excellent option for use in offline or corporate environments. If you plan to run CyberChef in a production setting, it is recommended to operate it locally on your workstation or self-hosted via Docker.