
CyberChef Recipes


Category: Modules
Last Updated: May 26, 2026

Overview

During a live incident response engagement, an analyst encounters a malicious macro that drops a multi-stage payload: a Base64-encoded string that, once decoded, reveals an XOR-obfuscated shellcode blob concealing the actual command-and-control URL. Manually shuttling each artefact between investigation tools and a standalone browser-based decoder breaks focus, introduces transcription risk, and fragments the chain of custody. The CyberChef Recipes module resolves this by embedding GCHQ CyberChef transformation capabilities directly inside the analyst workspace.

The module allows organisations to build, store, and share a central library of CyberChef recipes accessible to every analyst on the team. Recipes are applied to extracted payloads, log fragments, and network captures without leaving the secure workspace. Each transformation is recorded in an immutable audit log, preserving full provenance from raw artefact to decoded indicator of compromise. Access to sensitive or classified recipe sets can be restricted by role, ensuring appropriate separation of duties across multi-tier analyst teams.

Key Features

  • Centralised Recipe Library: Store and version complex multi-step transformation sequences as named recipes, making them instantly available to every analyst in the organisation.
  • Live CyberChef Server Integration: Connect to an internally hosted CyberChef server instance to execute recipes server-side, keeping sensitive artefact data off analyst workstations and within the secure boundary.
  • Automated IOC Emission: After a transformation completes, extracted indicators are automatically linked to the active investigation, threat actors, and detection rules without manual copy-paste.
  • Immutable Audit Trail: Every recipe execution is logged with the artefact identifier, recipe applied, analyst identity, timestamp, and output digest, satisfying forensic chain-of-custody requirements.
  • Role-Based Recipe Access: Sensitive recipes used for classified or restricted investigations can be limited to analysts holding the appropriate clearance level, using TLP-aligned access controls.
  • YARA Pipeline Integration: Decoded artefacts feed directly into YARA scanning, enabling signature matching immediately after deobfuscation without intermediate file handling.
  • Team Recipe Sharing: Analysts can publish recipes to the shared library after validation, building an institutional knowledge base of deobfuscation techniques across campaigns.
  • Batch Processing: Apply a recipe across multiple artefacts simultaneously, accelerating triage when a campaign produces dozens of similar encoded samples.

Use Cases

  • Malware Deobfuscation: Decode Base64, XOR, or ROT13-encoded payloads dropped by malicious macro documents, then pass the cleartext directly to a YARA engine for signature detection.
  • Command-and-Control Traffic Decoding: Reconstruct encoded or encrypted beaconing payloads captured from network traffic to extract live C2 infrastructure indicators.
  • Log Parsing and Indicator Extraction: Apply regex and field-extraction recipes to raw firewall, proxy, or web server logs to rapidly surface IP addresses, domains, and file hashes at scale.
  • Forensic Artefact Reconstruction: Decode hex dumps, reconstruct files from memory captures, or parse proprietary binary structures encountered during digital forensics examinations.
  • Campaign Pattern Analysis: Share deobfuscation recipes across team members investigating a common threat actor, ensuring consistent transformation methodology and comparable outputs.
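As an added example (not code from this page or from the module vendor), the following Python script walks through the decode chain described in the overview and the "Malware Deobfuscation" and "Log Parsing and Indicator Extraction" use cases above, with the standard library standing in for CyberChef operations: From Base64, an XOR brute force narrowed by a crib, regex indicator extraction over the decoded output and over a few log lines, and an audit entry carrying SHA-256 digests of input and output. The payload, the log lines, the hash value, the recipe JSON layout and every name in the script are constructed for the demonstration.

```python
from __future__ import annotations

import base64
import hashlib
import json
import re
import string
from datetime import datetime, timezone

# Constructed sample artefact (not from any real incident): a fictitious C2 URL,
# XOR-obfuscated with a single-byte key and then Base64-encoded, as the macro
# payload in the overview would present it. The key is used only to build the
# sample; the recipe below has to recover it.
_SAMPLE_PLAINTEXT = b"http://c2.example.invalid/beacon?id=7a3f"
_SAMPLE_KEY = 0x5A
SAMPLE_B64 = base64.b64encode(bytes(b ^ _SAMPLE_KEY for b in _SAMPLE_PLAINTEXT)).decode()

# Constructed proxy/AV log lines for the indicator-extraction step (hash is made up).
SAMPLE_LOG_LINES = [
    "2026-05-26T10:01:02Z proxy allow 10.0.0.15 -> c2.example.invalid:80 GET /beacon?id=7a3f",
    "2026-05-26T10:01:05Z proxy block 10.0.0.15 -> 203.0.113.7:443 CONNECT",
    "2026-05-26T10:01:09Z av hit sha256="
    "4a7d1ed414474e4033ac29ccb8653d9b2b3a71ef5fd4c0a1e0b9cdd7b4f2e611",
]

_PRINTABLE = frozenset(string.printable.encode())

# Recipe written in the shape of CyberChef's exported JSON (op names as CyberChef
# spells them; the argument layout is approximated for the demo).
RECIPE = [
    {"op": "From Base64", "args": ["A-Za-z0-9+/=", True]},
    {"op": "XOR", "args": [{"option": "Hex", "string": "5a"}, "Standard", False]},
    {"op": "Extract URLs", "args": []},
]


def xor_single_byte(data: bytes, key: int) -> bytes:
    """CyberChef 'XOR' with a one-byte key."""
    return bytes(b ^ key for b in data)


def brute_force_xor(data: bytes, crib: bytes = b"http") -> list[tuple[int, bytes]]:
    """CyberChef 'XOR Brute Force' with the analyst's eyeball replaced by a crib:
    keep only keys whose output is entirely printable and contains the crib
    (here the URL scheme the overview says the blob conceals)."""
    hits = []
    for key in range(256):
        out = xor_single_byte(data, key)
        if crib in out and all(b in _PRINTABLE for b in out):
            hits.append((key, out))
    return hits


def run_recipe(b64_text: str) -> tuple[int, bytes]:
    """From Base64 -> XOR brute force. Returns (recovered key, decoded bytes) and
    refuses to guess when the crib does not single out exactly one key."""
    raw = base64.b64decode(b64_text, validate=True)
    hits = brute_force_xor(raw)
    if len(hits) != 1:
        raise ValueError(f"expected one candidate key, got {len(hits)}")
    return hits[0]


IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Regex indicator extraction (the 'Extract URLs' / 'Extract IP addresses'
    family of operations), usable on decoded output and on raw log text alike."""
    found: dict[str, list[str]] = {}
    for name, pattern in IOC_PATTERNS.items():
        values = sorted(set(pattern.findall(text)))
        if values:
            found[name] = values
    return found


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_record(artefact_id: str, analyst: str, recipe: list[dict],
                 input_data: bytes, output_data: bytes) -> dict:
    """One audit-trail entry with the fields the feature list names: artefact,
    recipe, analyst, timestamp, and digests of input and output."""
    return {
        "artefact_id": artefact_id,
        "analyst": analyst,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "recipe": recipe,
        "input_sha256": sha256_hex(input_data),
        "output_sha256": sha256_hex(output_data),
    }


def main() -> None:
    key, decoded = run_recipe(SAMPLE_B64)
    print(f"recovered XOR key: 0x{key:02x}")
    print("payload IOCs:", extract_iocs(decoded.decode()))
    print("log IOCs:", extract_iocs("\n".join(SAMPLE_LOG_LINES)))
    record = audit_record("artefact-0001", "analyst@example.invalid", RECIPE,
                          SAMPLE_B64.encode(), decoded)
    print(json.dumps(record, indent=2))


if __name__ == "__main__":
    main()
```

The crib check is what keeps the brute force honest: several single-byte keys turn this sample into all-printable text, but only one yields the `http` scheme, and `run_recipe` raises rather than guessing if that ever stops being unique. The digests in the audit entry are what let a reviewer later confirm that the stored decoded indicator really came from the stored input.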

Integration

The CyberChef Recipes module connects to a CyberChef server instance, synchronising available recipes and executing transformations server-side so that sensitive artefact data never leaves the secure analysis boundary. Transformation outputs are returned to the analyst workspace and automatically linked to the active investigation timeline. Decoded artefacts flow downstream into YARA scanning, MISP threat sharing, and Suricata rule generation within the same session, reducing the context-switching overhead that commonly slows incident response workflows.

Open Standards

  • STIX 2.1 (OASIS): Extracted indicators of compromise are structured and shared using the STIX 2.1 format, enabling interoperability with MISP and other threat intelligence platforms.
  • TAXII 2.1 (OASIS): Threat intelligence produced from recipe-decoded artefacts can be disseminated via TAXII-compliant feeds to partner organisations and sector-sharing communities.
  • TLP (Traffic Light Protocol, FIRST): Recipe access controls and derived intelligence sharing are governed by TLP classifications, aligning with the FIRST standard for controlled disclosure.
  • YARA (VirusTotal / open standard): Decoded payloads feed directly into YARA rule matching, the de facto open standard for malware classification and detection.
  • RFC 4648 (Base16, Base32, Base64 Data Encodings): The module correctly decodes all encoding variants defined in RFC 4648, including URL-safe Base64 and Base32 padding edge cases common in malware obfuscation.
  • ISO/IEC 27037 (Digital Evidence Identification and Preservation): The audit trail and provenance logging for each transformation align with ISO/IEC 27037 principles for preserving the integrity and admissibility of digital evidence.
  • MITRE ATT&CK: Decoded artefacts and extracted indicators are mapped to MITRE ATT&CK technique identifiers, contextualising deobfuscated payloads within adversary behaviour frameworks.
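To make the RFC 4648 bullet concrete, here is an added Python example (not the module's own code) of the decoder behaviour it describes: telling the standard and URL-safe Base64 alphabets apart, restoring stripped padding for Base64 and Base32, case-folding Base32 and Base16, and refusing input that mixes alphabets or has an impossible length instead of guessing. The sample strings are constructed for the demonstration.

```python
from __future__ import annotations

import base64
import re

# Constructed samples (not from any real artefact). Each is a valid RFC 4648
# encoding presented in a form the strict stdlib decoders reject as-is:
# stripped padding, URL-safe alphabet, lower-case Base32.
SAMPLES = {
    "std_nopad": "SGVsbG8",      # standard Base64 of b"Hello" without its '='
    "urlsafe_nopad": "-_8",      # URL-safe Base64 of b"\xfb\xff" ('+/' -> '-_')
    "b32_lower": "jbuq",         # Base32 of b"Hi", lower-cased, "====" stripped
    "b16_plain": "4869",         # Base16 of b"Hi"
}


def _repad(s: str, block: int) -> str:
    """Restore the '=' padding RFC 4648 requires (length up to a multiple of block)."""
    return s + "=" * (-len(s) % block)


def classify_base64(text: str) -> str | None:
    """Tell the standard (section 4) and URL-safe (section 5) alphabets apart.
    Returns 'standard', 'urlsafe', or None when the input mixes both or contains
    characters from neither, which is worth flagging rather than guessing."""
    s = re.sub(r"\s+", "", text).rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9+/_-]*", s):
        return None
    has_std = "+" in s or "/" in s
    has_url = "-" in s or "_" in s
    if has_std and has_url:
        return None
    return "urlsafe" if has_url else "standard"


def decode_base64_any(text: str) -> bytes:
    """Decode standard or URL-safe Base64, tolerating stripped padding and
    whitespace. Mixed alphabets and impossible lengths (1 mod 4) raise ValueError."""
    alphabet = classify_base64(text)
    if alphabet is None:
        raise ValueError("not a single RFC 4648 Base64 alphabet")
    s = _repad(re.sub(r"\s+", "", text).rstrip("="), 4)
    altchars = b"-_" if alphabet == "urlsafe" else None
    return base64.b64decode(s, altchars=altchars, validate=True)


def decode_base32_any(text: str) -> bytes:
    """Decode Base32 (section 6) after case-folding and restoring padding to a multiple of 8."""
    s = re.sub(r"\s+", "", text).rstrip("=").upper()
    return base64.b32decode(_repad(s, 8))


def decode_rfc4648(text: str, encoding: str) -> bytes:
    """Single entry point mirroring a recipe's 'From Base64/Base32/Hex' step."""
    if encoding == "base64":
        return decode_base64_any(text)
    if encoding == "base32":
        return decode_base32_any(text)
    if encoding == "base16":
        return base64.b16decode(re.sub(r"\s+", "", text), casefold=True)
    raise ValueError(f"unsupported encoding: {encoding}")


def try_decode(text: str, encoding: str) -> bytes | None:
    """Triage-friendly wrapper: None instead of an exception for malformed input."""
    try:
        return decode_rfc4648(text, encoding)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        enc = "base32" if name.startswith("b32") else "base16" if name.startswith("b16") else "base64"
        print(f"{name:14} {value!r:12} -> {try_decode(value, enc)!r}")
    print("mixed alphabet ->", try_decode("ab+_", "base64"))
    print("length 1 mod 4 ->", try_decode("SGVsb", "base64"))
```

Two points worth noting: `classify_base64` returns None for a mixed alphabet rather than picking one, because a string containing both `+` and `-` is either corrupted or something other than Base64, and a decoder that silently picks one alphabet produces plausible-looking garbage; and repadding is done before the strict decode, so stripped padding is tolerated while a length of 1 mod 4 (which no valid Base64 can have) still fails.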

Availability

  • Enterprise Plan: Included
  • Professional Plan: Available with CyberChef server self-hosted integration; recipe library capped at 50 stored recipes per organisation.

Last Reviewed: 2026-05-26
