String to Suricata UTF-16 (0-byte padding)

I came across a malware operation where an MSSQL backdoor was doing evil things. MSSQL uses the TDS protocol, which encodes strings as UTF-16 (little-endian), so every ASCII character is followed by a 00 byte.

For Suricata to detect the word “Hello” in that stream, the content match has to look like this:

Hello becomes H|00|e|00|l|00|l|00|o|00|

For the win, CyberChef helped me with the following recipe, which transforms arbitrary strings to UTF-16.

Complete recipe: Click here
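As an added example (not the CyberChef recipe and not part of the original post), here is the same conversion done offline in Python, extended to handle non-ASCII characters and the characters ;"|\ that Suricata does not accept literally inside a content match; the port, sid and msg in the rule wrapper are assumed placeholders.

```python
"""Render a string as the byte pattern Suricata needs to match it inside a
TDS (MSSQL) stream, where text is UTF-16LE: every ASCII character is
followed by a 0x00 byte.  Added example, not CyberChef's recipe."""


def suricata_content(text: str, encoding: str = "utf-16-le") -> str:
    """Encode `text` and render the bytes in Suricata `content:` syntax.

    Printable ASCII bytes stay literal; everything else (the 0x00 padding,
    non-ASCII code units, and the characters ;"|\\ that Suricata treats
    specially) goes inside |..| as two-digit hex.  Consecutive hex bytes
    are merged into one |..| group so the output stays readable.
    """
    special = set(b';"|\\')  # must not appear literally in a content match
    out = []
    hexrun = []

    def flush():
        # Close the current run of hex bytes, if any.
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in text.encode(encoding):
        if 0x20 <= b < 0x7F and b not in special:
            flush()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(out)


def suricata_rule(text: str, sid: int) -> str:
    """Wrap the pattern in a minimal TCP rule (assumed placeholder values:
    port 1433 is the default MSSQL port, sid/msg are for illustration)."""
    return (
        'alert tcp any any -> any 1433 (msg:"MSSQL TDS string match"; '
        f'content:"{suricata_content(text)}"; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    print(suricata_content("Hello"))   # H|00|e|00|l|00|l|00|o|00|
    print(suricata_rule("Hello", 1000001))
```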
