Rule payload content keywording

I’m struggling to understand why one would choose “\|00|m|00|y|00 2E 00|e|00|x|00|e|00|” to identify an offending file named “my.exe”

alert smb any any -> $HOME_NET any (msg: ; flow:established,to_server; content:“SMB”; depth:8; content:"|05 00|"; distance:8; within:2; content:"\|00|m|00|y|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; metadata: former_category MALWARE; reference:url/ ; classtype:trojan-activity; sid: ; rev:1; metadata:attack_target SMB_Client, deployment Perimeter, signature_severity Major, created_at , malware_family , performance_impact , updated_at :wink:

The content match highlighted has null bytes, |00|, separating each character in the filename indicating that it’s a unicode/wide string, ‘my.exe’ wouldn’t match in this context.

2 Likes