LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection
Detects indicators of the LeakNet campaign (analyzed by ReliaQuest, March 2026), which uses ClickFix a social engineering tactic where compromised websites display fake error dialogs that coerce users into manually pasting and executing a malicious PowerShell/CMD command. This delivers a portable Deno (JavaScript runtime) binary to user-writable directories that runs malicious payloads entirely in memory, avoiding disk-based detection. The query targets the post-delivery kill chain: Deno execution from AppData/Temp/ProgramData paths, klist.exe usage from interactive shells indicating Kerberos ticket harvesting, Deno spawning reconnaissance and living-off-the-land binaries, and dangerous Deno runtime flags or remote code fetch patterns. A noise reduction filter excludes Deno running from standard developer or Program Files paths. This query detects post-exploitation activity associated with the LeakNet campaign, which was publicly analyzed by ReliaQuest in March 2026. LeakNet uses ClickFix — a social engineering technique where compromised websites present fake browser or application error dialogs that instruct users to copy a malicious command and paste it into a Run dialog or terminal. The pasted command downloads and executes a portable Deno binary, which then runs JavaScript payloads entirely in memory to evade traditional file-based detection. The query monitors CrowdStrike Falcon EDR `ProcessRollup2` telemetry and applies four detection clauses covering distinct stages of the LeakNet kill chain, followed by a noise reduction filter. CAMPAIGN DETAILS: Campaign: LeakNet Reference: ReliaQuest Threat Research, March 2026 Delivery: ClickFix social engineering → user-pasted PowerShell/CMD command Payload: Portable Deno binary dropped to AppData/Temp Execution: In-memory JavaScript payloads via Deno runtime Post-Exploitation: Credential enumeration (klist), host discovery, C2 callbacks VULNERABILITY DETAILS: CVE: N/A (Campaign-Specific TTPs / Living off the Land) Type: Initial Access, Execution, Credential Access, Discovery, Lateral Movement Status: ACTIVE CAMPAIGN — MONITORING FOR ANOMALOUS USAGE MITRE ATT&CK MAPPING: T1204.001 - User Execution: Malicious Link (ClickFix) T1059.007 - Command and Scripting Interpreter: JavaScript/TypeScript T1059.001 - Command and Scripting Interpreter: PowerShell T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1082 - System Information Discovery T1033 - System Owner/User Discovery T1016 - System Network Configuration Discovery T1087 - Account Discovery Tactics: Initial Access, Execution, Credential Access, Discovery, Lateral Movement EXPLOITATION REQUIREMENTS: - User interaction required (ClickFix paste-and-execute social engineering) - Deno binary present on disk (often portable/non-installed) - Execution within user-writable context (AppData/Temp) - Network access for remote script fetching (--allow-net) USE CASES: - Detect Deno-based malware or C2 stagers - Identify Kerberos ticket enumeration via klist.exe - Track post-exploitation discovery commands spawned by script runtimes - Flag dangerous Deno permission flags and remote code execution patterns DATA SOURCE: Event Type: ProcessRollup2 Required Fields: ImageFileName, CommandLine, ComputerName, UserName, ParentBaseFileName Sensor: CrowdStrike Falcon EDR AFFECTED SYSTEMS: - Windows 10/11 - Windows Server 2016/2019/2022 FALSE POSITIVES: - Legitimate developer activity (Deno used in IDE/Repos) - Automated IT scripts using klist for troubleshooting - Deno-based internal tools running from standard Program Files paths - DevOps pipelines that invoke Deno with --allow-net against internal registries INVESTIGATION NOTES: 1. Check if the Deno binary is signed and from a known developer location. 2. Review the CommandLine for --allow-all or remote URLs (http/https). 3. Correlate klist usage with recent logins or network connections to Domain Controllers. 4. Inspect the parent process of klist.exe; interactive shells are higher risk. 5. Verify if the user is a known developer or DevOps engineer. 6. Cross-reference SHA256HashData against known-good Deno release hashes. TUNING RECOMMENDATIONS: - Add specific exclusion for local 'dev' or 'git' directories. - Filter out known-good service accounts that use klist for health checks. - Baseline Deno usage by SHA256 if a standard version is deployed. - Add UserName exclusions for known developer accounts if discovery clause is noisy. REMEDIATION: Priority: MEDIUM (Context Dependent) Action: Quarantine suspicious Deno binaries found in AppData/Temp. Patches: Ensure Deno is updated to the latest version to prevent engine exploits. QUERY LOGIC: 1. Filters for ProcessRollup2 events. 2. Checks for Deno in writable paths (Local/Roaming/Temp/ProgramData). 3. Flags klist.exe when spawned by common shells or script hosts. 4. Monitors Deno spawning living-off-the-land and discovery binaries. 5. Identifies dangerous Deno flags or remote fetch commands in the command line. 6. Applies a global noise reduction for standard Program Files or developer paths.
Detection Query
#event_simpleName=ProcessRollup2
| (
/* ── Clause 1: Deno launched from user-writable locations ── */
(
ImageFileName=/\\deno(\.exe)?$/i
AND ImageFileName=/\\(Users\\[^\\]+\\AppData\\(Local|Roaming)|Temp|ProgramData)\\/i
)
OR
/* ── Clause 2: klist launched from interactive shells or script hosts ── */
(
ImageFileName=/\\klist\.exe$/i
AND ParentBaseFileName=/^(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/i
)
OR
/* ── Clause 3: Suspicious child processes spawned by Deno ── */
(
ParentBaseFileName=/^deno(\.exe)?$/i
AND ImageFileName=/\\(cmd|powershell|pwsh|net|net1|whoami|hostname|nltest|dsquery|quser|qwinsta|vssadmin|wbadmin|reg|wevtutil|ipconfig|systeminfo|tasklist|qprocess|schtasks|wmic|bitsadmin|certutil)\.exe$/i
)
OR
/* ── Clause 4: Deno with dangerous flags or remote code execution patterns ── */
(
ImageFileName=/\\deno(\.exe)?$/i
AND CommandLine=/(eval|--allow-all|--allow-net|--allow-run|https?:\/\/|atob\(|base64|WebSocket|fetch\()/i
)
)
/* ── Noise reduction: exclude Deno running from known-good install/dev paths ── */
| !(
ImageFileName=/\\deno(\.exe)?$/i
AND ImageFileName=/\\(Program Files|Program Files \(x86\)|tools|dev|repos|source|git)\\/i
)
| table([@timestamp, aid, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, SHA256HashData])
| sort(@timestamp, order=desc)
//══════════════════════════════════════════════════════════════════════════════════════════════════
// ENHANCEMENT OPTIONS
//══════════════════════════════════════════════════════════════════════════════════════════════════
//
// ── Option A: Correlate Deno process execution with outbound network connections ──
// Uses selfJoinFilter to link ProcessRollup2 with NetworkConnectIP4 on the same
// agent and process ID, then filters out internal RFC1918/loopback traffic.
//
// #event_simpleName = /ProcessRollup2|NetworkConnectIP4/
// | falconPID := ContextProcessId_decimal
// | falconPID := TargetProcessId_decimal
// | selfJoinFilter(field=[aid, falconPID], where=[
// {#event_simpleName = ProcessRollup2 | ImageFileName = /\\deno(\.exe)?$/i},
// {#event_simpleName = NetworkConnectIP4}
// ])
// | RemoteAddressIP4 != "10.*"
// | RemoteAddressIP4 != "172.16.*"
// | RemoteAddressIP4 != "192.168.*"
// | RemoteAddressIP4 != "127.*"
// | groupBy([aid, ComputerName, ImageFileName, RemoteAddressIP4, RemotePort], function=[count(), collect(CommandLine)])
// | sort(_count, order=desc)
//
// ── Option B: Correlate Deno with DNS requests for domain-based C2 detection ──
//
// #event_simpleName = /ProcessRollup2|DnsRequest/
// | falconPID := ContextProcessId
// | falconPID := TargetProcessId
// | selfJoinFilter(field=[aid, falconPID], where=[
// {#event_simpleName = ProcessRollup2 | ImageFileName = /\\deno(\.exe)?$/i},
// {#event_simpleName = DnsRequest}
// ])
// | groupBy([aid, ComputerName, DomainName], function=[count(), collect(CommandLine)])
// | sort(_count, order=desc)
//
// ── Option C: Group by user to surface high-frequency discovery bursts ──
//
// // Append after the main query's table() line:
// // | groupBy([UserName, ComputerName], function=count(as=exec_count))
// // | sort(exec_count, order=desc)
// // | test(exec_count > 5)
//
//══════════════════════════════════════════════════════════════════════════════════════════════════
Author
cap10
Data Sources
Platforms
Tags
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: "LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection"
# MITRE ATT&CK technique IDs
mitre_ids:
- T1204.001
- T1059
#- T1059.007
#- T1059.001
#- T1558.003
#- T1082
#- T1033
#- T1016
#- T1087
# Description of what the query does and its purpose.
description: |
Detects indicators of the LeakNet campaign (analyzed by ReliaQuest, March 2026), which uses ClickFix a social engineering tactic where compromised websites display fake error dialogs that coerce users into manually pasting and executing a malicious PowerShell/CMD command. This delivers a portable Deno (JavaScript runtime) binary to user-writable directories that runs malicious payloads entirely in memory, avoiding disk-based detection. The query targets the post-delivery kill chain: Deno execution from AppData/Temp/ProgramData paths, klist.exe usage from interactive shells indicating Kerberos ticket harvesting, Deno spawning reconnaissance and living-off-the-land binaries, and dangerous Deno runtime flags or remote code fetch patterns. A noise reduction filter excludes Deno running from standard developer or Program Files paths.
# The author or team that created the query.
author: cap10
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Endpoint
# Tags for filtering and categorization.
tags:
- Hunting
- Detection
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
#event_simpleName=ProcessRollup2
| (
/* ── Clause 1: Deno launched from user-writable locations ── */
(
ImageFileName=/\\deno(\.exe)?$/i
AND ImageFileName=/\\(Users\\[^\\]+\\AppData\\(Local|Roaming)|Temp|ProgramData)\\/i
)
OR
/* ── Clause 2: klist launched from interactive shells or script hosts ── */
(
ImageFileName=/\\klist\.exe$/i
AND ParentBaseFileName=/^(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/i
)
OR
/* ── Clause 3: Suspicious child processes spawned by Deno ── */
(
ParentBaseFileName=/^deno(\.exe)?$/i
AND ImageFileName=/\\(cmd|powershell|pwsh|net|net1|whoami|hostname|nltest|dsquery|quser|qwinsta|vssadmin|wbadmin|reg|wevtutil|ipconfig|systeminfo|tasklist|qprocess|schtasks|wmic|bitsadmin|certutil)\.exe$/i
)
OR
/* ── Clause 4: Deno with dangerous flags or remote code execution patterns ── */
(
ImageFileName=/\\deno(\.exe)?$/i
AND CommandLine=/(eval|--allow-all|--allow-net|--allow-run|https?:\/\/|atob\(|base64|WebSocket|fetch\()/i
)
)
/* ── Noise reduction: exclude Deno running from known-good install/dev paths ── */
| !(
ImageFileName=/\\deno(\.exe)?$/i
AND ImageFileName=/\\(Program Files|Program Files \(x86\)|tools|dev|repos|source|git)\\/i
)
| table([@timestamp, aid, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, SHA256HashData])
| sort(@timestamp, order=desc)
//══════════════════════════════════════════════════════════════════════════════════════════════════
// ENHANCEMENT OPTIONS
//══════════════════════════════════════════════════════════════════════════════════════════════════
//
// ── Option A: Correlate Deno process execution with outbound network connections ──
// Uses selfJoinFilter to link ProcessRollup2 with NetworkConnectIP4 on the same
// agent and process ID, then filters out internal RFC1918/loopback traffic.
//
// #event_simpleName = /ProcessRollup2|NetworkConnectIP4/
// | falconPID := ContextProcessId_decimal
// | falconPID := TargetProcessId_decimal
// | selfJoinFilter(field=[aid, falconPID], where=[
// {#event_simpleName = ProcessRollup2 | ImageFileName = /\\deno(\.exe)?$/i},
// {#event_simpleName = NetworkConnectIP4}
// ])
// | RemoteAddressIP4 != "10.*"
// | RemoteAddressIP4 != "172.16.*"
// | RemoteAddressIP4 != "192.168.*"
// | RemoteAddressIP4 != "127.*"
// | groupBy([aid, ComputerName, ImageFileName, RemoteAddressIP4, RemotePort], function=[count(), collect(CommandLine)])
// | sort(_count, order=desc)
//
// ── Option B: Correlate Deno with DNS requests for domain-based C2 detection ──
//
// #event_simpleName = /ProcessRollup2|DnsRequest/
// | falconPID := ContextProcessId
// | falconPID := TargetProcessId
// | selfJoinFilter(field=[aid, falconPID], where=[
// {#event_simpleName = ProcessRollup2 | ImageFileName = /\\deno(\.exe)?$/i},
// {#event_simpleName = DnsRequest}
// ])
// | groupBy([aid, ComputerName, DomainName], function=[count(), collect(CommandLine)])
// | sort(_count, order=desc)
//
// ── Option C: Group by user to surface high-frequency discovery bursts ──
//
// // Append after the main query's table() line:
// // | groupBy([UserName, ComputerName], function=count(as=exec_count))
// // | sort(exec_count, order=desc)
// // | test(exec_count > 5)
//
//══════════════════════════════════════════════════════════════════════════════════════════════════
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
This query detects post-exploitation activity associated with the LeakNet campaign, which was publicly analyzed by ReliaQuest in March 2026. LeakNet uses ClickFix — a social engineering technique where compromised websites present fake browser or application error dialogs that instruct users to copy a malicious command and paste it into a Run dialog or terminal. The pasted command downloads and executes a portable Deno binary, which then runs JavaScript payloads entirely in memory to evade traditional file-based detection.
The query monitors CrowdStrike Falcon EDR `ProcessRollup2` telemetry and applies four detection clauses covering distinct stages of the LeakNet kill chain, followed by a noise reduction filter.
CAMPAIGN DETAILS:
Campaign: LeakNet
Reference: ReliaQuest Threat Research, March 2026
Delivery: ClickFix social engineering → user-pasted PowerShell/CMD command
Payload: Portable Deno binary dropped to AppData/Temp
Execution: In-memory JavaScript payloads via Deno runtime
Post-Exploitation: Credential enumeration (klist), host discovery, C2 callbacks
VULNERABILITY DETAILS:
CVE: N/A (Campaign-Specific TTPs / Living off the Land)
Type: Initial Access, Execution, Credential Access, Discovery, Lateral Movement
Status: ACTIVE CAMPAIGN — MONITORING FOR ANOMALOUS USAGE
MITRE ATT&CK MAPPING:
T1204.001 - User Execution: Malicious Link (ClickFix)
T1059.007 - Command and Scripting Interpreter: JavaScript/TypeScript
T1059.001 - Command and Scripting Interpreter: PowerShell
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1082 - System Information Discovery
T1033 - System Owner/User Discovery
T1016 - System Network Configuration Discovery
T1087 - Account Discovery
Tactics: Initial Access, Execution, Credential Access, Discovery, Lateral Movement
EXPLOITATION REQUIREMENTS:
- User interaction required (ClickFix paste-and-execute social engineering)
- Deno binary present on disk (often portable/non-installed)
- Execution within user-writable context (AppData/Temp)
- Network access for remote script fetching (--allow-net)
USE CASES:
- Detect Deno-based malware or C2 stagers
- Identify Kerberos ticket enumeration via klist.exe
- Track post-exploitation discovery commands spawned by script runtimes
- Flag dangerous Deno permission flags and remote code execution patterns
DATA SOURCE:
Event Type: ProcessRollup2
Required Fields: ImageFileName, CommandLine, ComputerName, UserName, ParentBaseFileName
Sensor: CrowdStrike Falcon EDR
AFFECTED SYSTEMS:
- Windows 10/11
- Windows Server 2016/2019/2022
FALSE POSITIVES:
- Legitimate developer activity (Deno used in IDE/Repos)
- Automated IT scripts using klist for troubleshooting
- Deno-based internal tools running from standard Program Files paths
- DevOps pipelines that invoke Deno with --allow-net against internal registries
INVESTIGATION NOTES:
1. Check if the Deno binary is signed and from a known developer location.
2. Review the CommandLine for --allow-all or remote URLs (http/https).
3. Correlate klist usage with recent logins or network connections to Domain Controllers.
4. Inspect the parent process of klist.exe; interactive shells are higher risk.
5. Verify if the user is a known developer or DevOps engineer.
6. Cross-reference SHA256HashData against known-good Deno release hashes.
TUNING RECOMMENDATIONS:
- Add specific exclusion for local 'dev' or 'git' directories.
- Filter out known-good service accounts that use klist for health checks.
- Baseline Deno usage by SHA256 if a standard version is deployed.
- Add UserName exclusions for known developer accounts if discovery clause is noisy.
REMEDIATION:
Priority: MEDIUM (Context Dependent)
Action: Quarantine suspicious Deno binaries found in AppData/Temp.
Patches: Ensure Deno is updated to the latest version to prevent engine exploits.
QUERY LOGIC:
1. Filters for ProcessRollup2 events.
2. Checks for Deno in writable paths (Local/Roaming/Temp/ProgramData).
3. Flags klist.exe when spawned by common shells or script hosts.
4. Monitors Deno spawning living-off-the-land and discovery binaries.
5. Identifies dangerous Deno flags or remote fetch commands in the command line.
6. Applies a global noise reduction for standard Program Files or developer paths.