DNS Staging Detection: ClickFix-Inspired nslookup Execution
Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily-monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic. Targeting trusted binaries: Monitors nslookup.exe, which attackers now prefer because it is less likely to be blocked by security software than mshta or PowerShell. DNS Record Retrieval: Looks for nslookup commands that request TXT or ALL record types, which are commonly abused to stage content over DNS. Staging Pattern: Detects the use of findstr on the nslookup output, a known ClickFix-inspired technique to parse returned DNS content and prepare it for follow-on execution. Execution Chain: Monitors for nslookup output being piped through findstr and for /f and then into cmd, which is a strong indicator of DNS response data being transformed into executable input. Evasion Detection: DNS traffic is frequently allowed through corporate firewalls, making this a "lightweight staging channel" that effectively hides data exfiltration and payload delivery in plain sight. To test your query, run a command that matches the full pipeline pattern, for example: nslookup -q=txt google.com | findstr /i "Name" | for /f "tokens=*" %i in ('more') do cmd /c %i. Wait a few minutes for the telemetry to ingest, then run your search to confirm the activity appears in your results.
Detection Query
// Start with process execution events for performance
#event_simpleName = ProcessRollup2
// Filter for nslookup.exe
| ImageFileName = /\\nslookup\.exe$/i
// Looks for nslookup using specific record types (like TXT or ALL) and a piped parsing/execution chain associated with payload staging
| CommandLine = /(nslookup|n\^s\^l\^o\^o\^k\^u\^p).*(((-q|querytype|type)=?\s*)?(txt|all)).*\|.*findstr.*\|.*for \/f.*\|.*cmd/i
// Exclude common administrative noise if necessary
| ParentBaseFileName != /services\.exe|monitoring_agent\.exe/i
// Summarize the activity
| groupBy([ComputerName, UserName, ParentBaseFileName, CommandLine], limit=max)
Author
cap10
Data Sources
Platforms
Tags
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: "DNS Staging Detection: ClickFix-Inspired nslookup Execution"
# MITRE ATT&CK technique IDs
mitre_ids:
- T1071.004
- T1059.001
- T1204.002
# Description of what the query does and its purpose.
description: |
Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily-monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic.
# The author or team that created the query.
author: cap10
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Endpoint
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Insight
# Tags for filtering and categorization.
tags:
- Hunting
- Detection
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
// Start with process execution events for performance
#event_simpleName = ProcessRollup2
// Filter for nslookup.exe
| ImageFileName = /\\nslookup\.exe$/i
// Looks for nslookup using specific record types (like TXT or ALL) and a piped parsing/execution chain associated with payload staging
| CommandLine = /(nslookup|n\^s\^l\^o\^o\^k\^u\^p).*(((-q|querytype|type)=?\s*)?(txt|all)).*\|.*findstr.*\|.*for \/f.*\|.*cmd/i
// Exclude common administrative noise if necessary
| ParentBaseFileName != /services\.exe|monitoring_agent\.exe/i
// Summarize the activity
| groupBy([ComputerName, UserName, ParentBaseFileName, CommandLine], limit=max)
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
Targeting trusted binaries: Monitors nslookup.exe, which attackers now prefer because it is less likely to be blocked by security software than mshta or PowerShell.
DNS Record Retrieval: Looks for nslookup commands that request TXT or ALL record types, which are commonly abused to stage content over DNS.
Staging Pattern: Detects the use of findstr on the nslookup output, a known ClickFix-inspired technique to parse returned DNS content and prepare it for follow-on execution.
Execution Chain: Monitors for nslookup output being piped through findstr and for /f and then into cmd, which is a strong indicator of DNS response data being transformed into executable input.
Evasion Detection: DNS traffic is frequently allowed through corporate firewalls, making this a "lightweight staging channel" that effectively hides data exfiltration and payload delivery in plain sight.
To test your query, run a command that matches the full pipeline pattern, for example: nslookup -q=txt google.com | findstr /i "Name" | for /f "tokens=*" %i in ('more') do cmd /c %i. Wait a few minutes for the telemetry to ingest, then run your search to confirm the activity appears in your results.