EXPLORE
← Back to Explore
crowdstrike_cqlHunting

DNS Staging Detection: ClickFix-Inspired nslookup Execution

Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily-monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic. Targeting trusted binaries: Monitors nslookup.exe, which attackers now prefer because it is less likely to be blocked by security software than mshta or PowerShell. DNS Record Retrieval: Looks for nslookup commands that request TXT or ALL record types, which are commonly abused to stage content over DNS. Staging Pattern: Detects the use of findstr on the nslookup output, a known ClickFix-inspired technique to parse returned DNS content and prepare it for follow-on execution. Execution Chain: Monitors for nslookup output being piped through findstr and for /f and then into cmd, which is a strong indicator of DNS response data being transformed into executable input. Evasion Detection: DNS traffic is frequently allowed through corporate firewalls, making this a "lightweight staging channel" that effectively hides data exfiltration and payload delivery in plain sight. To test your query, run a command that matches the full pipeline pattern, for example: nslookup -q=txt google.com | findstr /i "Name" | for /f "tokens=*" %i in ('more') do cmd /c %i. Wait a few minutes for the telemetry to ingest, then run your search to confirm the activity appears in your results.

MITRE ATT&CK

command-and-controlexecution

Detection Query

// Start with process execution events for performance
#event_simpleName = ProcessRollup2
// Filter for nslookup.exe
| ImageFileName = /\\nslookup\.exe$/i
// Looks for nslookup using specific record types (like TXT or ALL) and a piped parsing/execution chain associated with payload staging
| CommandLine = /(nslookup|n\^s\^l\^o\^o\^k\^u\^p).*(((-q|querytype|type)=?\s*)?(txt|all)).*\|.*findstr.*\|.*for \/f.*\|.*cmd/i
// Exclude common administrative noise if necessary
| ParentBaseFileName != /services\.exe|monitoring_agent\.exe/i
// Summarize the activity
| groupBy([ComputerName, UserName, ParentBaseFileName, CommandLine], limit=max)

Author

cap10

Data Sources

Endpoint

Platforms

windowslinux

Tags

HuntingDetectioncs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: "DNS Staging Detection: ClickFix-Inspired nslookup Execution"

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1071.004
  - T1059.001
  - T1204.002

# Description of what the query does and its purpose.
description: |
  Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily-monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic.

# The author or team that created the query.
author: cap10

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
tags:
  - Hunting
  - Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  // Start with process execution events for performance
  #event_simpleName = ProcessRollup2
  // Filter for nslookup.exe
  | ImageFileName = /\\nslookup\.exe$/i
  // Looks for nslookup using specific record types (like TXT or ALL) and a piped parsing/execution chain associated with payload staging
  | CommandLine = /(nslookup|n\^s\^l\^o\^o\^k\^u\^p).*(((-q|querytype|type)=?\s*)?(txt|all)).*\|.*findstr.*\|.*for \/f.*\|.*cmd/i
  // Exclude common administrative noise if necessary
  | ParentBaseFileName != /services\.exe|monitoring_agent\.exe/i
  // Summarize the activity
  | groupBy([ComputerName, UserName, ParentBaseFileName, CommandLine], limit=max)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Targeting trusted binaries: Monitors nslookup.exe, which attackers now prefer because it is less likely to be blocked by security software than mshta or PowerShell.
  
  DNS Record Retrieval: Looks for nslookup commands that request TXT or ALL record types, which are commonly abused to stage content over DNS.
  
  Staging Pattern: Detects the use of findstr on the nslookup output, a known ClickFix-inspired technique to parse returned DNS content and prepare it for follow-on execution.
  
  Execution Chain: Monitors for nslookup output being piped through findstr and for /f and then into cmd, which is a strong indicator of DNS response data being transformed into executable input.
  
  Evasion Detection: DNS traffic is frequently allowed through corporate firewalls, making this a "lightweight staging channel" that effectively hides data exfiltration and payload delivery in plain sight.
  
  To test your query, run a command that matches the full pipeline pattern, for example: nslookup -q=txt google.com | findstr /i "Name" | for /f "tokens=*" %i in ('more') do cmd /c %i. Wait a few minutes for the telemetry to ingest, then run your search to confirm the activity appears in your results.