Query Details

03 DNS Click Fix Nslookup Payload

Query

id: a1b2c3d4-0003-4a5b-8c9d-dns003clickfix
name: ClickFix nslookup Payload Delivery via DNS
description: |
  Detects the ClickFix social engineering technique observed in February 2026
  (reported by BleepingComputer and Microsoft Threat Intelligence) where victims
  are instructed to run nslookup pointed at an attacker-controlled DNS server.
  The malicious DNS server returns a PowerShell payload in the NAME: response field
  which is then executed by cmd.exe to install malware (e.g., ModeloRAT).
  This rule detects nslookup.exe invocations that pass an explicit server IP as the
  positional argument after the name to resolve (nslookup [-options] <name> <server>),
  which is characteristic of this attack pattern.
  Ref: "New ClickFix attack abuses nslookup to retrieve PowerShell payload via DNS"
severity: High
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 15m
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Execution
  - CommandAndControl
relevantTechniques:
  - T1059.001
  - T1071.004
  - T1204.002
tags:
  - ClickFix
  - nslookup
  - ModeloRAT
  - DNS payload staging
  - LOLBIN
  - TA577
query: |
  SecurityEvent
  | where TimeGenerated > ago(1d)
  | where EventID == 4688
  | where Process =~ "nslookup.exe"
  // Explicit server = positional argument after the name: nslookup [-options] <name> <server-ip>.
  // "nslookup\S*" also covers "nslookup.exe" and a quoted full path; (?i) makes the match case-insensitive.
  | where CommandLine has_any ("-server", "/server")
        or CommandLine matches regex @"(?i)nslookup\S*\s+(-\S+\s+)*[^-\s]\S*\s+\d{1,3}(\.\d{1,3}){3}"
  // ParentProcessName in 4688 events is a full path (C:\Windows\System32\cmd.exe),
  // so compare only its file-name portion; the full value never equals a bare image name.
  | extend ParentImage = tolower(extract(@"([^\\]+)$", 1, ParentProcessName))
  | extend
      ParentIsShell = ParentImage in ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                                      "mshta.exe", "cscript.exe", "rundll32.exe")
  | project
      TimeGenerated,
      Computer,
      Account,
      CommandLine,
      ParentProcessName,
      ParentIsShell
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Computer
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: Account
alertDetailsOverride:
  alertDisplayNameFormat: "ClickFix DNS Payload — nslookup with explicit server on {{Computer}}"
  alertDescriptionFormat: "nslookup.exe launched with an explicit DNS server address on {{Computer}} by {{Account}}. This matches the ClickFix attack pattern (Feb 2026) that delivers PowerShell payloads via DNS NAME field. Command: {{CommandLine}}"
customDetails:
  CommandLine: CommandLine
  ParentProcess: ParentProcessName

Explanation

This query detects the ClickFix social engineering technique observed in February 2026 (reported by BleepingComputer and Microsoft Threat Intelligence). Victims are tricked into running nslookup against a DNS server the attacker controls; that server answers with a PowerShell payload, which nslookup prints in its Name: output and cmd.exe then executes to install malware such as ModeloRAT.

Breakdown of the query:

  1. Purpose: Flag nslookup.exe invocations that name an explicit DNS server. Ordinary lookups use the system resolver; the ClickFix instructions must name the attacker's server because only that server returns the payload.

  2. Data Source: SecurityEvent rows with Event ID 4688 (process creation). The CommandLine column is only populated when the "Include command line in process creation events" policy is enabled alongside Audit Process Creation; without it every command-line check below runs against an empty string and the rule stays silent.

  3. Detection Criteria:

    • The process is nslookup.exe (=~ is case-insensitive).
    • The command line contains a -server or /server switch, or matches a regex for the positional form nslookup [-options] <name> <server-ip>, i.e. a dotted-quad address following the name being resolved.
    • ParentIsShell records whether the parent process is cmd.exe, powershell.exe, wscript.exe, mshta.exe, cscript.exe or rundll32.exe. It is an enrichment column, not a filter: hits from other parents are still returned. ParentProcessName in 4688 events is a full path (C:\Windows\System32\cmd.exe), so the comparison has to be made against its file-name portion; comparing the whole value against bare image names never matches.

  4. Output: The query projects the event time, the computer and account involved, the command line, the parent process name and the ParentIsShell flag.

  5. Alerting: With triggerOperator gt and triggerThreshold 0, any run returning at least one row raises an alert. Host and Account entities are mapped from Computer and Account, and the alert text carries the command line.

  6. Severity: High. A match on a user workstation, particularly with a shell parent, usually means the payload has already been fetched and executed, so treat it as an active incident rather than a precursor.

  7. Frequency: The rule runs every 15 minutes with a one-day lookback (queryPeriod, duplicated by the hard-coded ago(1d)). The same event is therefore returned by up to 96 consecutive runs; either shorten queryPeriod to match queryFrequency or configure alert grouping and suppression on the rule.

Expect some benign hits: administrators do run nslookup <host> <resolver-ip> to test a specific DNS server. Triage on ParentIsShell, the account, and whether the server address is a known internal resolver or an unfamiliar external host, and consider excluding known resolver addresses once the baseline is understood.
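To exercise the matching logic before deploying a change, here is an offline Python port of the query's predicates run over constructed 4688-style rows. This is an added example, not part of the page or of the rule itself (Sentinel evaluates the KQL, not this code). It generalizes the page's two positional regexes into one case-insensitive pattern that accepts any number of leading -options, "nslookup.exe" and quoted full paths, and it compares the parent by file name because ParentProcessName is a full path. The host names, accounts and addresses in the sample rows are invented (TEST-NET ranges, .invalid domains).

```python
import re

# Offline port of the rule's predicates (added example, not the rule itself).
# Positional server argument: nslookup [-options] <name> <server-ip>.
# "nslookup\S*" also matches "nslookup.exe" and a quoted full path; RE2-compatible syntax.
EXPLICIT_SERVER_RE = re.compile(
    r"(?i)nslookup\S*\s+(-\S+\s+)*[^-\s]\S*\s+\d{1,3}(\.\d{1,3}){3}"
)
SERVER_SWITCHES = ("-server", "/server")  # substring check approximates KQL has_any
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                 "mshta.exe", "cscript.exe", "rundll32.exe"}


def parent_image(parent_process_name: str) -> str:
    """File-name portion of the full path logged in 4688 ParentProcessName."""
    return parent_process_name.rsplit("\\", 1)[-1].lower()


def command_line_matches(command_line: str) -> bool:
    """The rule's CommandLine predicate: -server//server switch or positional server IP."""
    lowered = command_line.lower()
    if any(switch in lowered for switch in SERVER_SWITCHES):
        return True
    return EXPLICIT_SERVER_RE.search(command_line) is not None


def evaluate(events: list[dict]) -> list[dict]:
    """Apply the 4688 / nslookup.exe / CommandLine filters and add the ParentIsShell flag."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        if ev.get("Process", "").lower() != "nslookup.exe":  # KQL =~ is case-insensitive
            continue
        if not command_line_matches(ev.get("CommandLine", "")):
            continue
        hits.append({
            "Computer": ev["Computer"],
            "Account": ev["Account"],
            "CommandLine": ev["CommandLine"],
            "ParentProcessName": ev["ParentProcessName"],
            "ParentIsShell": parent_image(ev["ParentProcessName"]) in SHELL_PARENTS,
        })
    return hits


# Constructed sample rows (TEST-NET addresses, .invalid names); not real telemetry.
SAMPLE_EVENTS = [
    {   # ClickFix-style: -type option, name, then an attacker-controlled server, from cmd.exe
        "EventID": 4688, "Computer": "WS01", "Account": "CORP\\alice", "Process": "nslookup.exe",
        "CommandLine": "nslookup -type=txt update.example.invalid 203.0.113.10",
        "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {   # Quoted full path launched from PowerShell; must still match
        "EventID": 4688, "Computer": "WS02", "Account": "CORP\\bob", "Process": "nslookup.exe",
        "CommandLine": "\"C:\\Windows\\System32\\nslookup.exe\" cdn.example.invalid 198.51.100.7",
        "ParentProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {   # Admin testing a specific resolver from the Run dialog: matches, ParentIsShell is False
        "EventID": 4688, "Computer": "WS03", "Account": "CORP\\itops", "Process": "nslookup.exe",
        "CommandLine": "nslookup intranet.corp.invalid 192.0.2.53",
        "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {   # Default resolver, no explicit server: not matched
        "EventID": 4688, "Computer": "WS03", "Account": "CORP\\itops", "Process": "nslookup.exe",
        "CommandLine": "nslookup intranet.corp.invalid",
        "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {   # Different process: not matched
        "EventID": 4688, "Computer": "WS04", "Account": "CORP\\carol", "Process": "ping.exe",
        "CommandLine": "ping 203.0.113.10",
        "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["Computer"], hit["ParentIsShell"], hit["CommandLine"])
```

The three rows the port returns are the two shell-launched invocations and the administrator's lookup; only the flag separates them, which is why ParentIsShell is projected rather than used as a filter. Paste any real command line from a 4688 event into command_line_matches to check how the rule will treat it before tuning exclusions.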

Details

David Alonso

Released: March 26, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Execution, CommandAndControl, ClickFix, Nslookup, ModeloRAT, DNSPayloadStaging, LOLBIN, TA577, Host, Account, Computer

Operators

SecurityEvent, where, TimeGenerated, ago, EventID, Process, CommandLine, has_any, matches regex, extend, ParentProcessName, in~, project, entityMappings, entityType, fieldMappings, identifier, columnName, alertDetailsOverride, alertDisplayNameFormat, alertDescriptionFormat, customDetails