Query Details

ClickFix nslookup Payload Delivery via DNS

03 DNS Click Fix Nslookup Payload

Query

SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4688
| where Process =~ "nslookup.exe"
| where CommandLine has_any ("-server", "/server")
      or CommandLine matches regex @"nslookup\s+\S+\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
      or CommandLine matches regex @"nslookup\s+-type=\w+\s+\S+\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| extend
    ParentIsShell = ParentProcessName in~ ("cmd.exe", "powershell.exe", "wscript.exe",
                                           "mshta.exe", "cscript.exe", "rundll32.exe")
| project
    TimeGenerated,
    Computer,
    Account,
    CommandLine,
    ParentProcessName,
    ParentIsShell

Explanation

This query is designed to detect a specific type of cyber attack known as the "ClickFix" attack, which was observed in February 2026. In this attack, victims are tricked into running the nslookup command with a specific DNS server controlled by attackers. This server then delivers a malicious PowerShell script through the DNS response, which is executed to install malware like ModeloRAT.

Here's a simple breakdown of the query:

  1. Purpose: To identify instances where the nslookup.exe command is used with an explicit DNS server address, which is a key indicator of the ClickFix attack.

  2. Data Source: The query looks at security events, specifically those with Event ID 4688, which logs process creation events.

  3. Detection Criteria:

    • The process name must be nslookup.exe.
    • The command line must include an explicit server IP address, indicated by the presence of -server or /server options, or match specific regex patterns that show an IP address is being used.
    • It checks if the parent process is a shell like cmd.exe or powershell.exe, which are often used to execute such commands.
  4. Output: The query projects details such as the time the event was generated, the computer and account involved, the command line used, and the parent process name.

  5. Alerting: If such an event is detected, an alert is generated with details about the computer and account involved, highlighting that this matches the ClickFix attack pattern.

  6. Severity: The severity of this detection is marked as high due to the potential for malware installation.

  7. Frequency: The query runs every 15 minutes, looking back over the past day to catch any occurrences of this attack pattern.

Overall, this query helps security teams quickly identify and respond to potential ClickFix attacks by monitoring for suspicious nslookup usage patterns.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

SecurityEvent

Keywords

SecurityEventExecutionCommandAndControlClickFixNslookupModeloRATDNSPayloadStagingLOLBINTA577HostAccountComputer

Operators

SecurityEventwhereTimeGeneratedagoEventIDProcessCommandLinehas_anymatchesregexextendParentProcessNamein~projectentityMappingsentityTypefieldMappingsidentifiercolumnNamealertDetailsOverridealertDisplayNameFormatalertDescriptionFormatcustomDetails

Severity

High

Tactics

ExecutionCommandAndControl

Frequency: 15m

Period: 1d

Actions

GitHub