ClickFix nslookup Payload Delivery via DNS
03 DNS Click Fix Nslookup Payload
Query
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4688
| where Process =~ "nslookup.exe"
| where CommandLine has_any ("-server", "/server")
or CommandLine matches regex @"nslookup\s+\S+\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
or CommandLine matches regex @"nslookup\s+-type=\w+\s+\S+\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| extend
ParentIsShell = ParentProcessName in~ ("cmd.exe", "powershell.exe", "wscript.exe",
"mshta.exe", "cscript.exe", "rundll32.exe")
| project
TimeGenerated,
Computer,
Account,
CommandLine,
ParentProcessName,
ParentIsShellExplanation
This query is designed to detect a specific type of cyber attack known as the "ClickFix" attack, which was observed in February 2026. In this attack, victims are tricked into running the nslookup command with a specific DNS server controlled by attackers. This server then delivers a malicious PowerShell script through the DNS response, which is executed to install malware like ModeloRAT.
Here's a simple breakdown of the query:
-
Purpose: To identify instances where the
nslookup.execommand is used with an explicit DNS server address, which is a key indicator of the ClickFix attack. -
Data Source: The query looks at security events, specifically those with Event ID 4688, which logs process creation events.
-
Detection Criteria:
- The process name must be
nslookup.exe. - The command line must include an explicit server IP address, indicated by the presence of
-serveror/serveroptions, or match specific regex patterns that show an IP address is being used. - It checks if the parent process is a shell like
cmd.exeorpowershell.exe, which are often used to execute such commands.
- The process name must be
-
Output: The query projects details such as the time the event was generated, the computer and account involved, the command line used, and the parent process name.
-
Alerting: If such an event is detected, an alert is generated with details about the computer and account involved, highlighting that this matches the ClickFix attack pattern.
-
Severity: The severity of this detection is marked as high due to the potential for malware installation.
-
Frequency: The query runs every 15 minutes, looking back over the past day to catch any occurrences of this attack pattern.
Overall, this query helps security teams quickly identify and respond to potential ClickFix attacks by monitoring for suspicious nslookup usage patterns.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 1d