Query Details

Cache Smuggle

Query

// Title: Windows Process Start – Encoded URLs + Click-Fix Paths (Cache-Smuggling Chain)
// ID: cachefix-unified-001
// Status: Testing
// Description: Unified detection for Sysmon Event ID 1 and Windows Security 4688. Flags processes invoking web/LOLBIN clients with encoded delimiters (possible cache smuggling + click-fix chaining).
// Author: Shanholo (then converted to KQL with GROK by mrr3b00t)
// Date: 2025/10/12
// Tags: attack.T1204, attack.T1105, detection.cache_smuggling, detection.clickjacking

DeviceProcessEvents
| where
    // Image/Process name across common schemas (Sysmon, 4688 raw, ECS/Winlogbeat)
    (
        InitiatingProcessFileName has_any ("curl.exe", "wget.exe", "powershell.exe", "pwsh.exe", "python.exe", "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "chrome.exe", "msedge.exe", "firefox.exe")
        or FileName has_any ("curl.exe", "wget.exe", "powershell.exe", "pwsh.exe", "python.exe", "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "chrome.exe", "msedge.exe", "firefox.exe")
    )
    and
    (
        // Command line with encoded delimiters
        (
            ProcessCommandLine has_any ("%3f", "%253f", "%2f", "%252f", "%3b", "%253b", "%2e%2e", "%00")
            and
            (
                // Click-fix style endpoints
                ProcessCommandLine has_any ("/fix", "/quick-fix", "/reactivate", "/reset", "/account/enable", "/user/enable", "/profile/fix", "/session/refresh")
                or
                // Smuggling headers
                ProcessCommandLine has_any ("X-Original-URL", "X-Rewrite-URL", "X-Forwarded-Host", "X-Forwarded-Prefix", "--header", "-H ", "Invoke-WebRequest", "Invoke-RestMethod", "requests.get(", "urllib.request")
            )
        )
        or
        (
            // Click-fix style endpoints and smuggling headers
            ProcessCommandLine has_any ("/fix", "/quick-fix", "/reactivate", "/reset", "/account/enable", "/user/enable", "/profile/fix", "/session/refresh")
            and
            ProcessCommandLine has_any ("X-Original-URL", "X-Rewrite-URL", "X-Forwarded-Host", "X-Forwarded-Prefix", "--header", "-H ", "Invoke-WebRequest", "Invoke-RestMethod", "requests.get(", "urllib.request")
        )
        or
        // Classic LOLBINs URL
        ProcessCommandLine has_any ("url.dll,FileProtocolHandler http", "mshta http", "mshta https", "rundll32 url.dll", "certutil -urlcache")
    )
| project
    Timestamp,
    FileName,
    InitiatingProcessFileName,
    ProcessCommandLine,
    InitiatingProcessCommandLine,
    AccountName,
    ProcessId,
    InitiatingProcessId,
    MD5
| extend Level = "high"
// False Positives: Legit admin/dev/API workflows using encoded URLs or custom headers, internal tools legitimately hitting /reset or session refresh endpoints, security scanners, and red-team exercises.

Explanation

This KQL query is designed to detect potentially suspicious processes on Windows systems that might be involved in cache smuggling or clickjacking attacks. Here's a simplified breakdown of what the query does:

  1. Target Processes: It looks for processes that are known to be used for web interactions or scripting, such as curl.exe, wget.exe, powershell.exe, python.exe, and various web browsers like chrome.exe, msedge.exe, and firefox.exe.

  2. Encoded Delimiters: The query checks if the command line used to start these processes contains encoded characters like %3f, %2f, or %00, which might indicate URL encoding used in attacks.

  3. Click-Fix Endpoints and Smuggling Headers: It searches for command lines that include specific endpoints (like /fix, /reset) or HTTP headers (X-Original-URL, X-Rewrite-URL) that are often associated with cache smuggling or clickjacking techniques.

  4. LOLBINs URLs: It also looks for classic Living Off the Land Binaries (LOLBINs) that are used to handle URLs, such as url.dll,FileProtocolHandler http or mshta http.

  5. Output: The query projects key information about these processes, such as the timestamp, file names, command lines, account names, process IDs, and MD5 hashes.

  6. Risk Level: It assigns a "high" risk level to these detections.

  7. False Positives: The query acknowledges that legitimate administrative, development, or API workflows might trigger these detections, as well as internal tools, security scanners, or red-team exercises.

Overall, this query (currently marked Status: Testing) aims to detect potentially malicious activity involving encoded URLs and specific web interactions on Windows systems.
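To see how the three branches of the where-clause combine, here is the same logic re-implemented in Python and run over constructed sample events. This is an added example, not part of the page's query; the event records are made up, and plain case-insensitive substring matching is an assumption standing in for KQL's term-based has_any.

```python
# Process names and command-line indicators copied from the page's KQL query.
CLIENTS = ("curl.exe", "wget.exe", "powershell.exe", "pwsh.exe", "python.exe",
           "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
           "chrome.exe", "msedge.exe", "firefox.exe")
ENCODED = ("%3f", "%253f", "%2f", "%252f", "%3b", "%253b", "%2e%2e", "%00")
ENDPOINTS = ("/fix", "/quick-fix", "/reactivate", "/reset", "/account/enable",
             "/user/enable", "/profile/fix", "/session/refresh")
HEADERS = ("X-Original-URL", "X-Rewrite-URL", "X-Forwarded-Host",
           "X-Forwarded-Prefix", "--header", "-H ", "Invoke-WebRequest",
           "Invoke-RestMethod", "requests.get(", "urllib.request")
LOLBIN_URL = ("url.dll,FileProtocolHandler http", "mshta http", "mshta https",
              "rundll32 url.dll", "certutil -urlcache")

def has_any(text, needles):
    """Case-insensitive substring match. This approximates KQL's term-based
    has_any (assumption); substring matching flags a superset of what KQL would."""
    low = text.lower()
    return any(n.lower() in low for n in needles)

def matches(event):
    """Apply the query's where-clause to one DeviceProcessEvents-shaped record."""
    if not (has_any(event.get("InitiatingProcessFileName", ""), CLIENTS)
            or has_any(event.get("FileName", ""), CLIENTS)):
        return False
    cmd = event.get("ProcessCommandLine", "")
    # Branch 1: encoded delimiter plus a click-fix endpoint or a smuggling header
    encoded_chain = has_any(cmd, ENCODED) and (has_any(cmd, ENDPOINTS) or has_any(cmd, HEADERS))
    # Branch 2: click-fix endpoint together with a smuggling header
    endpoint_and_header = has_any(cmd, ENDPOINTS) and has_any(cmd, HEADERS)
    # Branch 3: classic LOLBIN URL handlers
    return encoded_chain or endpoint_and_header or has_any(cmd, LOLBIN_URL)

# Constructed sample events (not real telemetry): branch 1, branch 3, and two non-matches.
SAMPLE_EVENTS = [
    {"FileName": "curl.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": 'curl.exe -H "X-Original-URL: /account/enable" http://cdn.example.test/a%3fb'},
    {"FileName": "rundll32.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "rundll32 url.dll,FileProtocolHandler http://portal.example.test/"},
    # urllib.request alone is a header-list hit but no endpoint or encoding: not flagged
    {"FileName": "python.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "python.exe -c \"import urllib.request; print('ok')\""},
    # a browser opening a plain /reset URL hits only the endpoint list: not flagged
    {"FileName": "msedge.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "msedge.exe https://intranet.example.test/reset"},
]

def run(events=SAMPLE_EVENTS):
    """Return the events the rule would flag, each extended with Level='high'."""
    return [dict(e, Level="high") for e in events if matches(e)]
```

The two non-matching samples show why the endpoint and header lists are AND-gated with each other or with an encoded delimiter: either list on its own is common in benign command lines.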

Details

Daniel Card

Released: October 14, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

DeviceProcessEvents, where, has_any, or, and, project, extend