Cache Smuggle
Query
// Title: Windows Process Start – Encoded URLs + Click-Fix Paths (Cache-Smuggling Chain)
// ID: cachefix-unified-001
// Status: Testing
// Description: Unified detection for Sysmon Event ID 1 and Windows Security 4688. Flags processes invoking web/LOLBIN clients with encoded delimiters (possible cache smuggling + click-fix chaining).
// Author: Shanholo (then converted to KQL with GROK by mrr3b00t)
// Date: 2025/10/12
// Tags: attack.T1204, attack.T1105, detection.cache_smuggling, detection.clickjacking
DeviceProcessEvents
| where
// Image/Process name across common schemas (Sysmon, 4688 raw, ECS/Winlogbeat)
(
InitiatingProcessFileName has_any ("curl.exe", "wget.exe", "powershell.exe", "pwsh.exe", "python.exe", "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "chrome.exe", "msedge.exe", "firefox.exe")
or FileName has_any ("curl.exe", "wget.exe", "powershell.exe", "pwsh.exe", "python.exe", "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "chrome.exe", "msedge.exe", "firefox.exe")
)
and
(
// Command line with encoded delimiters
(
ProcessCommandLine has_any ("%3f", "%253f", "%2f", "%252f", "%3b", "%253b", "%2e%2e", "%00")
and
(
// Click-fix style endpoints
ProcessCommandLine has_any ("/fix", "/quick-fix", "/reactivate", "/reset", "/account/enable", "/user/enable", "/profile/fix", "/session/refresh")
or
// Smuggling headers
ProcessCommandLine has_any ("X-Original-URL", "X-Rewrite-URL", "X-Forwarded-Host", "X-Forwarded-Prefix", "--header", "-H ", "Invoke-WebRequest", "Invoke-RestMethod", "requests.get(", "urllib.request")
)
)
or
(
// Click-fix style endpoints and smuggling headers
ProcessCommandLine has_any ("/fix", "/quick-fix", "/reactivate", "/reset", "/account/enable", "/user/enable", "/profile/fix", "/session/refresh")
and
ProcessCommandLine has_any ("X-Original-URL", "X-Rewrite-URL", "X-Forwarded-Host", "X-Forwarded-Prefix", "--header", "-H ", "Invoke-WebRequest", "Invoke-RestMethod", "requests.get(", "urllib.request")
)
or
// Classic LOLBINs URL
ProcessCommandLine has_any ("url.dll,FileProtocolHandler http", "mshta http", "mshta https", "rundll32 url.dll", "certutil -urlcache")
)
| project
Timestamp,
FileName,
InitiatingProcessFileName,
ProcessCommandLine,
InitiatingProcessCommandLine,
AccountName,
ProcessId,
InitiatingProcessId,
MD5
| extend Level = "high"
// False Positives: Legit admin/dev/API workflows using encoded URLs or custom headers, internal tools legitimately hitting /reset or session refresh endpoints, security scanners, and red-team exercises.Explanation
This KQL query is designed to detect potentially suspicious processes on Windows systems that might be involved in cache smuggling or clickjacking attacks. Here's a simplified breakdown of what the query does:
-
Target Processes: It looks for processes that are known to be used for web interactions or scripting, such as
curl.exe,wget.exe,powershell.exe,python.exe, and various web browsers likechrome.exe,msedge.exe, andfirefox.exe. -
Encoded Delimiters: The query checks if the command line used to start these processes contains encoded characters like
%3f,%2f, or%00, which might indicate URL encoding used in attacks. -
Click-Fix Endpoints and Smuggling Headers: It searches for command lines that include specific endpoints (like
/fix,/reset) or HTTP headers (X-Original-URL,X-Rewrite-URL) that are often associated with cache smuggling or clickjacking techniques. -
LOLBINs URLs: It also looks for classic Living Off the Land Binaries (LOLBINs) that are used to handle URLs, such as
url.dll,FileProtocolHandler httpormshta http. -
Output: The query projects key information about these processes, such as the timestamp, file names, command lines, account names, process IDs, and MD5 hashes.
-
Risk Level: It assigns a "high" risk level to these detections.
-
False Positives: The query acknowledges that legitimate administrative, development, or API workflows might trigger these detections, as well as internal tools, security scanners, or red-team exercises.
Overall, this query is part of a testing phase for detecting potentially malicious activities involving encoded URLs and specific web interactions on Windows systems.
