
DNS Staging Detection: ClickFix-Inspired nslookup Execution

Detects nslookup activity used for DNS-based staging, specifically the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable because it captures a shift away from heavily monitored tools such as mshta and PowerShell toward abuse of trusted network utilities that bypass standard firewall controls and blend in with legitimate DNS traffic.

Tags: EDR, hunting, detection, T1071.004, T1059.001, T1204.002
FDR | intermediate | by cap10 (cql-hub.com) | 1 min read

Query

// Start with process execution events for performance
#event_simpleName = ProcessRollup2
// Filter for nslookup.exe
| ImageFileName = /\\nslookup\.exe$/i
// Look for nslookup requesting TXT/ALL records (-q=, -querytype= or the -type= alias)
// or pointing at an explicit nameserver given as a dotted-quad IP
| CommandLine = /nslookup.*(-q|querytype|-type)=(txt|all)/i or CommandLine = /nslookup.* \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
// Exclude common administrative noise if necessary
| ParentBaseFileName != /services\.exe|monitoring_agent\.exe/i
// Summarize the activity per host, user and command line
| groupBy([ComputerName, UserName, CommandLine], function=count())
| table([ComputerName, UserName, CommandLine, _count])
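To make the filter logic testable outside the Falcon console, the following Python script re-implements the query's pipes (image match, record-type or explicit-server match, parent-process exclusion, then groupBy/count) and runs them over a handful of constructed ProcessRollup2-style events. This is an added example, not code from cql-hub.com or the hunt's author; the event records, hostnames, user names and the 203.0.113.0/24 and .invalid values are made up for the demonstration, and accepting the `-type=` alias alongside `-q=`/`-querytype=` is an assumption of this example.

```python
"""Offline re-implementation of the nslookup DNS-staging hunt (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# --- filters mirroring the CQL pipes ---------------------------------------
# ImageFileName = /\\nslookup\.exe$/i
IMAGE_RE = re.compile(r"\\nslookup\.exe$", re.IGNORECASE)
# Record-type switch set to TXT or ALL. "-type=" is nslookup's common alias
# for -q=/-querytype= and is included here as an assumption of this example.
QTYPE_RE = re.compile(r"nslookup.*(-q|querytype|-type)=(txt|all)", re.IGNORECASE)
# Explicit nameserver supplied as a dotted-quad after the query name.
SERVER_IP_RE = re.compile(r"nslookup.* \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
# ParentBaseFileName != /services\.exe|monitoring_agent\.exe/i
PARENT_NOISE_RE = re.compile(r"services\.exe|monitoring_agent\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessRollup2:
    """Subset of the ProcessRollup2 fields the hunt uses."""
    ComputerName: str
    UserName: str
    ImageFileName: str
    CommandLine: str
    ParentBaseFileName: str


def is_suspicious_nslookup(ev: ProcessRollup2) -> bool:
    """Apply the three filter pipes to a single event."""
    if not IMAGE_RE.search(ev.ImageFileName):
        return False
    if not (QTYPE_RE.search(ev.CommandLine) or SERVER_IP_RE.search(ev.CommandLine)):
        return False
    if PARENT_NOISE_RE.search(ev.ParentBaseFileName):
        return False
    return True


def hunt(events):
    """groupBy([ComputerName, UserName, CommandLine], function=count())."""
    return Counter(
        (ev.ComputerName, ev.UserName, ev.CommandLine)
        for ev in events
        if is_suspicious_nslookup(ev)
    )


# Constructed sample events, not real telemetry. 203.0.113.0/24 is a
# documentation range and .invalid is a reserved TLD.
SAMPLE_EVENTS = [
    # ClickFix-style staging: TXT query against an explicit external resolver (seen twice).
    ProcessRollup2("WS01", "alice", r"C:\Windows\System32\nslookup.exe",
                   "nslookup -q=txt stage.example.invalid 203.0.113.5", "cmd.exe"),
    ProcessRollup2("WS01", "alice", r"C:\Windows\System32\nslookup.exe",
                   "nslookup -q=txt stage.example.invalid 203.0.113.5", "cmd.exe"),
    # Same intent using the -type alias and the default resolver.
    ProcessRollup2("WS02", "bob", r"C:\Windows\System32\nslookup.exe",
                   "nslookup -type=TXT stage.example.invalid", "powershell.exe"),
    # Explicit server, no record type: caught by the dotted-quad branch.
    ProcessRollup2("WS03", "carol", r"C:\Windows\System32\nslookup.exe",
                   "nslookup www.example.com 203.0.113.5", "cmd.exe"),
    # Would match, but is suppressed by the parent-process exclusion.
    ProcessRollup2("SRV01", "svc_mon", r"C:\Windows\System32\nslookup.exe",
                   "nslookup -q=txt health.example.com 203.0.113.9", "monitoring_agent.exe"),
    # Benign forward lookup: no record type, no explicit server.
    ProcessRollup2("WS04", "dave", r"C:\Windows\System32\nslookup.exe",
                   "nslookup www.example.com", "cmd.exe"),
    # Different binary entirely; fails the image filter.
    ProcessRollup2("WS04", "dave", r"C:\Windows\System32\ping.exe",
                   "ping 203.0.113.5", "cmd.exe"),
]


if __name__ == "__main__":
    # Equivalent of the final table([...]) pipe.
    for (host, user, cmd), n in hunt(SAMPLE_EVENTS).items():
        print(f"{host:6} {user:8} {n:>3}  {cmd}")
```

Running the script prints three grouped rows: the WS01 command line with a count of 2, plus one row each for WS02 and WS03; the monitoring_agent.exe child and the plain forward lookup are dropped. One tuning point the sample makes visible: the dotted-quad branch has no way to distinguish an explicit nameserver from a bare reverse lookup of an IP, so in environments where helpdesk or scripts routinely run reverse lookups, extend the ParentBaseFileName or UserName exclusions rather than loosening the regexes.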

Explanation

Imported from cql-hub.com. Add an explanation of the pipes here.

Variables to adjust

Review and adjust the values for your environment.