Query Details

Click Fix Nslookup DNS Staging

Query

// ClickFix: Nslookup DNS Staging
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName =~ "nslookup.exe"
| where InitiatingProcessFileName =~ "explorer.exe"
// Exclusions
| where ProcessCommandLine != "\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1"

About this query

ClickFix: Nslookup DNS Staging

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1204.001User Execution: Malicious Linkhttps://attack.mitre.org/techniques/T1204/001/
T1204.004User Execution: Malicious Copy and Pastehttps://attack.mitre.org/techniques/T1204/004/

Description

Detects instances where 'nslookup.exe' is initiated by 'explorer.exe'. This activity can be indicative of an adversary performing DNS queries for reconnaissance or command and control (C2) staging, especially when not part of a legitimate administrative script or user action. The rule excludes a common false positive related to conhost.exe.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect potentially suspicious activity on a computer system. Specifically, it looks for instances where the program nslookup.exe is started by explorer.exe. This could indicate that someone is using DNS queries for reconnaissance or setting up command and control (C2) operations, which are common tactics used by attackers. The query filters out a known false positive involving conhost.exe to reduce noise in the results. It examines events from the past seven days to identify any such occurrences.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: February 23, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsTimestampFileNameInitiatingCommandLine

Operators

DeviceProcessEvents|whereTimestamp>=ago(7d)FileName=~"nslookup.exe"InitiatingProcessFileName"explorer.exe"ProcessCommandLine!="\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1"

MITRE Techniques

Actions

GitHub