Click Fix Nslookup DNS Staging
Query
// ClickFix: Nslookup DNS Staging
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName =~ "nslookup.exe"
| where InitiatingProcessFileName =~ "explorer.exe"
// Exclusions
| where ProcessCommandLine != "\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1"About this query
ClickFix: Nslookup DNS Staging
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1204.001 | User Execution: Malicious Link | https://attack.mitre.org/techniques/T1204/001/ |
| T1204.004 | User Execution: Malicious Copy and Paste | https://attack.mitre.org/techniques/T1204/004/ |
Description
Detects instances where 'nslookup.exe' is initiated by 'explorer.exe'. This activity can be indicative of an adversary performing DNS queries for reconnaissance or command and control (C2) staging, especially when not part of a legitimate administrative script or user action. The rule excludes a common false positive related to conhost.exe.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to detect potentially suspicious activity on a computer system. Specifically, it looks for instances where the program nslookup.exe is started by explorer.exe. This could indicate that someone is using DNS queries for reconnaissance or setting up command and control (C2) operations, which are common tactics used by attackers. The query filters out a known false positive involving conhost.exe to reduce noise in the results. It examines events from the past seven days to identify any such occurrences.
Details

Benjamin Zulliger
Released: February 23, 2026
Tables
Keywords
Operators