
# *ClickFix: Nslookup DNS Staging*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1204.001 | User Execution: Malicious Link | https://attack.mitre.org/techniques/T1204/001/ |
| T1204.004 | User Execution: Malicious Copy and Paste | https://attack.mitre.org/techniques/T1204/004/ |

#### Description
Detects 'nslookup.exe' launched with 'explorer.exe' as its parent process. Commands a user pastes into the Run dialog (Win+R) or the File Explorer address bar are spawned by explorer.exe, so this parent/child pair is the footprint of a ClickFix lure that has the victim paste an nslookup command to pull staged content over DNS; it can also reflect DNS reconnaissance or command and control (C2) staging by an interactive adversary. Legitimate administrative scripts normally run nslookup from cmd.exe or powershell.exe, not from explorer.exe. The rule excludes one known false positive: rows whose recorded command line is the conhost.exe launch string.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html


## Defender XDR
```KQL
// ClickFix: Nslookup DNS Staging
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName =~ "nslookup.exe"
// Commands pasted into the Run dialog or the Explorer address bar are spawned by explorer.exe
| where InitiatingProcessFileName =~ "explorer.exe"
// Exclusions
// Known noise: rows whose command line is the conhost.exe launch string.
// !~ is case-insensitive, so the exclusion still holds when the path is logged as C:\WINDOWS
| where ProcessCommandLine !~ "\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1"
```

## Explanation

The query reads DeviceProcessEvents for the last seven days and keeps process creations where the image is nslookup.exe and the parent is explorer.exe. The parent is the interesting part: a command pasted into the Run dialog or the Explorer address bar is launched by explorer.exe, whereas scripted or administrative DNS lookups are normally children of cmd.exe or powershell.exe. A hit therefore suggests a user was lured into pasting an nslookup command (the ClickFix pattern) or an interactive adversary using DNS for reconnaissance or C2 staging. Rows whose command line is the conhost.exe launch string are a known noise source and are excluded. When triaging, read ProcessCommandLine: a lookup for TXT records, the usual carrier for content staged in DNS, against an unfamiliar domain is far more suspicious than a plain name lookup, and any process nslookup's parent spawns next (for example powershell.exe or cmd.exe) is worth checking.
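To see which rows the filters keep, here is an added Python model of the query run over constructed DeviceProcessEvents-style rows. It is example code written for this page, not part of the original rule or the author's repository; the sample rows, the domains (all under the reserved .invalid TLD) and the `is_txt_lookup` triage helper are assumptions made for illustration. The `hunt` function models the conhost exclusion either as KQL `!=` (case-sensitive) or `!~` (case-insensitive), which shows why the casing of the logged path matters for that exclusion.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like DeviceProcessEvents columns; not real telemetry.
NOW = datetime(2026, 2, 23, 12, 0, tzinfo=timezone.utc)
CONHOST_LINE = r"\??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1"

SAMPLE_EVENTS = [
    # 1: ClickFix-style launch: a pasted TXT lookup, parent explorer.exe (Run dialog)
    {"Id": 1, "Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws01",
     "FileName": "nslookup.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "nslookup -type=txt stage.example.invalid"},
    # 2: same parent, but the recorded command line is the conhost launch string
    #    with an upper-case WINDOWS path (constructed to show the casing problem)
    {"Id": 2, "Timestamp": NOW - timedelta(hours=2), "DeviceName": "ws02",
     "FileName": "nslookup.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"},
    # 3: helpdesk script run from cmd.exe; wrong parent, out of scope for this rule
    {"Id": 3, "Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws03",
     "FileName": "nslookup.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "nslookup dc01.corp.example"},
    # 4: right shape but 10 days old; outside the 7-day window
    {"Id": 4, "Timestamp": NOW - timedelta(days=10), "DeviceName": "ws04",
     "FileName": "nslookup.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "nslookup -q=txt old.example.invalid"},
    # 5: mixed-case names; KQL =~ is case-insensitive, so this still matches
    {"Id": 5, "Timestamp": NOW - timedelta(minutes=30), "DeviceName": "ws05",
     "FileName": "NSLOOKUP.EXE", "InitiatingProcessFileName": "Explorer.EXE",
     "ProcessCommandLine": "NSLOOKUP -querytype=TXT c2.example.invalid"},
]


def kql_eq_ci(a: str, b: str) -> bool:
    """Model KQL =~ (case-insensitive string equality)."""
    return a.casefold() == b.casefold()


# nslookup's record-type switch and the abbreviations it accepts for it.
TXT_QUERY = re.compile(r"-(?:type|querytype|q|ty)=txt\b", re.IGNORECASE)


def is_txt_lookup(cmdline: str) -> bool:
    """True when the command line asks for TXT records, the record type used to
    stage content in DNS. Hypothetical triage helper; not part of the rule."""
    return TXT_QUERY.search(cmdline) is not None


def hunt(events, now=NOW, lookback=timedelta(days=7), ci_exclusion=True):
    """Apply the rule's filters in order. ci_exclusion=True models `!~` for the
    conhost exclusion; False models a case-sensitive `!=`."""
    hits = []
    for ev in events:
        if ev["Timestamp"] < now - lookback:          # Timestamp >= ago(7d)
            continue
        if not kql_eq_ci(ev["FileName"], "nslookup.exe"):
            continue
        if not kql_eq_ci(ev["InitiatingProcessFileName"], "explorer.exe"):
            continue
        cmd = ev["ProcessCommandLine"]
        excluded = kql_eq_ci(cmd, CONHOST_LINE) if ci_exclusion else cmd == CONHOST_LINE
        if excluded:
            continue
        hits.append({**ev, "TxtLookup": is_txt_lookup(cmd)})
    return hits


def hit_ids(events, **kwargs):
    """Ids of the rows the rule would surface, for quick comparison of variants."""
    return [h["Id"] for h in hunt(events, **kwargs)]


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["Id"], h["DeviceName"], "TXT" if h["TxtLookup"] else "   ", h["ProcessCommandLine"])
    print("with a case-sensitive exclusion:", hit_ids(SAMPLE_EVENTS, ci_exclusion=False))
```

With the case-insensitive exclusion only rows 1 and 5 survive; with a case-sensitive comparison row 2, the conhost launch string logged under C:\WINDOWS, leaks through as a false positive. Both surviving rows are TXT lookups against unfamiliar domains, which is the shape a ClickFix DNS stager leaves behind and the first thing to read off ProcessCommandLine during triage.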

## Details

- **Released: February 23, 2026**
