Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-DiscordWebhook-InfostealerExfil.

Upgrade to Pro
THREAT-DiscordWebhook-InfostealerExfil IBM QRadar · QRadar

Detect Infostealer Credential Exfiltration via Discord Webhook in IBM QRadar

Commodity infostealer malware (RedLine, Raccoon, Vidar, Lumma) and remote access trojans (AsyncRAT) overwhelmingly favor Discord webhooks as a C2-less exfiltration drop for stolen browser credential stores, cookies, cryptocurrency wallet files, and Discord/Telegram session tokens. The webhook URL is hardcoded into the compiled binary, requires no attacker-side listener infrastructure, and the resulting HTTPS traffic to discord.com blends into normal collaboration-tool egress that most enterprises never restrict. Because Discord is rarely blocked and the destination is a legitimate, widely-trusted SaaS domain, this vector routinely bypasses proxy category blocking and simple domain-reputation controls. The most reliable detection opportunity is not the network connection alone (Discord traffic is common) but the temporal pairing of a locked browser credential database being staged/copied by a non-browser process immediately before an outbound POST to a Discord webhook API path from that same process.

MITRE ATT&CK

Tactic
Exfiltration

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource,
  "sourceip" as SourceIP, hostname as Hostname, username as UserName,
  "Process Name" as ProcessName, "Command Line" as CommandLine,
  "TargetFilename" as StagedFile, "DestinationHostname" as WebhookHost,
  CASE WHEN LOWER("TargetFilename") ILIKE ANY ('%login data%','%cookies%','%web data%','%wallet.dat%')
         AND LOWER("TargetFilename") NOT ILIKE '%user data%' THEN 80
       WHEN LOWER("CommandLine") ILIKE '%discord%api/webhooks%' THEN 85
       WHEN LOWER("DestinationHostname") ILIKE ANY ('%discord.com%','%discordapp.com%') THEN 55
       ELSE 0 END as RiskScore
FROM events
WHERE (
  (LOWER("TargetFilename") ILIKE ANY ('%login data%','%cookies%','%web data%','%local state%','%wallet.dat%','%keystore.json%')
    AND LOWER("TargetFilename") NOT ILIKE '%user data%'
    AND LOWER(coalesce("Process Name","")) NOT ILIKE ANY ('%chrome.exe%','%msedge.exe%','%brave.exe%','%firefox.exe%'))
  OR LOWER("CommandLine") ILIKE '%discord%api/webhooks%'
  OR (LOWER("DestinationHostname") ILIKE ANY ('%discord.com%','%discordapp.com%')
      AND LOWER(coalesce("Process Name","")) NOT ILIKE ANY ('%discord.exe%','%slack.exe%','%teams.exe%'))
)
GROUP BY hostname, username, "Process Name", "Command Line", "TargetFilename", "DestinationHostname", devicetime
HAVING RiskScore > 0
ORDER BY RiskScore DESC
critical severity high confidence

Detects staged browser credential-store copies and Discord webhook contact indicative of infostealer exfiltration, with a risk score prioritizing the correlated staging+webhook pattern over hostname-only Discord contact.

Data Sources

Windows Sysmon Events via WinCollectMicrosoft Defender for Endpoint (via API integration)

Required Tables

events

False Positives & Tuning

  • Discord bot service accounts and CI/CD notification scripts
  • Authorized profile migration or forensic tooling copying browser artifact filenames

Other platforms for THREAT-DiscordWebhook-InfostealerExfil


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Staged Credential Copy Followed by Discord Webhook POST

    Expected signal: Sysmon Event ID 11: File Create for '...\df00tech-staged\Login Data' outside any '\User Data\' path. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-RestMethod' and 'webhook.site'. Sysmon Event ID 3: Network Connection to webhook.site on port 443.

  2. Test 2Command-Line Discord Webhook Invocation (Script-Based Exfil Simulation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks/'. Sysmon Event ID 3: Network Connection attempted to discord.com:443 (fails with 401 due to invalid token, but telemetry is still generated).

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-DiscordWebhook-InfostealerExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections