Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-DiscordWebhook-InfostealerExfil.
Upgrade to ProDetect Infostealer Credential Exfiltration via Discord Webhook in Microsoft Sentinel
Commodity infostealer malware (RedLine, Raccoon, Vidar, Lumma) and remote access trojans (AsyncRAT) overwhelmingly favor Discord webhooks as a C2-less exfiltration drop for stolen browser credential stores, cookies, cryptocurrency wallet files, and Discord/Telegram session tokens. The webhook URL is hardcoded into the compiled binary, requires no attacker-side listener infrastructure, and the resulting HTTPS traffic to discord.com blends into normal collaboration-tool egress that most enterprises never restrict. Because Discord is rarely blocked and the destination is a legitimate, widely-trusted SaaS domain, this vector routinely bypasses proxy category blocking and simple domain-reputation controls. The most reliable detection opportunity is not the network connection alone (Discord traffic is common) but the temporal pairing of a locked browser credential database being staged/copied by a non-browser process immediately before an outbound POST to a Discord webhook API path from that same process.
MITRE ATT&CK
- Tactic
- Exfiltration
KQL Detection Query
let DiscordWebhookRegex = @"discord(app)?\.com/api/webhooks/\d{17,20}/[A-Za-z0-9_-]{60,90}";
let CredFileNames = dynamic([
"Login Data", "Login Data For Account", "Cookies", "Local State",
"Web Data", "wallet.dat", "keystore.json", "Ledger Live"
]);
let BrowserProcesses = dynamic(["chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"]);
// Signal 1: a non-browser process creates a copy of a locked browser credential-store
// filename outside the live profile directory — the standard stealer technique for
// bypassing Chromium's SQLite file lock on "Login Data"/"Cookies"/"Web Data"
let StagedCredentialCopy = DeviceFileEvents
| where Timestamp > ago(2h)
| where ActionType == "FileCreated"
| where FileName in~ (CredFileNames)
| where FolderPath !has "User Data" and FolderPath !has "Mozilla"
| where FolderPath has_any (@"\Temp\", @"\AppData\Local\Temp", @"\ProgramData\", @"\AppData\Roaming\")
| where InitiatingProcessFileName !in~ (BrowserProcesses)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256;
// Signal 2: outbound HTTPS request whose path matches the Discord webhook API pattern
let DiscordWebhookPost = DeviceNetworkEvents
| where Timestamp > ago(2h)
| where RemoteUrl matches regex DiscordWebhookRegex
| project Timestamp, DeviceName, AccountName, RemoteUrl,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256, BytesSent, RemotePort;
// High-confidence: same device + same process image hash, staged credential copy
// followed within 15 minutes by a webhook POST
let CorrelatedTheft = StagedCredentialCopy
| join kind=inner (DiscordWebhookPost) on DeviceName, InitiatingProcessSHA256
| where Timestamp1 - Timestamp between (0min .. 15min)
| extend Signal = "CredentialTheftThenWebhookPost", RiskScore = 90
| project WebhookPostTime=Timestamp1, DeviceName, AccountName, FileName, FolderPath,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256,
RemoteUrl, BytesSent, Signal, RiskScore;
// Lower-confidence standalone signal: any non-collaboration-client process posting
// directly to a Discord webhook path
let StandaloneWebhookPost = DiscordWebhookPost
| where InitiatingProcessFileName !in~ ("discord.exe", "slack.exe", "teams.exe", "chrome.exe", "msedge.exe")
| extend Signal = "StandaloneDiscordWebhookPost", RiskScore = 60
| project WebhookPostTime=Timestamp, DeviceName, AccountName, FileName="", FolderPath="",
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256,
RemoteUrl, BytesSent, Signal, RiskScore;
union CorrelatedTheft, StandaloneWebhookPost
| sort by RiskScore desc, WebhookPostTime desc Two-signal detection for infostealer exfiltration via Discord webhooks. High-confidence signal correlates a non-browser process staging a copy of a locked browser credential-store file (Login Data, Cookies, Web Data, wallet.dat) with an HTTPS POST from that same process hash to a Discord webhook API path within a 15-minute window — the hallmark RedLine/Raccoon/Vidar/Lumma pattern. A lower-confidence standalone signal flags any non-collaboration-client process contacting a Discord webhook path even without the correlated staging event, to catch stealer variants that read credential databases in-memory without dropping a staged copy to disk.
Data Sources
Required Tables
False Positives & Tuning
- Discord bots, moderation tools, or CI/CD integrations legitimately posting build/status notifications to a Discord webhook from a scripted or scheduled process
- Password manager or browser-sync utilities that legitimately stage a temporary copy of a credential store during migration or backup operations
- Security or forensic tooling that intentionally copies browser artifact files for authorized investigation, triggering the staged-copy signal
- Developer workstations testing a Discord bot integration that posts JSON payloads to a webhook.site or personal Discord server for debugging
Other platforms for THREAT-DiscordWebhook-InfostealerExfil
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Staged Credential Copy Followed by Discord Webhook POST
Expected signal: Sysmon Event ID 11: File Create for '...\df00tech-staged\Login Data' outside any '\User Data\' path. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-RestMethod' and 'webhook.site'. Sysmon Event ID 3: Network Connection to webhook.site on port 443.
- Test 2Command-Line Discord Webhook Invocation (Script-Based Exfil Simulation)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks/'. Sysmon Event ID 3: Network Connection attempted to discord.com:443 (fails with 401 due to invalid token, but telemetry is still generated).
References (6)
- https://attack.mitre.org/techniques/T1567/004/
- https://www.recordedfuture.com/research
- https://blog.talosintelligence.com/collab-app-abuse/
- https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord
- https://research.checkpoint.com/2023/discord-and-slack-malware-a-growing-threat/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.004/T1567.004.md
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-DiscordWebhook-InfostealerExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (1)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.