Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-DiscordWebhook-InfostealerExfil.
Upgrade to ProDetect Infostealer Credential Exfiltration via Discord Webhook in Splunk
Commodity infostealer malware (RedLine, Raccoon, Vidar, Lumma) and remote access trojans (AsyncRAT) overwhelmingly favor Discord webhooks as a C2-less exfiltration drop for stolen browser credential stores, cookies, cryptocurrency wallet files, and Discord/Telegram session tokens. The webhook URL is hardcoded into the compiled binary, requires no attacker-side listener infrastructure, and the resulting HTTPS traffic to discord.com blends into normal collaboration-tool egress that most enterprises never restrict. Because Discord is rarely blocked and the destination is a legitimate, widely-trusted SaaS domain, this vector routinely bypasses proxy category blocking and simple domain-reputation controls. The most reliable detection opportunity is not the network connection alone (Discord traffic is common) but the temporal pairing of a locked browser credential database being staged/copied by a non-browser process immediately before an outbound POST to a Discord webhook API path from that same process.
MITRE ATT&CK
- Tactic
- Exfiltration
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
(EventCode=11
(TargetFilename="*\\Login Data" OR TargetFilename="*\\Login Data For Account"
OR TargetFilename="*\\Cookies" OR TargetFilename="*\\Local State"
OR TargetFilename="*\\Web Data" OR TargetFilename="*wallet.dat" OR TargetFilename="*keystore.json")
NOT TargetFilename="*\\User Data\\*"
(TargetFilename="*\\Temp\\*" OR TargetFilename="*\\AppData\\Roaming\\*" OR TargetFilename="*\\ProgramData\\*")
NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\brave.exe" OR Image="*\\firefox.exe")
)
OR
(EventCode=3
(DestinationHostname="discord.com" OR DestinationHostname="discordapp.com")
NOT (Image="*\\discord.exe" OR Image="*\\Slack.exe" OR Image="*\\Teams.exe")
)
OR
(EventCode=1
CommandLine="*discord*com/api/webhooks/*"
)
)
| eval SignalType=case(
EventCode=11, "StagedCredentialCopy",
EventCode=3, "DiscordNetworkConnection",
EventCode=1, "WebhookURLInCommandLine",
true(), "Other"
)
| eval RiskScore=case(SignalType="StagedCredentialCopy", 80, SignalType="WebhookURLInCommandLine", 85, true(), 55)
| stats values(SignalType) as Signals, max(RiskScore) as MaxRisk, values(TargetFilename) as StagedFiles,
values(CommandLine) as CommandLines, values(DestinationHostname) as Destinations,
earliest(_time) as FirstSeen, latest(_time) as LastSeen
by host, User, Image
| eval MultiSignal=if(mvcount(Signals) > 1, 1, 0)
| sort - MaxRisk MultiSignal Detects Discord-webhook infostealer exfiltration via three Sysmon-derived signals: (1) Event ID 11 file creation of a browser credential-store filename outside its live profile directory by a non-browser process, matching the classic stealer file-staging behavior; (2) Event ID 3 network connections to discord.com/discordapp.com from processes other than the Discord client, Slack, or Teams; (3) Event ID 1 process command lines that directly embed a Discord webhook API path, covering script-based loaders. Sysmon network events do not capture the HTTP path, so the webhook-path match is scoped to command-line telemetry; hostname-only matches are lower confidence and flagged via MultiSignal when paired with a staged-copy event on the same host/process.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate Discord bot frameworks (discord.py, discord.js apps) run as scheduled services that post to webhooks as part of their normal function
- IT or DevOps automation scripts posting deployment/status notifications to a Discord webhook
- Endpoint backup or migration agents copying browser profile data as part of an approved user-profile migration workflow
- Security analysts running authorized triage tooling that stages copies of browser artifact files for forensic review
Other platforms for THREAT-DiscordWebhook-InfostealerExfil
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Staged Credential Copy Followed by Discord Webhook POST
Expected signal: Sysmon Event ID 11: File Create for '...\df00tech-staged\Login Data' outside any '\User Data\' path. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-RestMethod' and 'webhook.site'. Sysmon Event ID 3: Network Connection to webhook.site on port 443.
- Test 2Command-Line Discord Webhook Invocation (Script-Based Exfil Simulation)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com/api/webhooks/'. Sysmon Event ID 3: Network Connection attempted to discord.com:443 (fails with 401 due to invalid token, but telemetry is still generated).
References (6)
- https://attack.mitre.org/techniques/T1567/004/
- https://www.recordedfuture.com/research
- https://blog.talosintelligence.com/collab-app-abuse/
- https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord
- https://research.checkpoint.com/2023/discord-and-slack-malware-a-growing-threat/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.004/T1567.004.md
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-DiscordWebhook-InfostealerExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (1)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.