discord.exe - Discord Application Security Analysis
Category: Communication app
discord.exe is the desktop client for Discord, a communication platform widely used by gaming and online communities. Attackers abuse Discord's CDN to host malware, use its webhook API as an exfiltration and beaconing channel (commonly labelled "C2", though webhooks are one-way), and steal Discord authentication tokens for account takeover. Discord's ubiquity, and the fact that a stolen token authenticates without the password or an MFA prompt, make it an attractive credential-theft target.
Risk Summary
MEDIUM priority for SOC triage. discord.exe is a legitimate communication app frequently abused by attackers. Monitor for token theft attempts, webhook-based C2, CDN abuse for malware delivery, and process injection targeting Discord.
Overview
What is discord.exe?
Discord is a popular voice, video, and text communication platform; discord.exe is its Electron-based desktop client for Windows.
Core Functions
Communication:
- Text, voice, video chat
- Server/channel organization
- Screen sharing
- File sharing
Security Significance
Attacker Value:
- CDN for hosting malware
- Webhooks for C2
- Token theft for account takeover
- Electron-based (JavaScript injection risk)
Architecture
Discord uses Electron (Chromium + Node.js), so the client is largely JavaScript that runs with Node.js privileges. Token stealers commonly persist by patching the client's JavaScript modules under %APPDATA%\discord\<version>\modules (the desktop core module in particular), so the injected code hooks logins and runs every time the client starts; a reinstall is the only reliable way to clean such a client.
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | %LOCALAPPDATA%\Discord\app-<version>\Discord.exe |
| Parent | explorer.exe, or Update.exe (the Squirrel launcher; the Start Menu shortcut runs Update.exe --processStart Discord.exe) |
| User | Logged-in user (never SYSTEM) |
| Network | discord.com, discordapp.com, discord.gg, gateway.discord.gg (WebSocket), cdn.discordapp.com, media.discordapp.net |
| Children | Discord.exe (multiple renderer, GPU and utility processes) |
Multi-Process Architecture
Discord.exe (main)
├── Discord.exe --type=gpu-process
├── Discord.exe --type=renderer
└── Discord.exe --type=utility
Token Location
%APPDATA%\discord\Local Storage\leveldb\ (the Canary and PTB builds use %APPDATA%\discordcanary and %APPDATA%\discordptb)
Current clients store the token DPAPI-encrypted inside the .ldb/.log files in this folder, prefixed dQw4w9WgXcQ:, with the encryption key kept in %APPDATA%\discord\Local State (the same scheme Chromium uses for cookies). A stealer running as the user simply decrypts it with CryptUnprotectData, so encryption at rest does not stop token theft; it only changes what the stealer has to read.
Common Locations
C:\Users\*\AppData\Local\Discord\app-*\Discord.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Path: %LOCALAPPDATA%\Discord\app-*\Discord.exe
Parent: explorer.exe, Update.exe (Squirrel launcher), Discord.exe
Network: discord.com, discordapp.com, discord.gg, cdn.discordapp.com, media.discordapp.net
Behavior: Normal chat operations; only Discord.exe touches Local Storage\leveldb
SUSPICIOUS
Path: C:\Temp\Discord.exe, C:\Users\Public\Discord.exe, or any Discord.exe outside %LOCALAPPDATA%\Discord
Parent: cmd.exe, powershell.exe
Behavior: A non-Discord process reading Local Storage\leveldb (token theft)
Webhook POST requests from a process other than the client (Discord.exe itself does not post to webhooks)
CDN downloads that land as .exe, .dll, .ps1, .bat or archive files
Modified JavaScript modules under %APPDATA%\discord\<version>\modules (client-side injection)
Abuse Techniques
Technique #1: Token Theft (T1528)
Stealing Discord Tokens:
# Malware enumerates the token store (stable build shown; Canary/PTB use discordcanary/discordptb)
$tokenPath = "$env:APPDATA\discord\Local Storage\leveldb"
# It greps the .ldb and .log files for token-shaped strings and, on current clients,
# decrypts the dQw4w9WgXcQ:-prefixed values with the DPAPI-protected key from "$env:APPDATA\discord\Local State"
Commodity stealers run the same search over Chromium-based browser profiles, because the Discord web client keeps its token in the browser's own Local Storage\leveldb; a detection scoped only to the desktop client's folder misses that case. The stolen token is then posted to the attacker, very often through a Discord webhook (Technique #2).
Technique #2: Webhook C2 (T1102)
Using Webhooks for Command & Control:
POST https://discord.com/api/webhooks/<id>/<token>
# Exfiltrate stolen data (tokens, cookies, screenshots, files as multipart attachments)
Webhooks are write-only: anyone holding the URL can post into the channel, but cannot read it, so a webhook supports exfiltration and beaconing (MITRE one-way communication, T1102.003) but cannot deliver commands. Malware that needs tasking uses a bot token against the bot API or the gateway instead. The URL is the only credential, so a webhook URL found in a sample or a proxy log should be treated like a leaked password: record the numeric ID, then have the server owner delete the webhook.
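Triage of webhook URLs is quicker when the analyst can pull every distinct webhook out of a log dump and date it. The following is an added example, not code from the original page or from Discord: it extracts webhook URLs from free-form log text, ignores webhook-shaped paths on non-Discord hosts, de-duplicates by webhook ID, and decodes the ID as a Discord snowflake to recover when the attacker created it (bits 22 and up of any Discord ID are milliseconds since 2015-01-01T00:00:00Z). The proxy log lines, process names, ID and token value are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Discord snowflake IDs embed a creation timestamp: bits 22 and up are milliseconds
# since the Discord epoch, 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1420070400000

# Hosts that serve the webhook API (discordapp.com is the legacy domain and still works).
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}

# https://<host>/api[/vN]/webhooks/<snowflake id>/<token>; the token is URL-safe text.
WEBHOOK_RE = re.compile(
    r"https?://(?P<host>[a-z0-9.-]+)/api/(?:v\d+/)?webhooks/(?P<id>\d{17,20})/(?P<token>[\w-]+)",
    re.IGNORECASE,
)


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (webhook, channel, user or message ID)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def extract_webhooks(log_text: str) -> list:
    """Return the unique Discord webhooks referenced in log text (proxy logs, EDR network
    events, strings from a sample). A webhook-shaped path on another domain is skipped:
    it is not a Discord webhook, whatever the malware author named it."""
    seen = {}
    for m in WEBHOOK_RE.finditer(log_text):
        host = m.group("host").lower()
        if host not in WEBHOOK_HOSTS:
            continue
        webhook_id = int(m.group("id"))
        entry = seen.setdefault(webhook_id, {
            "id": webhook_id,
            "token": m.group("token"),
            "hosts": set(),
            "created": snowflake_to_datetime(webhook_id),  # when the attacker made the webhook
            "hits": 0,
        })
        entry["hosts"].add(host)
        entry["hits"] += 1
    return list(seen.values())


# Constructed sample proxy log lines: hosts, process names, the ID and the token are made up.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:02:11Z 10.0.0.15 POST https://discord.com/api/webhooks/1234567890123456789/aBcDeFgH-ijklmnop_QRSTuvwxyz0123456789 process=svchost32.exe
2024-05-01T10:02:12Z 10.0.0.15 POST https://discordapp.com/api/webhooks/1234567890123456789/aBcDeFgH-ijklmnop_QRSTuvwxyz0123456789 process=svchost32.exe
2024-05-01T10:05:40Z 10.0.0.22 GET https://discord.com/api/v9/users/@me process=Discord.exe
2024-05-01T10:07:03Z 10.0.0.31 POST https://evil.example/api/webhooks/1234567890123456789/zzzz process=update.exe
"""

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_PROXY_LOG):
        print(f"webhook {hook['id']} created {hook['created']:%Y-%m-%d} "
              f"seen {hook['hits']}x via {sorted(hook['hosts'])}")
```

The creation date is the useful part for triage: a webhook created minutes before the first beacon was made for this campaign, while one that is years old may be a legitimate integration someone abused. The token is kept in the result so the report can be handed to the server owner for deletion, but it should be redacted from anything shared more widely.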
Technique #3: CDN Malware Hosting (T1105)
Hosting Payloads on Discord CDN:
https://cdn.discordapp.com/attachments/.../malware.exe
Any file attached to a message is served from cdn.discordapp.com (path attachments/<channel ID>/<attachment ID>/<filename>) over HTTPS from a well-reputed domain, so the download passes simple domain-allowlist and reputation controls. Attachment URLs now carry expiring signature query parameters (ex, is, hm), so a hard-coded link goes stale; attackers simply re-upload and update the URL in their loader, and detection logic must strip the query string before inspecting the file extension.
Technique #4: Process Injection (T1055)
Injecting into Discord for:
- Token theft from memory
- Keylogging chat messages
- Screen capture
Detection Guidance
Priority #1: Token File Access
Process NOT IN ["Discord.exe", "DiscordCanary.exe", "DiscordPTB.exe"] AND
FileAccess CONTAINS "\Local Storage\leveldb" under %APPDATA%\discord (or discordcanary / discordptb)
→ ALERT: CRITICAL - Token theft attempt
Allowlist backup and EDR agents that index the profile, otherwise this rule is noisy. Extend the same logic to Chromium browser profiles if web-client tokens matter to you.
Priority #2: Webhook Traffic
Network CONTAINS "discord.com/api/webhooks" (also discordapp.com) AND Method = POST AND
Process NOT IN ["Discord.exe", "DiscordCanary.exe", "DiscordPTB.exe"]
→ ALERT: HIGH - Potential exfiltration / beaconing
The URL path is only visible with URL-level telemetry (a TLS-inspecting proxy or endpoint network events); DNS and SNI alone show discord.com, which is normal traffic. Legitimate webhook posters (CI/CD, monitoring, ChatOps scripts) should be allowlisted by host and process.
Priority #3: CDN Downloads
Download FROM "cdn.discordapp.com" (also media.discordapp.net) AND
FileExtension IN [".exe", ".dll", ".ps1", ".bat", ".scr", ".vbs", ".js", ".msi", ".zip", ".rar", ".iso"]
→ ALERT: HIGH - Potential malware download
Strip the query string (the expiring-link parameters ex, is, hm) before extracting the extension, and check the extension of the file written to disk as well as the URL.
Priority #4: Path Verification
Process = "Discord.exe" AND
Path NOT CONTAINS "AppData\Local\Discord"
→ ALERT: HIGH
Also flag a Discord.exe whose parent is not explorer.exe, Update.exe or Discord.exe; cmd.exe or powershell.exe as the parent indicates a scripted launch of a renamed binary.
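To make the four rules above concrete, here is an added example (not code from the original page or from any vendor) that implements them over simple event records such as an EDR or proxy might export: file-access, network, download and process-creation events as dictionaries. The sample events, paths, IDs, process names and the backup-agent allowlist entry are constructed for the example; the rule thresholds follow the priorities above, including the Canary/PTB variants and the query-string stripping the CDN rule needs.

```python
import ntpath
import posixpath
import re
from collections import namedtuple
from urllib.parse import urlsplit

Alert = namedtuple("Alert", "severity rule image detail")

# Client image names and user-data folder names for the stable, Canary and PTB builds.
DISCORD_IMAGES = {"discord.exe", "discordcanary.exe", "discordptb.exe"}
DISCORD_DATA_DIRS = ("\\discord\\", "\\discordcanary\\", "\\discordptb\\")
# explorer.exe for a user launch, Update.exe (Squirrel launcher) from the shortcut, Discord.exe for children.
LEGIT_PARENTS = {"explorer.exe", "update.exe", "discord.exe"}
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
PAYLOAD_EXTS = {".exe", ".dll", ".ps1", ".bat", ".scr", ".vbs", ".js", ".msi", ".hta"}
# Hypothetical allowlist of agents that legitimately read the token store (backup, EDR); tune per estate.
TOKEN_ACCESS_ALLOWLIST = {"backupagent.exe"}
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/", re.IGNORECASE)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_token_file_access(ev):
    """Priority #1: a process other than the Discord client reads the leveldb token store."""
    if ev["type"] != "file":
        return None
    target = ev["path"].lower()
    if "\\local storage\\leveldb" not in target or not any(d in target for d in DISCORD_DATA_DIRS):
        return None
    image = image_name(ev["process"])
    if image in DISCORD_IMAGES or image in TOKEN_ACCESS_ALLOWLIST:
        return None
    return Alert("CRITICAL", "token_file_access", image, ev["path"])


def rule_webhook_traffic(ev):
    """Priority #2: a POST to the webhook API from anything but the client (needs URL-level telemetry)."""
    if ev["type"] != "network" or ev.get("method", "").upper() != "POST":
        return None
    url = urlsplit(ev["url"])
    if url.hostname not in WEBHOOK_HOSTS or not WEBHOOK_PATH.match(url.path):
        return None
    image = image_name(ev["process"])
    if image in DISCORD_IMAGES:
        return None
    return Alert("HIGH", "webhook_traffic", image, f"{url.hostname}{url.path}")


def rule_cdn_download(ev):
    """Priority #3: an executable-type file fetched from the Discord CDN. urlsplit separates the
    query string, so the expiring-link parameters (?ex=&is=&hm=) cannot hide the extension."""
    if ev["type"] != "download":
        return None
    url = urlsplit(ev["url"])
    if url.hostname not in CDN_HOSTS:
        return None
    ext = posixpath.splitext(url.path)[1].lower()
    if ext not in PAYLOAD_EXTS:
        return None
    return Alert("HIGH", "cdn_download", image_name(ev["process"]), f"{ext} from {url.hostname}{url.path}")


def rule_client_path(ev):
    """Priority #4: something named Discord.exe running from the wrong place or under the wrong parent."""
    if ev["type"] != "process" or image_name(ev["process"]) not in DISCORD_IMAGES:
        return None
    reasons = []
    if "\\appdata\\local\\discord" not in ev["process"].lower():
        reasons.append("image outside %LOCALAPPDATA%\\Discord")
    parent = image_name(ev.get("parent", ""))
    if parent and parent not in LEGIT_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    return Alert("HIGH", "client_path", image_name(ev["process"]), "; ".join(reasons)) if reasons else None


RULES = (rule_token_file_access, rule_webhook_traffic, rule_cdn_download, rule_client_path)


def evaluate(events):
    """Run every rule over every event, in order, and return the alerts raised."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (user, paths, hosts, IDs and the token are made up for the example).
U = "C:\\Users\\alice\\AppData"
CLIENT = U + "\\Local\\Discord\\app-1.0.9000\\Discord.exe"
TOKEN_DB = U + "\\Roaming\\discord\\Local Storage\\leveldb\\000005.ldb"
HOOK = "https://discord.com/api/webhooks/1234567890123456789/aBcDeFgH-ijklmnop_QRSTuvwxyz0123456789"
EVENTS = [
    {"type": "file", "process": U + "\\Local\\Temp\\svchost32.exe", "path": TOKEN_DB},   # stealer reads tokens
    {"type": "file", "process": CLIENT, "path": TOKEN_DB},                               # the client itself: benign
    {"type": "network", "process": U + "\\Local\\Temp\\svchost32.exe", "url": HOOK, "method": "POST"},
    {"type": "network", "process": CLIENT, "url": "https://discord.com/api/v9/users/@me", "method": "GET"},
    {"type": "download", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "url": "https://cdn.discordapp.com/attachments/111/222/invoice.exe?ex=66aa0000&is=66a90000&hm=abcd"},
    {"type": "download", "process": CLIENT, "url": "https://cdn.discordapp.com/attachments/111/333/photo.png"},
    {"type": "process", "process": "C:\\Users\\Public\\Discord.exe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "process", "process": CLIENT, "parent": U + "\\Local\\Discord\\Update.exe"},
]

if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.image} -> {a.detail}")
```

Run against the sample events this raises exactly four alerts, one per rule, and stays silent on the four benign records (the client reading its own store, a normal API call, a PNG from the CDN, and a correctly installed client launched by Update.exe). The matching on lower-cased path substrings is deliberate: Windows paths are case-insensitive and EDR products disagree on casing, and hostnames come from urlsplit so a webhook-shaped path on an attacker's own domain never triggers the Discord rule.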
Remediation Steps
Defense: Network Monitoring
Monitor Discord CDN downloads for executables and archives, and webhook POSTs from processes other than the client. Blocking cdn.discordapp.com outright is rarely acceptable where Discord is permitted, so alerting on file type is the practical control.
Defense: Token Protection
Monitor access to the Discord leveldb folder by non-Discord processes, and monitor for writes to the client's JavaScript modules under %APPDATA%\discord\<version>\modules, which is how stealers persist inside the client.
If Compromise Suspected
- Change the Discord password immediately; this invalidates existing tokens, which is what actually evicts the attacker
- Enable 2FA if not enabled (note that 2FA does not protect a token that has already been stolen)
- Revoke all sessions
- Check for unauthorized bots and delete any unknown webhooks from server Integrations settings
- Review connected applications
- Scan the host for token stealers, and reinstall the client if its modules were modified, since a patched client will steal the new token as well