discord.exe - Discord Application Security Analysis
Category: Communication app
discord.exe is the **Discord communication platform** client, widely used for gaming and communities. Attackers abuse Discord's **CDN for malware hosting**, **webhook API for C2 communication**, and steal **Discord tokens** for account takeover. Discord's ubiquity makes it an attractive target for credential theft.
Risk Summary
MEDIUM priority for SOC triage. discord.exe is a legitimate communication app frequently abused by attackers. Monitor for token theft attempts, webhook-based C2, CDN abuse for malware delivery, and process injection targeting Discord.
Overview
What is discord.exe?
Discord is a popular voice, video, and text communication platform.
Core Functions
Communication:
- Text, voice, video chat
- Server/channel organization
- Screen sharing
- File sharing
Security Significance
Attacker Value:
- CDN for hosting malware
- Webhooks for C2
- Token theft for account takeover
- Electron-based (JavaScript injection risk)
Architecture
Discord uses Electron (Chromium + Node.js), making it susceptible to JavaScript-based attacks.
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | %LOCALAPPDATA%\Discord\app-*\Discord.exe |
| Parent | explorer.exe |
| User | Logged-in user |
| Network | Discord servers |
| Children | Discord.exe (multiple) |
Multi-Process Architecture
Discord.exe (main)
├── Discord.exe --type=gpu-process
├── Discord.exe --type=renderer
└── Discord.exe --type=utility
Token Location
%APPDATA%\Discord\Local Storage\leveldb\
Common Locations
C:\Users\*\AppData\Local\Discord\app-*\Discord.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Path: %LOCALAPPDATA%\Discord\app-*\Discord.exe
Parent: explorer.exe, Discord.exe
Network: discord.com, discordapp.com
Behavior: Normal chat operations
SUSPICIOUS
Path: C:\Temp\Discord.exe, C:\Users\Public\Discord.exe
Parent: cmd.exe, powershell.exe
Behavior: Reading leveldb without Discord running; webhook POST requests; CDN downloads saved as .exe files
Attack Techniques
Technique #1: Token Theft (T1528)
Stealing Discord Tokens:
# Malware targets leveldb files
$tokenPath = "$env:APPDATA\Discord\Local Storage\leveldb"
# Extracts authentication tokens
Technique #2: Webhook C2 (T1102)
Using Webhooks for Command & Control:
POST /api/webhooks/<id>/<token>
# Exfiltrate data or receive commands
Technique #3: CDN Malware Hosting (T1105)
Hosting Payloads on Discord CDN:
https://cdn.discordapp.com/attachments/.../malware.exe
Technique #4: Process Injection (T1055)
Injecting into Discord for:
- Token theft from memory
- Keylogging chat messages
- Screen capture
Detection Strategies
Priority #1: Token File Access
Process != "Discord.exe" AND
FileAccess CONTAINS "Discord\Local Storage\leveldb"
→ ALERT: CRITICAL - Token theft attempt
Priority #2: Webhook Traffic
Network CONTAINS "discord.com/api/webhooks" AND
Process != "Discord.exe"
→ ALERT: HIGH - Potential C2
Priority #3: CDN Downloads
Download FROM "cdn.discordapp.com" AND
FileExtension IN [".exe", ".dll", ".ps1", ".bat"]
→ ALERT: HIGH - Potential malware download
Priority #4: Path Verification
Process = "Discord.exe" AND
Path NOT CONTAINS "AppData\Local\Discord"
→ ALERT: HIGH
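The four priority rules above, as an added Python example that is not part of the original page: it evaluates each rule over a handful of constructed events (the field names are hypothetical, not any vendor's telemetry schema) and returns the alert each event would raise, so the negative cases (Discord.exe reading its own leveldb, Discord.exe calling the webhook API from its install path) can be checked alongside the positive ones.

```python
import re

# Constructed sample telemetry (hypothetical field names, not a real Sysmon/EDR schema).
DISCORD = r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe"
LDB = r"C:\Users\alice\AppData\Roaming\Discord\Local Storage\leveldb\000005.ldb"
EVENTS = [
    {"kind": "file", "process": "Discord.exe", "image": DISCORD, "target": LDB},
    {"kind": "file", "process": "updater.exe", "image": r"C:\Users\Public\updater.exe", "target": LDB},
    {"kind": "network", "process": "powershell.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "url": "https://discord.com/api/webhooks/000000/PLACEHOLDER"},
    {"kind": "network", "process": "Discord.exe", "image": DISCORD,
     "url": "https://discord.com/api/webhooks/000000/PLACEHOLDER"},
    {"kind": "download", "process": "chrome.exe", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "url": "https://cdn.discordapp.com/attachments/1/2/setup.exe", "file": r"C:\Users\alice\Downloads\setup.exe"},
    {"kind": "process", "process": "Discord.exe", "image": r"C:\Temp\Discord.exe"},
]
LEVELDB = re.compile(r"Discord\\Local Storage\\leveldb", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat")

def is_discord(ev):
    return ev["process"].lower() == "discord.exe"

def token_file_access(ev):  # Priority #1: a non-Discord process touching the token store
    return ev["kind"] == "file" and not is_discord(ev) and bool(LEVELDB.search(ev["target"]))

def webhook_traffic(ev):  # Priority #2: webhook API traffic from a non-Discord process
    return (ev["kind"] == "network" and not is_discord(ev)
            and "discord.com/api/webhooks" in ev["url"].lower())

def cdn_executable_download(ev):  # Priority #3: executable content pulled from the Discord CDN
    return (ev["kind"] == "download" and "cdn.discordapp.com" in ev["url"].lower()
            and ev["file"].lower().endswith(EXEC_EXT))

def unexpected_discord_path(ev):  # Priority #4: Discord.exe running outside its install path
    return is_discord(ev) and "appdata\\local\\discord" not in ev["image"].lower()

RULES = [("CRITICAL", "Token theft attempt", token_file_access),
         ("HIGH", "Potential C2", webhook_traffic),
         ("HIGH", "Potential malware download", cdn_executable_download),
         ("HIGH", "Discord.exe outside AppData\\Local\\Discord", unexpected_discord_path)]

def triage(events):
    """Return (severity, title, process) for every rule that fires on each event."""
    return [(sev, title, ev["process"]) for ev in events
            for sev, title, rule in RULES if rule(ev)]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```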
Protection and Remediation
Defense: Network Monitoring
Monitor Discord CDN downloads for executables.
Defense: Token Protection
Monitor access to Discord leveldb files.
If Compromise Suspected
- Change Discord password immediately
- Enable 2FA if not enabled
- Revoke all sessions
- Check for unauthorized bots
- Review connected applications
- Scan for token stealers
Investigation Checklist
- Verify Discord.exe path is legitimate
- Check for leveldb access by other processes
- Review webhook API traffic
- Check for CDN downloads of executables
- Examine process injection
- Review installed Discord plugins/BetterDiscord
- Check account for unauthorized activity