
Suspicious Process With Discord DNS Query

Author: Teoderick Contreras, Mauricio Velazco, Splunk
Source: upstream

The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing "discord" in the QueryName field. This activity is significant because Discord can be abused by adversaries to host and download malicious files, as seen in the WhisperGate campaign. If confirmed malicious, this could indicate malware attempting to download additional payloads from Discord, potentially leading to further code execution and compromise of the affected system.

MITRE ATT&CK coverage

Tactic      Techniques
Execution   T1059.005 Command and Scripting Interpreter: Visual Basic

Event coverage

Provider   Event ID   Title
Sysmon     22         DNSEvent (DNS query)

Stages and Predicates

Stage 1: search

search EventCode=22 Image!="*\\AppData\\Local\\Discord\\*" Image!="*\\Program Files*" Image!="discord.exe" QueryName="*discord*"
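To show how Stage 1 behaves on concrete telemetry, here is an added Python re-implementation of that search applied to constructed Sysmon Event ID 22 records (this is illustrative code written for this page, not Splunk's rule or engine). It emulates Splunk's field comparison, where `*` matches any run of characters and the comparison is case-insensitive over the whole field; the sample events and process paths are made up.

```python
import re

# Values copied from Stage 1. In SPL the doubled backslashes are string
# escapes; these raw strings hold the single backslashes they match.
EXCLUDED_IMAGE_PATTERNS = [
    r"*\AppData\Local\Discord\*",
    r"*\Program Files*",
    r"discord.exe",
]
QUERY_NAME_PATTERN = "*discord*"

def splunk_wildcard_match(pattern: str, value: str) -> bool:
    """Splunk-style compare: '*' is a glob, the rest is literal, case-insensitive, whole field."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None

def matches_rule(event: dict) -> bool:
    """Stage 1 of the rule applied to one Sysmon event (dict of field -> value)."""
    if event.get("EventCode") != 22:
        return False
    image = event.get("Image", "")
    # Any matching Image!= clause excludes the event (known-good Discord client paths).
    if any(splunk_wildcard_match(p, image) for p in EXCLUDED_IMAGE_PATTERNS):
        return False
    return splunk_wildcard_match(QUERY_NAME_PATTERN, event.get("QueryName", ""))

def flag_suspicious(events: list) -> list:
    """Return (process_name, QueryName) pairs for the events the rule would surface."""
    return [(e["Image"].rsplit("\\", 1)[-1], e["QueryName"]) for e in events if matches_rule(e)]

# Constructed sample Sysmon events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 22, "Image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "QueryName": "discord.com"},                        # legitimate client path: excluded
    {"EventCode": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "cdn.discordapp.com"},                 # browser under Program Files: excluded
    {"EventCode": 22, "Image": r"C:\Windows\System32\wscript.exe",
     "QueryName": "cdn.discordapp.com"},                 # script host resolving Discord CDN: flagged
    {"EventCode": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "time.windows.com"},                   # unrelated query: not matched
    {"EventCode": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "QueryName": "discord.com"},                        # not a DNS event: not matched
]

if __name__ == "__main__":
    for proc, qname in flag_suspicious(SAMPLE_EVENTS):
        print(f"suspicious: {proc} -> {qname}")
```

Because Sysmon's Image field holds the full path, the whole-field comparison `Image!="discord.exe"` rarely excludes anything on its own; the two path-based exclusions do the real filtering.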

Stage 2: stats

stats BY answer, answer_count, dvc, process_exec, process_guid, process_name, query, query_count, reply_code_id, signature, signature_id, src, user_id, vendor_product, QueryName, QueryResults, QueryStatus

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field       Kind   Values                              Corpus
EventCode   eq     22                                  15 (splunk 15)
Image       ne     "*\\AppData\\Local\\Discord\\*"
                   "*\\Program Files*"
                   "discord.exe"
QueryName   in     "*discord*"                         2 (splunk 2)