Query Details
Discord Invite Hijacking Detection
Query
// Discord Invite Hijacking Detection // https://darkatlas.io/blog/discord-invite-hijacking-how-fake-links-are-delivering-infostealers let QueryPeriod = 1h; let MonitorURLs = dynamic(["discord.com","discord.gg"]); let DiscordAccess = DeviceNetworkEvents | where Timestamp > ago(QueryPeriod) | where isnotempty(RemoteUrl) | where ActionType == @"ConnectionSuccess" | where RemoteUrl has_any (MonitorURLs) | distinct DeviceName; DeviceNetworkEvents | where Timestamp > ago(QueryPeriod) | where isnotempty(RemoteUrl) | where ActionType == @"ConnectionSuccess" | where DeviceName has_any(DiscordAccess) and RemoteUrl =~ "captchaguard.me"
Explanation
This query is designed to detect potential Discord invite hijacking attempts by monitoring network events on devices. Here's a simplified explanation of what it does:
-
Define Monitoring Period and URLs:
- It sets a monitoring period of the last hour (
1h) and specifies two URLs to monitor:discord.comanddiscord.gg.
- It sets a monitoring period of the last hour (
-
Identify Devices Accessing Discord:
- It looks at network events from devices that have successfully connected to any of the specified Discord URLs within the last hour.
- It collects a list of unique device names that have made these successful connections.
-
Detect Suspicious Activity:
- It then checks network events again within the last hour for any of these devices.
- It specifically looks for successful connections to the URL
captchaguard.me, which is suspicious in this context.
The query essentially identifies devices that have accessed Discord and then checks if those same devices have also accessed a potentially malicious URL (captchaguard.me) within the same timeframe, which could indicate an attempt to hijack Discord invites.
Details
Steven Lim
Released: June 15, 2025
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsTimestampRemoteUrlActionTypeDeviceName
Operators
letdynamicago()isnotempty()has_any()distinctand=~