Using Discord as a C2
It’s good for gaming, streaming, hacking…

(Note: Please also see my followup companion piece where I go deeper into the theory of weaponizing Discord and also release a new tool, Sowing Discord: Weaponizing Discord’s CDN and Webhooks.)
Just for the hell of it, I decided to see if I could run Discord as a C2. It hit me on a whim, so I started researching this when I had a free moment to myself. I personally love Discord and have used it for almost a decade. I use it for D&D, streaming games, general catching up, etc.
You know who else loves Discord? Threat actors. It has a long and storied history of being abused to:
It certainly seemed like a worthy topic to research, so for $#!+’s and giggles…
Setting Up the Infrastructure
Before we get started, we have to set up our infrastructure to utilize Discord as our C2. You will need a few things:
- Discord account (with Developer Mode enabled)
- Discord server (where you are the owner/admin)
- Discord bot
To follow along with this specific writeup, you’ll need to have Golang installed and git clone DiscordGo, an open-source tool I found during my research:
This tool uses Discord’s API to give you the ability to:
- Retrieve system information
- Run arbitrary commands
- Download and upload files via command line (e.g. wget)
- Take screenshots
All within your Discord server!
I love the fact that this tool was released because it was exactly what I was looking for. However, there are major gaps in the Installation and Usage documentation, which is what actually prompted me to write this article.
Please note that there are other options that simply weren’t explored in this writeup.
Creating the Server
This is the easy part. First, look for the + sign on the left side panel:

From there, just pick any options you want. The important thing is to have a server ID, which all options will provide.
Creating the Bot
You’ll first want to have Developer Mode enabled for your Discord account:

Next, go to the developer portal and log into your account. It can be found here:
From there, you’ll want to create a new application and name it whatever you want:

Select the newly created application:

You’ll now want to go to the OAuth2 tab to assign its Scope and Permissions:

You don’t need to give it full Administrator access like I did. I just did that for the purposes of this writeup. Per DiscordGo’s repo you only need the following permissions:
- Send Messages
- Read Messages
- Attach Files
- Manage Server

Visit the URL and authorize the connection, and you should see the bot show as a user in your Discord server:

DiscordGo
To get this set up, do a simple git clone to your favorite directory (I went with /opt):
cd /opt
git clone https://github.com/emmaunel/DiscordGo.git && cd DiscordGo
Now we have to modify the pkg/util/variables.go config file to add our ServerID and BotToken. I just use the default text editor for Kali:
mousepad pkg/util/variables.go

You can get your ServerID by going to your settings > Widget:


To get the token, go to your bot’s page in the development portal, then go to the Bot tab to reset your token, enter your Discord credentials, then copy it down immediately:

Save the ServerID and the BotToken to the file, and make the payloads:
make

Now we’re finally ready to go!
Payload Delivery
How you actually get the payload to the target is up to you, but I’ll show a simple and manual method using ChatGPT. I’ll just flat out ask it to write me an email:

Taking this, I’ll now send this as a spearphishing attachment to one of my test accounts:

Another method is sending a payload right in the middle of a Discord DM:

As Testy, I lean into the RP a bit:

As my Testy victim, I download and execute the malicious attachment:

C&C
Back at my attacker machine a new channel is created for my compromised user. The channel is named after the compromised user’s IP address without the octet separators. It also has a pinned initial message with my user’s hostname, IP, and OS:

I can show that it easily works in Linux as well (while skipping the payload delivery and using a different bot):

You can now use Discord to issue commands on the host and drop additional payloads. To do so, you simply type in your server’s channel as if you would to a group of people and it will return the appropriate output as if you have a BASH or cmd shell.
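From the defender's side, everything described above is ordinary HTTPS to Discord, so the useful signal is which process is talking to it. The following is an added example, not part of the original post or of DiscordGo: it scans endpoint DNS-query records for processes other than the Discord client or a browser resolving Discord hostnames. The log layout (simplified from the fields a record such as Sysmon Event ID 22 carries), the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Domain suffixes Discord serves its REST API, gateway (websocket) and CDN from.
DISCORD_SUFFIXES = ("discord.com", "discord.gg", "discordapp.com", "discordapp.net")

# Assumption: image names expected to reach Discord in this environment.
# Name matching alone is spoofable; pair it with path and signature checks.
EXPECTED_IMAGES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) query=(?P<query>\S+)$")

def is_discord_host(name):
    """True for a Discord domain or any subdomain of one (not look-alikes)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DISCORD_SUFFIXES)

def find_unexpected_discord_clients(lines):
    """Return {(host, image): [queried names]} for unexpected processes resolving Discord hosts."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not is_discord_host(m["query"]):
            continue
        image_name = PureWindowsPath(m["image"]).name.lower()
        if image_name not in EXPECTED_IMAGES:
            hits[(m["host"], m["image"])].append(m["query"].lower())
    return dict(hits)

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = r"""
2024-05-01T10:01:58Z host=WS-014 image=C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe query=gateway.discord.gg
2024-05-01T10:02:11Z host=WS-022 image=C:\Users\testy\Downloads\invoice_viewer.exe query=discord.com
2024-05-01T10:02:12Z host=WS-022 image=C:\Users\testy\Downloads\invoice_viewer.exe query=gateway.discord.gg
2024-05-01T10:03:40Z host=WS-022 image=C:\Program Files\Google\Chrome\Application\chrome.exe query=cdn.discordapp.com
2024-05-01T10:04:05Z host=WS-031 image=C:\Windows\System32\svchost.exe query=notdiscord.com
""".strip().splitlines()

if __name__ == "__main__":
    for (host, image), queries in find_unexpected_discord_clients(SAMPLE_LOG).items():
        print(f"{host}: {image} -> {sorted(set(queries))}")
```

On networks where Discord is not used at all, the allowlist can be emptied so that any resolution of these domains is reported.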
Note: If you’re having trouble with the following error, “Command didn’t return anything,” this is a known issue that has a pretty easy fix:

On your developer page, go to your bot’s page > select Bot from the side tabs > enable Message Content Intent:

After following that user’s directions, I try the same command:

Just to give you an idea of what you can do, I can see that right in my Debian VM’s Downloads directory, I still have the initial payload:

From my attacker server, I do some basic file and directory enumeration, then delete the file:

While it says it didn’t return anything, that’s because there is no longer anything there:

(Edit: Thanks for pointing out my mistake, ****…)
Thankfully, you can use basic BASH commands to do things like upload files to the target system:

And just to confirm:

Note that I also downloaded a fork with recent updates (as recent as 3 weeks ago as of this writing):
Per that repo’s notes, it was updated to include screenshot and display sharing functionality, so I test that:

It works!
Conclusion
I’m sure most would opt for the more tried and true Sliver, Mythic C2, or Covenant, but this shows that Discord can definitely be used as a C2. While I think there are some minor kinks to iron out, I think DiscordGo works with relatively easy setup.
Unfortunately, as of this writing, the main project’s latest commits were in 2022. I wanted to see when they would add the upload and download functions, which are listed as work-in-progress on their README.md, and the realization set in that it’s been a while... However, I still commend the effort and this is definitely a working C2.
Thankfully, while researching this topic, I did find a Medium article where the author used Mythic C2 in conjunction with Discord, so I’ll probably be trying that at a later date. I also eventually want to work on using more malicious Discord webhooks.
References
Main
- https://github.com/emmaunel/DiscordGo
- https://discord.com/developers/applications
- https://github.com/benimoor/DiscordC2 (fork of main)