DisTrace is a collection of Python scripts designed to assist in tracking, analysing, and disrupting malware campaigns that use Discord for command & control (C2).
> **Note**
> This is intended for use by threat intelligence analysts, researchers, and security professionals.

Before starting, run `pip install -r requirements.txt` to make sure that all requirements are installed.
There are 6 scripts included in DisTrace, each described below:
- `bot.py`
- `webhook.py`
- `user.py`
- `application.py`
- `guild.py`
- `file.py`
> **Note**
> If you use DisTrace in any research or anything published, credit or a shoutout would be appreciated!

DisTrace was inspired by TeleTracker.

`bot.py` is designed for working with Discord bot tokens. Its capabilities depend on which privileged intents were enabled by the bot creator.
Run with `python bot.py -t DISCORD_BOT_TOKEN`
This script can retrieve:
- Application
  - Name
  - ID
  - Description
  - Tags
- Application Owner
  - Username
  - Display name
  - ID
- Privileged Intents
  - Presence
  - Guild members
  - Message content
- Bot
  - Name
  - ID
  - Token
  - Public
- List of guilds the bot is in
Then after selecting a guild you can retrieve:
- Guild
  - Name
  - ID
  - Creation date and time
  - Approx presence count
  - Approx member count
  - Icon
  - Splash
  - Banner
- Owner (if the server members privileged intent is enabled)
  - Username
  - Display name
  - Nickname
  - ID
- Channels (only channels that are visible to the bot)
  - Supported types: Text, Voice, Announcement, Stage, Forum
  - ID
  - Type
- Members (if the server members privileged intent is enabled)
  - Presence (if the presences privileged intent is enabled)
  - Bot/Owner
A few options are then available:
- Creating a temporary invite to a channel (if the bot has permission to create invites for the channel)
- Sending a text message in a selected channel

> **Warning**
> Creating an invite is logged to the server's audit log. Joining a server may also result in a welcome message.

`webhook.py` is designed for analysing Discord webhooks.
Run with `python webhook.py -w DISCORD_WEBHOOK_URL`
Due to the limited nature of webhooks, no messages can be retrieved. However, certain data can be retrieved:
- Webhook
  - Name
  - ID
  - Token
  - Avatar
- Guild
  - ID
- Channel
  - ID
- Creator
  - Username
  - Display name
  - ID
  - Avatar
  - Nitro type
There are then a few options available:
- Sending a text message to the channel
- Sending a JSON message to the channel (allows for embeds and more advanced messages)
- Deleting the webhook
`user.py` is designed to assist with discovering information about a user from their user ID.
Run with `python user.py -u USER_ID -a DISCORD_ACCOUNT_TOKEN -b DISCORD_BOT_TOKEN`

> **Note**
> This script works with either an account token or a bot token (if both are provided, the account token is used). An account token can provide more detail if you share a guild with the user or are friends with them.

> **Caution**
> NEVER share your account token (or bot token) with others, as this will allow them access to your account (or bot).
This script can retrieve:
- Username
- Display name
- ID
- Avatar
- Nitro type
If you have provided an account token and either share a guild with the user or are friends with them, the script can also retrieve:
- Bio
- Connected accounts
  - Type
  - ID
`application.py` is designed to assist with discovering information about an application from its application ID.
Run with `python application.py -a APPLICATION_ID`
This script can retrieve:
- Application
  - Name
  - ID
  - Description
  - Tags
  - Icon
- Bot
  - Public
- Privileged Intents
  - Presence
  - Guild members
  - Message content
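The privileged intents above are exposed on an application's public `flags` bitfield, so an analyst can read them off without any token. The following is an added example (not DisTrace's own code) that decodes those bits and summarises an application object; the bit positions are the ones from Discord's documented Application Flags, the `summarise_application` function and the sample application JSON are constructed here.

```python
"""Decode the privileged gateway intents from a Discord application's public
`flags` bitfield. Added example, not part of DisTrace; the bit positions are
the ones from Discord's documented Application Flags."""
import json

# Application Flags (bit positions from Discord's developer documentation).
GATEWAY_PRESENCE = 1 << 12
GATEWAY_PRESENCE_LIMITED = 1 << 13
GATEWAY_GUILD_MEMBERS = 1 << 14
GATEWAY_GUILD_MEMBERS_LIMITED = 1 << 15
GATEWAY_MESSAGE_CONTENT = 1 << 18
GATEWAY_MESSAGE_CONTENT_LIMITED = 1 << 19

# Each privileged intent has a full flag (the verified intent, for bots in 100
# or more servers) and a limited flag (the intent enabled in the developer
# portal, for bots in under 100 servers).
INTENT_FLAGS = {
    "presence": (GATEWAY_PRESENCE, GATEWAY_PRESENCE_LIMITED),
    "guild_members": (GATEWAY_GUILD_MEMBERS, GATEWAY_GUILD_MEMBERS_LIMITED),
    "message_content": (GATEWAY_MESSAGE_CONTENT, GATEWAY_MESSAGE_CONTENT_LIMITED),
}


def decode_intents(flags: int) -> dict:
    """Map the bitfield to {intent: 'approved' | 'limited' | 'off'}."""
    result = {}
    for name, (full, limited) in INTENT_FLAGS.items():
        if flags & full:
            result[name] = "approved"
        elif flags & limited:
            result[name] = "limited"
        else:
            result[name] = "off"
    return result


def summarise_application(app_json: str) -> dict:
    """Pull the analyst-relevant fields out of an application object (JSON text).

    Constructed helper: the field names are Discord's, the selection is ours."""
    app = json.loads(app_json)
    return {
        "id": app.get("id"),
        "name": app.get("name"),
        "description": app.get("description"),
        "tags": app.get("tags", []),
        "bot_public": app.get("bot_public"),
        "intents": decode_intents(int(app.get("flags", 0))),
    }


# Constructed sample: a bot with the limited guild-members and message-content
# flags set, i.e. enabled in the portal but not verified for 100+ servers.
SAMPLE_APP = json.dumps({
    "id": "000000000000000000",
    "name": "example-bot",
    "description": "constructed sample application",
    "tags": ["utility"],
    "bot_public": True,
    "flags": GATEWAY_GUILD_MEMBERS_LIMITED | GATEWAY_MESSAGE_CONTENT_LIMITED,
})

if __name__ == "__main__":
    print(json.dumps(summarise_application(SAMPLE_APP), indent=2))
```

A bot whose message-content intent decodes as `off` cannot read message bodies in guild channels, which narrows what an operator can do with it; `limited` or `approved` on the same intent is worth noting in a report.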
`guild.py` is designed to help identify guilds from their guild IDs.
It works by taking a guild ID and checking:
- Server Discovery
- Discord Widget
This means that it will not work with all guilds.
Run with `python guild.py -g GUILD_ID`
If a server has discovery on then it can retrieve:
- Name
- ID
- Invite
- Locale
- Creation date and time
- Keywords
- Approx presence count
- Approx member count
- Premium subs count
- Icon
- Splash
- Banner
If the server has the Discord widget enabled, then it can retrieve:
- Name
- ID
- Invite (If invite channel is enabled)
- Widget HTML link
- Approx presence count
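The widget check above relies on the public widget document that Discord serves for guilds with the widget enabled. The following is an added example (not DisTrace's own code) that builds the widget URL, parses such a document into the fields listed, and treats a refusal as "widget off". The endpoint path and the field names (`instant_invite`, `presence_count`, `channels`, `members`) are Discord's documented widget fields; the sample document is constructed.

```python
"""Summarise a Discord guild widget document. Added example, not DisTrace's
code; the widget endpoint and field names are Discord's, the sample document
is constructed."""
import json
import urllib.error
import urllib.request
from typing import Optional

WIDGET_URL = "https://discord.com/api/guilds/{guild_id}/widget.json"


def widget_url(guild_id: str) -> str:
    """Build the public widget endpoint for a guild ID.

    Only numeric snowflakes are accepted so an ID lifted from an untrusted
    indicator feed cannot smuggle path segments into the request."""
    if not guild_id.isdigit():
        raise ValueError("guild ID must be a numeric snowflake")
    return WIDGET_URL.format(guild_id=guild_id)


def parse_widget(widget_json: str) -> dict:
    """Extract the identifying fields from a widget document.

    `instant_invite` is null unless an invite channel is configured, and the
    `members` list only contains users who are currently online."""
    doc = json.loads(widget_json)
    return {
        "id": doc.get("id"),
        "name": doc.get("name"),
        "invite": doc.get("instant_invite"),
        "presence_count": doc.get("presence_count", 0),
        "channels": [c.get("name") for c in doc.get("channels", [])],
        "online_usernames": sorted(m.get("username", "") for m in doc.get("members", [])),
    }


def fetch_widget(guild_id: str, timeout: float = 10) -> Optional[dict]:
    """Fetch and parse a guild's widget; None means Discord refused
    (widget disabled or unknown guild), which is the normal negative result."""
    req = urllib.request.Request(widget_url(guild_id), headers={"User-Agent": "widget-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_widget(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        if exc.code in (403, 404):
            return None
        raise


# Constructed sample widget document (IDs and names are placeholders).
SAMPLE_WIDGET = json.dumps({
    "id": "000000000000000000",
    "name": "constructed sample guild",
    "instant_invite": "https://discord.com/invite/EXAMPLE",
    "channels": [{"id": "1", "name": "general", "position": 0}],
    "members": [
        {"id": "0", "username": "alice", "status": "online"},
        {"id": "1", "username": "bob", "status": "idle"},
    ],
    "presence_count": 2,
})

if __name__ == "__main__":
    print(json.dumps(parse_widget(SAMPLE_WIDGET), indent=2))
```

Only `fetch_widget` touches the network; parsing is kept separate so captured widget documents can be re-analysed offline.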
`file.py` is designed to assist with discovering information about a file that has been uploaded to Discord from its URL.
Run with `python file.py -f FILE_URL`
This script can retrieve:
- URL
- Type
- Upload date and time
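The upload time above, like the creation times that `guild.py` and `webhook.py` report, comes from the Discord snowflake embedded in the identifier: its top 42 bits are milliseconds since the Discord epoch (2015-01-01T00:00:00Z). The following is an added example (not DisTrace's own code) that derives these timestamps offline from a bare ID, a webhook URL, or an attachment URL; the URL regexes and the `identify` helper are constructed here, the snowflake layout and URL shapes are Discord's documented ones.

```python
"""Derive identifiers and creation timestamps from Discord artefacts without
touching the network. Added example, not DisTrace's code; the snowflake
layout and URL shapes are Discord's, the regexes and sample inputs are ours."""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z

# Webhook URLs: optional ptb/canary subdomain, legacy discordapp.com domain,
# optional API version segment.
WEBHOOK_RE = re.compile(
    r"^https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?"
    r"webhooks/(?P<id>\d+)/(?P<token>[\w-]+)$"
)
# Attachment URLs: CDN or media-proxy host; the filename stops at any
# expiring-link query parameters.
ATTACHMENT_RE = re.compile(
    r"^https://(?:cdn|media)\.discordapp\.(?:com|net)/attachments/"
    r"(?P<channel_id>\d+)/(?P<attachment_id>\d+)/(?P<filename>[^?#]+)"
)


def snowflake_to_datetime(snowflake: int) -> datetime:
    """The top 42 bits of a snowflake are milliseconds since the Discord epoch."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_webhook_url(url: str) -> dict:
    m = WEBHOOK_RE.match(url.strip())
    if not m:
        raise ValueError("not a Discord webhook URL")
    wid = int(m["id"])
    return {"id": wid, "token": m["token"], "created": snowflake_to_datetime(wid)}


def parse_attachment_url(url: str) -> dict:
    m = ATTACHMENT_RE.match(url.strip())
    if not m:
        raise ValueError("not a Discord attachment URL")
    aid = int(m["attachment_id"])
    return {
        "channel_id": int(m["channel_id"]),
        "attachment_id": aid,
        "filename": m["filename"],
        "uploaded": snowflake_to_datetime(aid),  # attachment IDs are minted at upload
    }


def identify(artefact: str) -> dict:
    """Classify an indicator (constructed helper) and attach what can be derived."""
    artefact = artefact.strip()
    for kind, parser in (("webhook", parse_webhook_url), ("attachment", parse_attachment_url)):
        try:
            return {"kind": kind, **parser(artefact)}
        except ValueError:
            continue
    if artefact.isdigit():
        return {"kind": "snowflake", "id": int(artefact), "created": snowflake_to_datetime(int(artefact))}
    return {"kind": "unknown"}


if __name__ == "__main__":
    # Constructed inputs: the ID encodes 2021-01-01T00:00:00Z, the token is a placeholder.
    sample_id = (1609459200000 - DISCORD_EPOCH_MS) << 22
    for a in (
        str(sample_id),
        f"https://discord.com/api/webhooks/{sample_id}/PLACEHOLDER_token-1",
        f"https://cdn.discordapp.com/attachments/123/{sample_id}/sample.bin?ex=0",
        "https://example.invalid/not-discord",
    ):
        print(identify(a))
```

Because the timestamp is derived locally, an analyst can date a webhook or attachment from a sample even after Discord has deleted it.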
`requests` and `discord.py` are required. All other libraries are standard libraries that come with Python.
This tool is solely designed to be used for threat intelligence purposes. Use these tools responsibly and ensure compliance with all laws and Discord's terms of service.
I take no responsibility for the actions of users of this tool or what they do with it.
This project was inspired by TeleTracker by tsale which was showcased by John Hammond in Tracking Cybercriminals on Telegram.