![Disrupting Cracked Cobalt Strike [The Microsoft Threat Intelligence Podcast] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/58ab7ae0-def8-11ea-b34c-b35b208b0539/image/daily-podcast-cover-art-cw.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Sherrod DeGrippo
Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little, little weird, but don't worry, I'm your guide to the back alleys of the threat landscape. The effort to knock cracked Cobalt Strike offline began in 2021, when DCU, an eclectic global group of cybercrime fighters, wanted to make a bigger dent in the rise in ransomware attacks. Previous operations had targeted individual botnets like TrickBot and Necurs separately. But ransomware investigator Jason Lyons proposed a major operation targeting many malware groups and focused on what they had in common: their use of cracked legacy Cobalt Strike. Welcome to the Microsoft Threat Intelligence Podcast. And oh, boy, we're talking cracked Cobalt Strike takedown. And I am joined by my guests, Richard Boscovich, also known as Bosco, Assistant General Counsel at Microsoft, Jason Lyons, Principal Investigator with the DCU at Microsoft, and Bob Erdman, Associate VP, Research and Development at Fortra. Thank you for joining me.
Jason Lyons
Thanks for having us.
Bob Erdman
Thank you.
Sherrod DeGrippo
There's a lot of really interesting articles written about the Cobalt Strike takedown, and it happened about a year ago. So I think, Jason, since you're sort of the lead in the technical aspect of the start of this, can you kind of walk me through what happened here and why Microsoft chose to partner with Fortra to take down cracked Cobalt Strike?
Jason Lyons
Yeah, so there was obviously a. I think we started about two years ago, and really a renewed effort to really understand the ransomware ecosystem. There was a lot of effort inside Microsoft to really understand how ransomware was impacting our customers around the world, not only from an antivirus protection or OS protection perspective, but there was also, from a digital crimes perspective, how do we identify these threat actors, how do we possibly disrupt ransomware? And, you know, what are the possible mechanisms we could use to disrupt the distribution of ransomware? So we have a lot of different internal teams inside Microsoft that do a lot of different great work. We have our incident response folks who respond to customer environments. We have our MSTIC folks that are tracking and grouping threat actors together. So there's a lot of input signals inside Microsoft. And as I was, you know, examining the ransomware ecosystem, there kept being one commonality popping up, and that was the use of cracked Cobalt Strike in these ransomware attacks.
Sherrod DeGrippo
So, Bob, help me understand with Cobalt Strike, which, being in the trenches for a long time, we've battled cracked Cobalt Strike for years. Help me understand legitimately what Cobalt Strike is used for, and then what threat actors were doing with it.
Bob Erdman
So Cobalt Strike is an adversary emulation or red teaming tool. So it allows defenders to go in and test the defenses inside of their networks, look for areas that could be compromised by a threat actor, and show how they could harden that, make sure that they're giving the best protection to their enterprises that they can. And this is a tool that Fortra took over a few years ago, developed by somebody else. And then we brought that into our fold of our security tools. And what we're seeing, and I think it especially started to grow in proliferation during COVID, was that threat actors were getting copies of the tool illegally and using it for the same types of purposes. They were going out and breaking into an enterprise and then using Cobalt Strike as part of their attack chain, using it to gain lateral movement and exfiltrate data from unsuspecting victims. So this is something that we had been working on, and we're really happy to work with Microsoft to have an even greater effect on this.
Sherrod DeGrippo
So I guess now is a great time to ask Bosco. I don't understand the legal mechanisms here to take something like this down. I know that it leveraged the DMCA, which I think is creative and wild. And the DMCA is so controversial. Whose idea was this? Where did this come from? Help us understand from a legal perspective, like, how did this happen?
Richard Boscovich
Yeah, the DMCA has always polarized a lot of people on both sides. Right. The Digital Millennium Copyright Act has been around for a long time. And its main purpose, if not its primary purpose, was to protect copyrights, copyright holders. And when you think about the statute itself, it was meant to protect music, artists, movies, things like that, and any type of copyrighted work. What we did at the DCU a couple of operations ago, so to speak, is try to expand our tool set from a legal perspective and include the DMCA in a unique way. Specifically against Zloader and Necurs, where we started looking at malware and trying to understand whether or not the malware was using any of our APIs or SDKs in their processes. And the reason why we, you know, came up with that idea. You know, there was a case called Google vs. Oracle, which actually ended up going to the Supreme Court. It was a Ninth Circuit case. And one of the key issues there, if not the issue, was the use of Java by Google, which of course.
Jason Lyons
Is owned by Oracle.
Richard Boscovich
Long story short, the concept of whether APIs fall within copyright protection was addressed in that case. And then eventually it went to the Supreme Court. And although the case itself was overruled, meaning that Google won the war in the sense that, hey, the court said that it was fair use, the underlying legal concept that APIs are in fact copyrightable remained. So that's still good law. So we wanted to check to see whether or not we could use that for one primary purpose when we did a couple of operations before the actual Cobalt Strike operation, and that was, can we kind of get around the Communications Decency Act, Section 230, which gives immunity to a lot of hosting providers. And there's a lot of good hosting providers, but there's some hosting providers that are somewhat recalcitrant in how they react.
Sherrod DeGrippo
I love that they're recalcitrant. And as mentioned, is this typically referred to as the safe harbor piece, or...
Richard Boscovich
Yes.
Sherrod DeGrippo
Okay. So it's the safe harbor of the DMCA, which, to my understanding, protects ISPs from. If it's automatically uploaded, then, hey, not liable as a hosting provider.
Richard Boscovich
And the CDA.
Jason Lyons
Yes.
Richard Boscovich
And for the CDA, yeah, Section 230, which is actually getting a lot of attention the last couple of years. So the great thing about the DMCA, it's really currently the only exception to that Section 230. So there was a carve-out in the DMCA. So I looked at that and said, this is what we should probably try to leverage to be much more aggressive in our takedowns when it comes down to infringing malware or command-and-control structures. So we tested that concept in a couple of cases previously and it worked. The courts agreed. They relied on the Google vs. Oracle case, and then they said, yes, that in fact is applicable. So fast forward now to Cobalt Strike. So we wanted to get that same type of impact, get the biggest hammer possible, which is the DMCA hammer, to take away and take down these cracked versions of Cobalt Strike, which of course are copyrightable. And also we did a lot of reverse engineering. This is something that Jason Lyons could talk to, on some of the ransomware that was being dropped after the leveraging of Cobalt Strike. And a lot of that reverse engineering, again, identified APIs belonging to Microsoft, which are copyrightable and have been copyrighted, in those ransomware samples as well. So it was kind of looking at it from a nice holistic way of getting the most leverage possible to persuade, aggressively, these hosting providers to take those C2s or infringing sites down which were hosting, distributing or somehow leveraging Cobalt Strike. And it was very effective, because remember, the DMCA, and here's really the kicker, is that the statute itself has very serious financial penalties if it's not taken down. The fines in the DMCA go up very fast. In fact, there was a case that we filed in the Eastern District of Virginia which was interesting.
We were filing one of our cases, and I think I was there with Jason Lyons, and it might have been TrickBot or Zloader, I don't remember right now, but there was a jury that was about to be instructed and had just left. And little did we know that a couple of months later we find out that that was the jury that awarded, in a DMCA case, I think it was something upwards of a billion-dollar jury verdict against a major Internet service provider or telco company. So that shows you how big a hammer the DMCA is. So it's a very great cause of action to use in these cases.
Sherrod DeGrippo
You could even say the DMCA is a ban hammer in a way. It's a big old ban hammer.
Richard Boscovich
It's a door.
Sherrod DeGrippo
So I guess, Jason, the question for you then is, it sounds like you were able to find a lot of cracked Cobalt Strike instances out there, either via beacons or servers. How did you find those?
Jason Lyons
Yeah, so we took a multi-source approach to identifying what we believe to be cracked Cobalt Strike. The kicker is that the only people that really know what is cracked or compromised Cobalt Strike is Fortra. Right. So I was going through this exercise of working with our Windows Defender folks collecting beacons, because Windows Defender detects any version of Cobalt Strike as malware. We were using some open source tools like Shodan, and other threat intelligence companies like RiskIQ, which is now a Microsoft company, some of their threat intelligence, because all these different services were out there collecting cracked Cobalt Strike beacons. And so we just started collecting as much data as we could from multiple sources and then doing basically a frequency analysis of what watermarks of Cobalt Strike we see the most frequently. And then obviously, looking at and extracting the value out of those watermarks, you can quickly kind of tell what's been cracked or forged. But again, it's all a theoretical exercise until we were able to partner with Fortra, who could actually give us the definitive list of what was cracked according to them. And then we could apply that to our takedown pipeline.
Sherrod DeGrippo
Bob, how'd you make that decision?
Bob Erdman
I think it was a pretty easy one for us. Fortra, on its own, was kind of heading down that same path. We were doing our own surveys and investigations. We had our own set of partners that we were working with to gather data on where we were seeing these things out across the Internet. And we were actually using the DMCA in much more of a traditional fashion, looking for the places that the software is being shared, where these actors are getting their copies from, and then using the DMCA to knock down those sharing sites and those places where the files are proliferating. But once Microsoft reached out, being able to combine the telemetry data that they were seeing, which in large part was different than the telemetry data that we were seeing, it really gave us a much broader picture of what was going on in the Internet at large. And then it's very easy for us to tell, as the license issuers, which copies were legitimate and which copies weren't. You know, sometimes it's easy. Jason can look at a fake watermark and it's pretty obviously fake. But a lot of times we can't really tell without going back and seeing if it had ever been issued, or maybe it was issued and somebody lost control of their environment and it had been compromised. Those also go in the list. So it let us quickly make that determination. And really, Microsoft had a bigger scale than we could go after. We weren't seeing all the effects that we wanted to. And being able to partner, you know, let us combine forces and really reach out a lot farther.
Sherrod DeGrippo
So prior to the contact from Microsoft, you were doing traditional DMCA notification submissions to ISPs that had, like, forums and hosting of cracked Cobalt Strike, social media...
Bob Erdman
Type sites, forums and hosting, anonymous file share sites, and passing IOCs out to the community. But it was really more, we see this server over here and we know it's bad. Here's an IP and a port. But we didn't have the tools to really take it down. We could just identify it and try and make everybody know that it's there. So it was really giving us one more step in the chain to really go after these providers and knock it down with the DMCA theory that Bosco provided.
Sherrod DeGrippo
So, Bosco, that makes me want to ask you then, it sounds like this strategy was not to just submit the traditional DMCA notification to hosts. What did we do that was different than that, that leveraged the DMCA? Because I saw there was, like, an order from a judge that gave us some kind of extra legitimacy. What is that?
Richard Boscovich
The DMCA itself has a statutory mechanism, and it, depending how you kind of set up the program, in and of itself is really, as we mentioned earlier, a big hammer. You know, there's the financial penalties, but it's kind of a series. You really have to follow the statute very carefully. It's kind of a quick interaction where notification goes out, which has to provide a certain quantum of information. For that information, there's going to be a response, and depending on the response, it's taken down, or there's a potential for litigation. That's the traditional statutory DMCA, which is very effective, but it takes some time. What we've done is that we went ahead and we said, okay, we're going to have causes of action under the DMCA, but we're going to get court orders. Now the court order changes the dynamics of that statutory, you know, dance of communications back and forth, and accelerates it. Because now it is a federal court order directed at the hosting provider. So you speed things up exponentially. So that process of taking things down goes much, much faster. So that's what we did. We kind of, you know, accelerated the process by seeking the court's intervention via court orders pursuant to the DMCA and a host of other, both common law and other types of causes of action, to accelerate the takedown process, not only on the site's hosting, but there was always a component of domain seizure, which was very integral to the operation and was going in parallel also, with court orders to seize domains that were also leveraging cracked Cobalt Strike.
Sherrod DeGrippo
That is so fascinating, because that's not the traditional understanding that most people have of the way the DMCA is leveraged. To my understanding, like, you submit a DMCA notification to a host that you're a copyright owner, and that user that's uploaded has the option to take it down or submit a counter-notification saying, hey, get out of here. If you really want to deal with this, take me to court. So my question is, did we get any kind of pushback or counter-DMCAs, or anybody that said, hey, I'm not taking this out? No, not a single one. Okay.
Richard Boscovich
Not domestically. I mean, obviously we're talking within the US jurisdiction. No. Once the court order came back in, and to the credit of both the Fortra and Jason Lyons and the DCU and Microsoft teams, we presented overwhelming evidence and very specific evidence to the court. And that really assisted us in getting these orders and kind of really made the court's job easier from that perspective. And once we had those orders locked in, it was basically, you know, it goes out, the order goes out, the sites go down.
Sherrod DeGrippo
And what do you think it was that was compelling to a judge to say, you know what, enough is enough, I'm ready to do an order?
Bob Erdman
Well, that's.
Richard Boscovich
It's a great question, especially when it comes to the domain seizure side. One of the things that a lot of lawyers understand is that the courts are really overburdened. They're listening to a lot of cases, you know, a lot of criminal cases, a lot of cases, even at the federal level. So many times, you know, when a federal judge sees a copyright or an IP-type case from a civil perspective, they kind of view it, oh, my God, it's Microsoft. Oh, it's Fortra, or it could be whatever multinational coming in, trying to protect itself. It deals with the case a little bit differently. What we try to do, and what we have to do, especially on the domain seizure side, because we're seizing something ex parte, is that we're going to seize the domain first and then give notice to the defendant. There's a balancing test that we have to do, because that's a constitutional question, and that is a balancing test on, does the public harm outweigh the defendant's right to prior notice? So what that means, basically, is that we have to show that, hey, yeah, this is an IP case, it's a copyright case. We want to seize something, but it's not only to protect Microsoft's IP or to protect Fortra's IP. There's a huge public policy, public safety component, and we always do a very good job in explaining, well, this is what's happening with the cracked Cobalt Strike. It's leading to all of these bad things happening to the public, to consumers, to end users. And that's a very compelling argument. It meets our requirement under the statute, and it allows the court to view the case very differently from a standard copyright case. And it becomes a case which is really more for public good, for public welfare.
Sherrod DeGrippo
I think that's so interesting, because one of the constituents that you didn't mention that I would like to mention is detection engineers. They really benefited from this, because for years, cracked Cobalt Strike was just a pain in the rear for those who create detections and security products, because it was a constant battle to say, ugh, that's a cracked Cobalt Strike beacon. So, Bob, my question for you is, what has been the impact from your point of view, from your perspective, over the past year? What's the difference today versus before this action took place for you?
Bob Erdman
I think one of the biggest differences is in the global surveys that we perform with Microsoft and what we're seeing on a daily basis: where are things being used? How much of this are we seeing? More than a 50% reduction in active systems. I mean, we're not at zero. We know this is going to be a long-term effort, but the amount of systems that are proliferating has been greatly reduced. The places that we were seeing the software shared have been greatly reduced. People are a little bit scared now in some respects. We see people warning each other about being exposed up on the Internet and being found by this effort. We've also seen a geographic shift of where these things run from. So when you're going to stand this up, you have to host it somewhere. And just where those things are able to be hosted now, because of these actions, has kind of pushed it into a smaller pocket of the globe, which makes it easier for people to defend against, just by knowing where it might be coming from.
Sherrod DeGrippo
So I guess from our side, Jason, from Microsoft's point of view, what's been the impact here? I know that, you know, we've seen some botnets impacted. Have you sort of seen any difference in the past year that relates to your visibility?
Jason Lyons
Oh yeah, there's been a dramatic drop, and when we started we would observe a thousand active Cobalt Strike C2 servers a day, right. And since the takedown we're down to a couple hundred a day. So it's been a dramatic increase. And I just want to point out that, like, the scope and scale of this operation was huge. Right. So we were not only targeting domains that were hosting cracked Cobalt Strike, we were targeting also just pure IP hosting. So we had to build all this automation in the background to basically be able to tackle this at scale. And so we built what we call crawlers and emulators that would go out and take these inputs from the different sources I had mentioned earlier, Defender, RiskIQ, Shodan, use those as inputs. Our automation would go out, make contact with those C2s or domains, confirm and download a beacon, and then basically extract the watermark from those beacons and determine whether it's bad or good. And then, if it was bad or good, it then would get kicked over to the DMCA automation email notification system, which would then kick out automatic DMCA notifications. I think we're averaging a couple thousand emails a day going out. So the scale of this thing was huge.
Sherrod DeGrippo
I love that it's automated. So essentially we're like, just, we're using a bot to find and destroy, to search and destroy for cracked Cobalt Strike. Bob, you're laughing. Why do you think that? Don't you think that's kind of a good characterization, or no? No, I do think it's good.
Bob Erdman
I was going to throw even more in the automation. The messaging that's going out is actually targeted by the place that we're seeing, the infrastructure. So there's even more automation that Jason's team has built so that a message that might go out to a US provider is different than a message that might go out to a European provider based on where we're seeing things.
Jason Lyons
Yeah, that's a good point. We had, like, I think we're up to over 30 different email notification templates for different countries. Yes. So, Bosco did a lot of work on researching what laws we could use in certain countries and areas that would basically effect some takedown.
Sherrod DeGrippo
Okay, well, that's a super nerdy thing that you've just walked me into, Bosco. What's the global DMCA equivalent looking like?
Richard Boscovich
I mean, there really is no exact equivalent now. I mean, there's some EU regulations and security rules in the EU that were very helpful and that act almost as fast. And I think there's some new legislation now, since then, that's just passed. That's really good. But we had to take a look and see if there are any unique notification processes and templates that we'd have to use. And I'll give an example. You know, for example, in the case of cracked Cobalt Strike that was located in China, you know, there are very specific ways and specific parties you have to notify. And so we had to make sure that our templates were consistent with the local rules and laws in that jurisdiction, and make sure that all of our notifications went directly into that particular mailbox. So it took some time. There were a lot of templates, but we've gotten some very good results. Even in a lot of the foreign jurisdictions which are outside of the ability of US courts to uphold any law, simply by kind of leveraging their local regulations and notification processes.
Sherrod DeGrippo
That's incredible, that you're essentially automating a global notification and takedown of threat actor infrastructure, partnered with the legitimate software publisher, Fortra. So I guess, like, kind of the next question is, where do we go from here? And Jason, I'll ask you, like, it sounds like cracked Cobalt Strike is at a much reduced level than it was before, from a volume perspective. What are the criminals doing now? Like, what's the next thing?
Jason Lyons
You know, there's always some new thing on the scene, right. And it just really depends on these actor groups and what they're comfortable with. You know, when you talk about the more sophisticated groups, you know, there's usually custom stuff that they create. They also, you know, utilize, basically, you know, cybercrime as a service. You know, you have these different service-level providers that provide, you know, usage of botnets. You know, we've got DarkGate out there. There's always another tool to replace the last thing we took down. We also see use of other post-exploitation tools that are commercially available as well. Not as prolific as what we saw, but there's always a mixed bag of people taking open source tools that are used for pentesting and then using them for cybercrime.
Sherrod DeGrippo
Very cool. And Bob, tell me, what are you seeing in terms of your next frontier on dealing with cracked Cobalt Strike or other kinds of abuse that threat actors might do, leveraging your work?
Bob Erdman
Yeah, we work in a lot of areas other than Cobalt Strike, and we're trying to take these same kinds of techniques that we've seen here, and how successful this has been, and apply them to things like phishing kits as a service and other larger ecosystems like this. And I think it's really encouraging that we're seeing more and more of these law enforcement operations going after these larger sources, knocking down whole environments, whole threat actor groups, all in one shot. It's been great having the publicity around this, because we're also getting more inputs, and I think that's helping all of our jobs. We're getting more reach-out from private investigator-type parties, we're getting more reach-out from public law enforcement-type sources, feeding indicators and bringing those into the pool so we can run them through the pipeline and add them to the list. So that's been a really great thing to see, and we're going to continue doing the same kind of work. This will be a multi-year effort. As far as Cobalt Strike, you know, as the product's changing to make it harder to abuse, and then we're pushing on the other end on anything that we find, to be able to shut it down, you know, we're going to keep pushing towards that zero number in the future here.
Sherrod DeGrippo
Can you tell me just a little bit more about that? Are there any specific points that are noteworthy, that you want to mention, that you've done to make Cobalt Strike harder to abuse?
Bob Erdman
So one of the things probably not everybody knows: Cobalt Strike in itself is actually fairly well regulated. There's a lot of export restrictions on these types of tools. There's a huge vetting process that goes on in the background. We deny about as many requests for licenses as we fulfill, because they don't meet the background check when we check out a different system. That's why you see so many of these being stolen, copied. It's hard to purchase it the right way. And as part of the efforts that we had going on before we joined up with this action, as we were finding these things out on, you know, a file share site or a social media share, a Telegram channel, what have you, we were pulling them apart internally and then closing off loopholes in the product where we might have seen a threat actor was able to crack a copy and make an adjustment and use it illegitimately by a certain method. Then we could shut that down and make changes in the actual software to make it harder for the next time. And we're continuing to improve the resiliency of that front-end process from Fortra's perspective, closing the things that they've been able to abuse, making it harder to obtain copies illegitimately, and making it easier to detect from the outside for defenders, so that we can push this whole process forward.
Sherrod DeGrippo
Awesome. I love that it's, like, this continually evolving thing to make sure that cracked Cobalt Strike is kind of kept off the streets. Bosco, I want to ask you just sort of, I think for my own curiosity, can you rate the creativity level of using the DMCA for this? Is this something. For me, I find this wildly creative. But in your world that's full of lawyers and DCU people, was this kind of a, "Yeah, that's fine"?
Richard Boscovich
I mean, I think the most interesting aspect of it was, we always, for the past, you know, 15 years, we prided ourselves in developing, you know, and leveraging what would be the standard, either common law causes of action or any type of civil causes of action, which were not necessarily meant to address cybercrime, but that we've been able to apply in novel ways. So it really was novel in its application, especially when it came to the point of utilizing the copyrightability of APIs after the Google vs. Oracle case came out. So from that perspective, I think it's pretty novel, it's pretty unique, but it is consistent with what we've done in the past, and we've developed our toolkit over the past decade to address these types of questions. In fact, I think in the very near future you're going to see some additional cases in which we're going to be leveraging some very unique applications of civil law, again within the cybercrime context. So the short answer is yes, it's a unique application of a statute. And I always like to say, sometimes you don't necessarily need new law to address a problem. You just have to be able to use what you have, and use it in a unique and novel way, because the courts and common law are very receptive and are able to adapt very quickly, as we've seen over the past decade or so.
Sherrod DeGrippo
I love it. I've never heard such a creative use of the DMCA, so that's been a really fascinating thing to see. So, Jason, I'm always worried about focusing on Microsoft being secure. That's really important to me. And so did we find any cracked Cobalt Strike hanging out on Microsoft infrastructure? How do we handle that?
Jason Lyons
Yeah, that was really the first operational phase of this operation, to make sure that our own house was clean before we started going out and sending takedown notices to other providers. As you can imagine, that can be kind of a PR nightmare if Azure was hosting a bunch of cracked Cobalt Strike. Right. So yeah, really the first phase is really to work with CDOC and get a really efficient takedown process. We built a lot of.
Sherrod DeGrippo
What is cdoc?
Jason Lyons
CDOC is our Cyber Defense Operations Center. It's really an organization of multiple organizations that protect Azure and the different properties and products, Office, different things like that, in Microsoft. So it's really kind of our central point for being able to do some internal takedowns. We, like I mentioned earlier, built a lot of automation to make this stuff happen in real time. So it was a really important point for us to make sure that we were keeping our own household clean.
Sherrod DeGrippo
And can you just give me just a little bit of detail on that? Does that mean that we scanned Azure to find cracked Cobalt Strike?
Jason Lyons
That is correct, yep.
Sherrod DeGrippo
Awesome. And when we found them, what did we do?
Jason Lyons
Well, there's several different processes in Microsoft, as you can imagine, depending on who the client is, what kind of subscription is in Azure. But we really had to work out, basically, a terms-of-service takedown notice in Azure for different versions of Cobalt Strike. So the CDOC was very important for us and was really our central point of contact in trying to keep Azure clean.
Sherrod DeGrippo
Love that. Okay. So, Bosco, something else I want to understand is, you kept mentioning common law, civil stuff. I know the DMCA has criminal aspects to it. How did you kind of work with law enforcement versus civil versus criminal courts? How did all that shake out?
Jason Lyons
Yeah, I mean, that's a good question. And it's a question. We got a lot of those questions back when we started the program over a decade ago. Right. One of the things that you know, as a private litigant, both Microsoft and Fortra in this case, obviously private, private litigants, our main concern obviously, is to protect not only our customers and our intellectual property, and we have to do it very quickly and aggressively. So from a civil perspective, one of the great things about civil law in this case is that our main focus is stop the harm immediately, identify any potential victims and remediate the problem. But to do that, you also don't want to interfere with any criminal investigations because the criminal law, of course, their objective is to not deter by attribution, in other words, identifying who the bad players are, the criminals trying to indict, bring them to justice, which of course that brings a deterrent effect. So we try to kind of do two of these things at the same time to get the biggest impact possible, stop the harm immediately, start remediating, whilst at the same time allow law enforcement to go out and do their job in attribution, arrest for deterrence. So what we developed in this case, and we've been doing this manually, so to speak, until ultimately we've automated this process as well. And that is in real time deconfliction. And what I mean by that, if you go back to what Jason and Bob were talking about, identifying the cracked Cobalt Strike, where it's located and so forth, we wanted to make sure that our visibility was also visible to law enforcement for the main purpose of deconfliction. In other words, we didn't want to interfere in any ongoing criminal investigation by taking a site down via our civil process, which is very fast, as I mentioned, it goes quick, and then not allowing law enforcement to complete their work in terms of attribution for the criminal investigation.
So we developed a process where law enforcement would be able to come back and say, you know, pause, wait to give them time to do their job, whilst at the same time allowing us to clean up as much of the ecosystem as possible. And it worked out brilliantly well and we're very happy with that relationship and the ability to deconflict and partner with law enforcement. And it was interesting because we were talking to law enforcement, as was Fortra. So we just got all of it together and made it into one automated system. And we're really happy about the results.
Shera de Grippo
I love that. I love that it really is such a coordinated effort between so many different groups and organizations and being able to protect the Internet better. So, Jason, I know that we've seized about 170 domains so far in this focused operation and several even this week. So how does that work? And help me understand too, I know that we set up some sinkholes. So can you kind of help us understand what sinkholes are and how they played into this particular project?
Richard Boscovich
Yeah. So what we do is the term sinkhole is DNS sinkhole, right? So domain name system sinkhole. So when, you know, we'll just use badguy.com, right? For instance, so badguy.com has got to resolve to an IP address. And so what we do is during the course of the investigation, as we're crawling and scanning infrastructure, identifying cracked versions of Cobalt Strike, if that C2, that cracked Cobalt Strike team server is actually using a domain as infrastructure, we'll be able to capture that, right? And then we'll be able to verify the watermark and verify that the domain is hosting cracked Cobalt Strike. So part of the disruption process is then to legally take down that domain. And really the main purpose, one is to disrupt, obviously stop the harm of the infrastructure of the command and control server. But two, we then get the court to award us that domain as Microsoft. We seize that domain, it now becomes property of Microsoft. Now we can change the IP address on that domain. And now all the victims of that particular command and control server of badguy.com, for instance, are now communicating to Microsoft. And so really the point of that is really to gain visibility into the victims, right? To really understand, hey, grandma's computer is infected and they're over at that XYZ ISP. And that's really one of the, one of the really staples of I think DCU is we don't sell this as cyber, we don't sell this as threat intelligence, right? We take this intelligence and we give it out to the telcos, the ISPs to basically identify critical infrastructure and for, you know, the responders to be able to respond to this and get it cleaned up.
Shera de Grippo
Jason, I love how community focused that is. This has been amazing. Thank you so much. Bob Erdman from Fortra, Bosco from Microsoft, Jason Lyons from Microsoft. Thank you for joining me. This was a fascinating thing and I hope we get to hear back from you soon on all of the cool things that you guys are working on. I appreciate you coming on the podcast.
Richard Boscovich
Thanks for having us.
Jason Lyons
Thank you.
Bob Erdmund
Thank you.
Shera de Grippo
Thanks for listening to the Microsoft Threat Intelligence podcast. We'd love to hear from you. Email us with your ideas@tipodcasticrosoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out at mstreatintelpodcast.com for more and subscribe on your favorite podcast platform.
Disrupting Cracked Cobalt Strike: A Comprehensive Takedown Strategy
In the January 1, 2025, episode of the CyberWire Daily podcast titled "Disrupting Cracked Cobalt Strike [The Microsoft Threat Intelligence Podcast]," host Shera de Grippo delves into a groundbreaking operation aimed at dismantling the malicious use of Cobalt Strike—a legitimate cybersecurity tool repurposed by cybercriminals for ransomware attacks. Joined by key industry experts Richard Boscovich (Bosco), Assistant General Counsel at Microsoft; Jason Lyons, Principal Investigator with the DCU at Microsoft; and Bob Erdmund, Associate VP of Research and Development at Fortra, the discussion unveils the strategic, legal, and technical maneuvers that led to a significant reduction in the abuse of Cobalt Strike.
Cobalt Strike is an adversary emulation tool widely used by cybersecurity professionals to test and enhance their network defenses. However, its powerful capabilities have made it a favorite among threat actors who illicitly acquire and modify the software, referred to as "cracked Cobalt Strike", to orchestrate sophisticated cyberattacks.
Bob Erdmund explains, “Cobalt Strike is an adversary emulation or red teaming tool… [it] allows defenders to go in and test the defenses inside of the networks” (04:27). Unfortunately, during the COVID-19 pandemic, there was a notable increase in the proliferation of cracked versions, enabling cybercriminals to execute ransomware attacks more effectively.
The initiative to combat cracked Cobalt Strike began in earnest around 2021, driven by the escalating threat of ransomware. Richard Boscovich shares, “We have a lot of different internal teams inside Microsoft that do a lot of different great work… examining the ransomware ecosystem, there kept being one commonality popping up… the use of cracked legacy Cobalt Strike” (02:01).
Recognizing the need for a unified approach, Microsoft partnered with Fortra, whose team under Bob Erdmund's leadership had been independently tracking the abuse of Cobalt Strike. This collaboration combined Microsoft's extensive threat intelligence with Fortra's specialized knowledge of the tool, creating a formidable alliance against cybercriminals.
One of the most pioneering aspects of this operation was the strategic use of the Digital Millennium Copyright Act (DMCA) to take down cracked Cobalt Strike instances. Traditionally, the DMCA has been employed to protect copyrighted material like music, movies, and software from unauthorized distribution. Jason Lyons provides insight into this novel application:
“The DMCA… was originally meant to protect copyrights, copyright holders… what we did at the DCU… was try to expand our tool set from a legal perspective and include the DMCA in a unique way” (04:49).
Building on the precedent set by the Google vs. Oracle case, Lyons and his team determined that the APIs within Cobalt Strike were copyrightable. This legal interpretation allowed them to use the DMCA as a robust mechanism to target and dismantle the distribution networks of cracked Cobalt Strike.
Shera de Grippo aptly summarizes the impact of this strategy: “The DMCA is like a big old ban hammer… it's a door” (09:46), highlighting its effectiveness in swiftly removing infringing content.
The operation employed a comprehensive, multi-source approach to identify and verify instances of cracked Cobalt Strike:
Data Aggregation: Utilizing tools like Windows Defender, Shodan, RiskIQ, and open-source intelligence to collect data on Cobalt Strike beacons.
Watermark Analysis: Conducting frequency analyses of the watermarks embedded in Cobalt Strike beacons to distinguish between legitimately licensed and cracked versions.
Definitive Identification: Partnering with Fortra to obtain an authoritative list of compromised copies.
Automation: Developing automated systems to handle the vast volume of data. Richard Boscovich notes, “We built crawlers and emulators… averaging a couple thousand a day emails going out” (21:16), underscoring the scalability of their approach.
Bob Erdmund adds, “The messaging that's going out is actually targeted by the place that we're seeing the infrastructure” (21:34), indicating tailored DMCA notifications based on geographic and jurisdictional factors.
The concerted effort led to a dramatic decline in the availability and use of cracked Cobalt Strike:
Reduction in Active Servers: From 1,000 to a few hundred daily instances (19:57).
Decrease in Distribution: Over a 50% reduction in active systems, with expectations to continue pushing toward zero (18:48).
Geographical Consolidation: A shift in the hosting regions of the remaining infrastructure, which concentrates the remaining servers in fewer places and makes them easier to defend against.
Richard Boscovich emphasizes the operation's scale: “We were not only targeting domains that were hosting cracked Cobalt Strike, we were targeting also just pure IP hosting… What we built was huge” (19:57).
The success against cracked Cobalt Strike sets a precedent for future operations targeting other malicious tools and infrastructures. Bob Erdmund outlines the next steps:
“We work in a lot of areas other than Cobalt Strike… applying these techniques to phishing kits as a service and other larger ecosystems” (24:57).
The team anticipates this to be a multi-year effort, continuously adapting strategies to stay ahead of evolving cyber threats.
Before launching external takedowns, Microsoft ensured that its own infrastructure was free from cracked Cobalt Strike instances. Richard Boscovich explains the internal measures:
“The first operational phase… was to make sure that our own house was clean before we started going out and sending takedown notices to other providers” (29:27).
This involved scanning Azure for any compromised Cobalt Strike instances and implementing automated takedown processes to maintain internal security.
A critical component of the operation was coordinating with law enforcement to balance civil takedown actions with ongoing criminal investigations. Jason Lyons elaborates:
“We wanted to make sure that our visibility was also visible to law enforcement… allowing us to clean up as much of the ecosystem as possible whilst allowing law enforcement to complete their work” (31:38).
This coordination ensured that takedowns did not hinder criminal investigations, enabling a dual approach of immediate threat mitigation and long-term deterrence.
The operation against cracked Cobalt Strike exemplifies how innovative legal strategies, combined with technical expertise and collaborative efforts, can effectively disrupt cybercriminal activities. By repurposing the DMCA and automating takedown processes, Microsoft and Fortra have significantly curtailed the abuse of a critical cybersecurity tool, thereby enhancing global defenses against ransomware and other cyber threats.
As Jason Lyons aptly puts it, “Sometimes you don’t need new law to address a problem. You just have to be able to use what you have and use it in a unique and novel way” (27:55). This approach serves as a blueprint for future initiatives aimed at safeguarding the digital landscape.
This summary encapsulates the key discussions and insights from the podcast episode, providing a comprehensive overview for those who haven't listened to the full broadcast.