LAPSUS$ TTPs & MITRE ATT&CK Mapping
Two interesting techniques used by LAPSUS$ (Code Signing, Disable and Modify Tools)
TA0005: Defense Evasion
T1553.002: Subvert Trust Controls: Code Signing
Subvert Trust Controls: Code Signing
Adversaries may create, acquire, or steal code-signing materials to sign their malware or tools. Code signing provides…
NVIDIA certificates used to sign malicious software
The leak includes two stolen code signing certificates used by NVIDIA developers to sign their drivers and executables.
A code signing certificate allows developers to digitally sign executables and drivers so that the Windows operating system and users can verify who published the file and whether a third party has tampered with it. Microsoft requires kernel-mode drivers to be code signed before the operating system will load them, as a security measure in Windows.
Threat actors used the stolen NVIDIA code signing certificates to sign malware so that it appears trustworthy, evades security controls, and, in the case of malicious drivers, is loaded by the machine.
Mimikatz signed by NVIDIA certificate
Malware signed by NVIDIA certificate
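The defensive counterpart to this technique is a signer-level check rather than a "is it signed?" check: a valid Authenticode signature from a stolen certificate is still a red flag. The following PowerShell script is an added example (not code from the original article, LAPSUS$, or NVIDIA) that scans files and currently loaded drivers, flags any whose signer certificate serial number is on a blocklist of leaked certificates, and also reports signatures that fail validation or whose signer certificate is past its expiry without a timestamp countersignature. The serial numbers in `$BlockedSerials` are placeholders that must be replaced with the serials published by your threat-intelligence source; the scan paths are assumptions for illustration.

```powershell
# Added example: hunt for binaries and drivers signed with a leaked code-signing
# certificate. Serial values are PLACEHOLDERS; fill them from your CTI feed.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32\drivers", "$env:ProgramData"),
    [string[]]$BlockedSerials = @(
        'PLACEHOLDER-SERIAL-1',   # leaked NVIDIA certificate #1 (placeholder)
        'PLACEHOLDER-SERIAL-2'    # leaked NVIDIA certificate #2 (placeholder)
    )
)

function Test-SuspiciousSignature {
    # Returns $null for files that raise no concern, otherwise a finding object.
    param([Parameter(Mandatory)][string]$FilePath)

    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate
    if (-not $cert) { return $null }   # unsigned files are a separate policy question

    $reasons = @()
    # Serial numbers are compared upper-case, the form X509Certificate2 reports them in.
    if ($BlockedSerials -contains $cert.SerialNumber.ToUpper()) {
        $reasons += 'signer serial is on the leaked-certificate list'
    }
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is $($sig.Status) ($($sig.StatusMessage))"
    }
    # An expired signer with no trusted timestamp cannot be proven to have signed
    # while the certificate was still valid; worth a look even if policy allows it.
    if ($cert.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
        $reasons += 'signer certificate expired and signature has no timestamp'
    }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Path       = $FilePath
        Subject    = $cert.Subject
        Serial     = $cert.SerialNumber
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Reasons    = ($reasons -join '; ')
    }
}

function Get-LoadedDriverPaths {
    # Loaded kernel drivers are the highest-value targets for a stolen certificate,
    # so check them regardless of where on disk they live.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' }   # strip \??\ prefix
}

$candidates = @()
$candidates += Get-LoadedDriverPaths
foreach ($p in $Paths) {
    if (Test-Path $p) {
        $candidates += Get-ChildItem -Path $p -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty FullName
    }
}

$findings = $candidates | Sort-Object -Unique | ForEach-Object {
    if (Test-Path $_) { Test-SuspiciousSignature -FilePath $_ }
}

if ($findings) {
    $findings | Format-Table Path, Subject, Serial, Reasons -AutoSize
} else {
    Write-Host "No signatures matched the blocklist or failed validation."
}
```

Run it from an elevated prompt so the driver directory is readable; on a large share, narrow `-Paths` rather than scanning everything. The serial-number match is the decisive check for this incident class, because `Status` alone reports "Valid" for malware signed with a genuinely issued but stolen certificate; the other two checks only add context. Matched files should be quarantined and their thumbprints fed into your application-control or EDR blocklist rather than handled by this script.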