LAPSUS$ TTPs

Michael Koczwara
4 min read, Mar 31, 2022

LAPSUS$ TTPs & MITRE ATT&CK Mapping


Two interesting techniques used by LAPSUS$: Code Signing, and Disable or Modify Tools.

TA0005: Defense Evasion

T1553.002: Subvert Trust Controls: Code Signing

NVIDIA certificates used to sign malicious software

The leak includes two stolen code signing certificates used by NVIDIA developers to sign their drivers and executables.

A code signing certificate allows developers to digitally sign executables and drivers so that the Windows operating system and its users can verify who published the file and whether a third party has tampered with it. Microsoft requires kernel-mode drivers to be code signed before the operating system will load them, which raises the bar for getting malicious code into the kernel.

Threat actors used the stolen NVIDIA code signing certificates to sign malware so that it appears trustworthy, evades security controls, and allows malicious drivers to be loaded on the machine.
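One defensive check that follows from this: because a stolen certificate produces signatures that Windows treats as legitimate, the signer identity itself has to be inventoried and compared against a block list. The PowerShell below is an added example, not from the original article or from NVIDIA or any vendor tooling. It uses the built-in Get-AuthenticodeSignature cmdlet to walk a directory of PE files and report any whose leaf signing certificate matches a list of thumbprints, whose signature status is not Valid, or whose certificate has expired without a countersignature timestamp. The thumbprints in $BlockedThumbprints are placeholders (the article does not give them); the scan path and the function name are my own choices.

```powershell
# Added example (not from the original article): inventory signed PEs under a path and
# flag any whose leaf signing certificate is on a block list or otherwise looks off.
# The thumbprints below are PLACEHOLDERS; replace them with values from your own intel source.
$BlockedThumbprints = @(
    'REPLACE-WITH-THUMBPRINT-OF-COMPROMISED-CERT-1',
    'REPLACE-WITH-THUMBPRINT-OF-COMPROMISED-CERT-2'
)

function Find-SuspiciousSignedBinaries {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]]                        $Blocked = $BlockedThumbprints
    )

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned file: not what this check is about

            $flags = @()
            # Authoritative check: the exact certificate known to be compromised.
            if ($Blocked -contains $cert.Thumbprint) { $flags += 'blocked-thumbprint' }
            # Supporting signals: chain did not validate, or an expired cert with no
            # trusted timestamp (a signature made after expiry has no timestamp to vouch for it).
            if ($sig.Status -ne 'Valid') { $flags += "status=$($sig.Status)" }
            if ($cert.NotAfter -lt (Get-Date) -and $null -eq $sig.TimeStamperCertificate) {
                $flags += 'expired-no-timestamp'
            }

            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Status     = $sig.Status
                    Flags      = ($flags -join ',')
                }
            }
        }
}

# Usage: scan the driver store and print a table of hits (path is an example choice).
Find-SuspiciousSignedBinaries -Path 'C:\Windows\System32\drivers' | Format-Table -AutoSize
```

The thumbprint match is the only check here that is specific to a stolen certificate; a signature produced with a leaked key that is still within its validity period will report Status = Valid and a perfectly normal-looking Subject, which is exactly why the technique works. Treat the status and expiry flags as corroborating signals and feed the Subject and Thumbprint columns into whatever allow/deny policy (for example a WDAC or AppLocker publisher rule) your environment already enforces.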

Mimikatz signed by NVIDIA certificate


Malware signed by NVIDIA certificate
