Adversaries may sign malicious files with a compromised code-signing certificate so that the files look legitimate and pass controls that trust signed code (ATT&CK T1553.002, Subvert Trust Controls: Code Signing). In the Nobelium campaign the trojanized SolarWinds Orion component (SUNBURST) was signed with SolarWinds' own certificate. SOC teams should proactively hunt in Azure Sentinel, using the Microsoft 365 Defender device tables, for files signed with that certificate. A match identifies files to triage rather than a confirmed compromise, because SolarWinds also signed its legitimate releases with the same certificate; the query does not itself observe command and control or lateral movement, but a confirmed hit marks the supply-chain foothold those later stages were built on.
KQL Query

```kusto
// Files whose Authenticode signer is the compromised SolarWinds certificate.
// Signer and SignerHash (SHA-1 thumbprint of the signing certificate) are matched exactly.
DeviceFileCertificateInfo
| where Signer == 'Solarwinds Worldwide, LLC' and SignerHash == '47d92d49e6f7f296260da1af355f941eb25360c4'
// DeviceFileCertificateInfo carries no file name or path; take those from DeviceFileEvents via the file SHA1.
| join DeviceFileEvents on SHA1
| distinct DeviceName, FileName, FolderPath, SHA1, SHA256, IsTrusted, IsRootSignerMicrosoft, SignerHash
// Uncomment exactly one of the following lines for a narrower view:
//| distinct DeviceName                                     // devices with at least one matching file
//| distinct FileName                                       // matching file names
//| summarize mylist = make_list(FileName) by DeviceName    // matching files grouped by device
```
```yaml
id: 8d8a5c56-54b8-4cd9-9a9b-83d0325bf802
name: compromised-certificate[Nobelium]
description: |
  Search for files signed with the compromised SolarWinds certificate associated with the Nobelium campaign.
  The match is exact on Signer and SignerHash, so results include legitimate SolarWinds-signed files as well
  as trojanized ones; triage each SHA256 against published indicators.
  Uncomment exactly one of the trailing commented lines to:
  1. get the list of devices where at least one file is signed with the certificate
  2. get the list of files signed with the certificate
  3. get the list of files signed with the certificate, grouped by device
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
      - DeviceFileEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1553.002
tags:
  - Nobelium
query: |
  DeviceFileCertificateInfo
  | where Signer == 'Solarwinds Worldwide, LLC' and SignerHash == '47d92d49e6f7f296260da1af355f941eb25360c4'
  | join DeviceFileEvents on SHA1
  | distinct DeviceName, FileName, FolderPath, SHA1, SHA256, IsTrusted, IsRootSignerMicrosoft, SignerHash
  //| distinct DeviceName
  //| distinct FileName
  //| summarize mylist = make_list(FileName) by DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileCertificateInfo | Authenticode signer details per file (Signer, SignerHash, IsTrusted, IsRootSignerMicrosoft); populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector |
| DeviceFileEvents | File create, modify, rename and delete events with FileName, FolderPath, SHA1 and SHA256; ensure the same connector is enabled with this table selected |
Scenario: Legitimate SolarWinds Orion Binaries
Description: SolarWinds signed its genuine Orion components with this same certificate before it was revoked, so an exact Signer/SignerHash match identifies the population of SolarWinds-signed files on a device, not confirmed malware. The trojanized SolarWinds.Orion.Core.BusinessLayer.dll carried a valid signature from this certificate at the time, so a trusted-looking signature does not clear a file either.
Filter/Exclusion: Do not exclude on the signer. Triage each distinct SHA256 against SolarWinds' published list of affected Orion versions and against SUNBURST/Solorigate indicator lists; files whose hashes match neither are lower priority but stay in scope until the installed version is confirmed clean.
Scenario: Historical Events for Files Already Replaced or Removed
Description: DeviceFileEvents keeps FileCreated, FileModified, FileRenamed and FileDeleted events, so a hit may describe a file that has since been patched or deleted, or a deletion performed during attacker cleanup.
Filter/Exclusion: Do not drop these rows. Carry ActionType and Timestamp into the output, confirm the file's current state on the device, and check DeviceProcessEvents and DeviceImageLoadEvents for whether it ever executed or was loaded before closing the hit.
Scenario: Offline Copies of Orion Installers
Description: Archived installers or backups of the Orion installation directory on file shares and backup targets match the signer even though nothing executes from them.
Filter/Exclusion: Treat the location as context rather than an exclusion: confirm the SHA256 is not a known-bad hash first, then deprioritize.
Scenario: Exclusions That Do Not Fit This Rule
Description: Generic code-signing exclusions (files under C:\Windows\System32 or C:\Program Files\, files run by administrative or service accounts, .exe/.msp/.msu extensions, files signed by well-known vendors, internal CA certificates, backup-tool certificates) would suppress exactly the files this hunt targets: the Orion binaries are installed under Program Files, run as a Windows service, and were signed by a vendor that was fully trusted at the time. Because the match is on one certificate thumbprint, no other vendor's or internal CA's certificate can share characteristics with it and be caught by mistake.
Filter/Exclusion: None of the above. The only defensible narrowing is by confirmed-good SHA256 after triage.
Scenario: Certificate Used for Secure Communication (e.g., TLS/SSL)
Description: DeviceFileCertificateInfo records the Authenticode certificate that signed a file, not TLS server or client certificates, so a certificate used for secure communication between a web server and a client cannot produce a match here.
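As an added example (not the query from the Azure-Sentinel repository or the page above), the following KQL keeps the same Signer/SignerHash match and adds the triage context the scenarios above call for: a time window, the ActionType and initiating process for each event, and a Verdict column that compares each SHA256 against a known-bad list. The knownBadSha256 entries are placeholders, an assumption for illustration only; populate them from an indicator source you trust before running this.

```kusto
// Added triage example, not the hunting query shipped with the page. Same certificate match,
// enriched with the context needed to separate legitimate SolarWinds-signed files from known-bad ones.
let lookback = 30d;
let compromisedSigner = 'Solarwinds Worldwide, LLC';
let compromisedSignerHash = '47d92d49e6f7f296260da1af355f941eb25360c4';
// Known-malicious SHA256 values from a trusted indicator list. The entries below are
// placeholders (assumption), not real indicators; replace them before use.
let knownBadSha256 = dynamic(['<sha256-from-your-indicator-list-1>', '<sha256-from-your-indicator-list-2>']);
DeviceFileCertificateInfo
| where Timestamp > ago(lookback)
| where Signer == compromisedSigner and SignerHash =~ compromisedSignerHash
| project SHA1, IsTrusted, CertificateSerialNumber
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    // Keep every ActionType: a FileDeleted row can be attacker cleanup, not just remediation.
    | project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256,
              InitiatingProcessFileName, InitiatingProcessAccountName
) on SHA1
// Exact hash comparison against the indicator list; everything else is a signer match to triage.
| extend Verdict = iff(SHA256 in~ (knownBadSha256), 'KnownBad', 'SignerMatchOnly')
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Files = make_set(FileName), Paths = make_set(FolderPath),
            ActionTypes = make_set(ActionType),
            Writers = make_set(InitiatingProcessFileName),
            Accounts = make_set(InitiatingProcessAccountName)
            by DeviceName, SHA256, Verdict, IsTrusted
// 'KnownBad' sorts before 'SignerMatchOnly', so confirmed indicators surface first.
| order by Verdict asc, LastSeen desc
```

One row per device and hash makes the triage decision explicit: a KnownBad row is an incident, a SignerMatchOnly row is a SolarWinds-signed file whose SHA256 still has to be checked against the vendor's list of affected versions. The Writers and Accounts sets show which process and account wrote or modified the file, which is the first question after the hash check.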