Adversaries may be using compromised NVIDIA certificates linked to the Lapsus$ group to sign malicious files and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential supply chain attacks and mitigate lateral movement risks.
KQL Query

```kusto
// Files whose Authenticode signature carries one of the two leaked NVIDIA serial numbers.
// in~ is case-insensitive: KQL's == is case-sensitive and the two serials are quoted in mixed case.
DeviceFileCertificateInfo
| where CertificateSerialNumber in~ ("43BB437D609866286DD839E1D00309F5", "14781bc862e8dc503a559346f5dcc518")
// Keep only the certificate columns before joining, so DeviceName in the output comes from
// the file event and is not shadowed by the certificate table's own DeviceName column.
| distinct SHA1, IsTrusted, IsRootSignerMicrosoft, SignerHash
| join kind=inner DeviceFileEvents on SHA1
| distinct DeviceName, FileName, FolderPath, SHA1, SHA256, IsTrusted, IsRootSignerMicrosoft, SignerHash
// Uncomment one of the following lines to change the output shape:
//| distinct DeviceName
//| distinct FileName
//| summarize mylist = make_list(FileName) by DeviceName
```
```yaml
id: fa2db236-b846-45b7-b161-00da96717051
name: compromised NVIDIA certificates [Lapsus$]
description: |
  Search for the files that are using a compromised certificate associated with the Lapsus$ group.
  You can remove the comments to:
  1. get the list of devices where there is at least one file signed with the certificate
  2. get the list of files signed with the certificate
  3. get the list of files signed with the certificate, grouped by device
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
      - DeviceFileEvents
tactics:
  - Privilege escalation
  - Vulnerability
tags:
  - Lapsus$
  - Nvidia
query: |
  // in~ is case-insensitive: KQL's == is case-sensitive and the two serials are quoted in mixed case.
  DeviceFileCertificateInfo
  | where CertificateSerialNumber in~ ("43BB437D609866286DD839E1D00309F5", "14781bc862e8dc503a559346f5dcc518")
  // Project the certificate columns first so DeviceName in the output comes from the file event.
  | distinct SHA1, IsTrusted, IsRootSignerMicrosoft, SignerHash
  | join kind=inner DeviceFileEvents on SHA1
  | distinct DeviceName, FileName, FolderPath, SHA1, SHA256, IsTrusted, IsRootSignerMicrosoft, SignerHash
  //| distinct DeviceName
  //| distinct FileName
  //| summarize mylist = make_list(FileName) by DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileCertificateInfo | Ensure the Microsoft Threat Protection data connector is enabled |
| DeviceFileEvents | Ensure the Microsoft Threat Protection data connector is enabled |
False-positive scenarios

The `Example` filters below use generic field names. In the tables the query reads, the equivalents are `Signer` in DeviceFileCertificateInfo and `FileName` / `InitiatingProcessFileName` in DeviceFileEvents.

Scenario: Legitimate NVIDIA driver updates
Description: A scheduled job that updates NVIDIA drivers may install a driver package signed with a certificate that matches the compromised NVIDIA certificate used by Lapsus$.
Filter/Exclusion: Exclude files signed by NVIDIA's legitimate certificate authority (e.g., NVIDIA Corporation or NVIDIA Inc.) using the signer field in the detection logic.
Example: `signer != "NVIDIA Corporation"`

Scenario: Admin task using NVIDIA tools
Description: An administrator may be performing a routine task with NVIDIA tools (e.g., nvidia-smi, Nsight, or CUDA utilities) that are signed with the compromised certificate.
Filter/Exclusion: Exclude processes or files associated with known administrative tools or NVIDIA software using the process.name or file.name fields.
Example: `process.name != "nvidia-smi" AND file.name != "Nsight.exe"`

Scenario: Scheduled job for GPU monitoring
Description: A scheduled job (e.g., GPU Monitor or NVIDIA System Monitor) may be running on a system and triggering the rule because it uses a certificate from the NVIDIA driver stack.
Filter/Exclusion: Exclude processes related to GPU monitoring or system diagnostics using the process.name field.
Example: `process.name != "nvidia-smi" AND process.name != "Nsight.exe"`

Scenario: Third-party tool using NVIDIA certificates
Description: A third-party application (e.g., CUDA Toolkit, TensorRT, or deep learning frameworks) may use NVIDIA-signed components that the rule flags by mistake.
Filter/Exclusion: Exclude files or processes associated with known third-party tools that use NVIDIA certificates.
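The hunt above and its exclusions, modelled offline as an added example (not code from the original page): the SHA1 join, a case-insensitive serial match, the name-based exclusions from the false-positive scenarios, and a hash allowlist as a stronger alternative. The row shapes, the `hunt` function and the sample rows are constructed for illustration.

```python
"""Offline model of the hunt: join certificate rows to file events on SHA1,
keep files whose serial matches a leaked NVIDIA serial, apply exclusions,
and summarise per device (the make_list variant of the query)."""
from collections import defaultdict

# Serial numbers quoted in the hunting query. Compared case-insensitively,
# since the page quotes them in mixed case and KQL's == is case-sensitive.
COMPROMISED_SERIALS = {
    "43BB437D609866286DD839E1D00309F5".lower(),
    "14781bc862e8dc503a559346f5dcc518".lower(),
}

def hunt(cert_rows, file_rows, excluded_file_names=(), allowed_sha256=()):
    """Return {DeviceName: sorted FileName list} for files signed with a
    compromised serial. excluded_file_names mirrors the name-based exclusions
    in the false-positive section; allowed_sha256 is a stronger allowlist of
    known-good NVIDIA binaries, since a file name is trivial to change."""
    flagged_sha1 = {
        r["SHA1"] for r in cert_rows
        if r["CertificateSerialNumber"].lower() in COMPROMISED_SERIALS
    }
    excluded = {n.lower() for n in excluded_file_names}
    allowed = {h.lower() for h in allowed_sha256}
    hits = defaultdict(set)
    for ev in file_rows:  # equivalent of `join DeviceFileEvents on SHA1`
        if ev["SHA1"] not in flagged_sha1:
            continue
        if ev["FileName"].lower() in excluded or ev["SHA256"].lower() in allowed:
            continue
        hits[ev["DeviceName"]].add(ev["FileName"])
    return {dev: sorted(names) for dev, names in hits.items()}

# Constructed sample rows (not real telemetry); hashes are placeholders.
# The serials are deliberately case-swapped relative to the query to show
# why a case-sensitive comparison would miss both.
CERT_ROWS = [
    {"SHA1": "a1", "CertificateSerialNumber": "14781BC862E8DC503A559346F5DCC518"},
    {"SHA1": "b2", "CertificateSerialNumber": "43bb437d609866286dd839e1d00309f5"},
    {"SHA1": "c3", "CertificateSerialNumber": "00112233445566778899aabbccddeeff"},
]
FILE_ROWS = [
    {"DeviceName": "ws01", "FileName": "nvidia-smi.exe", "SHA1": "a1", "SHA256": "h-a1"},
    {"DeviceName": "ws01", "FileName": "update.exe", "SHA1": "b2", "SHA256": "h-b2"},
    {"DeviceName": "srv02", "FileName": "svc.exe", "SHA1": "b2", "SHA256": "h-b2"},
    {"DeviceName": "srv02", "FileName": "tool.exe", "SHA1": "c3", "SHA256": "h-c3"},
]

if __name__ == "__main__":
    print(hunt(CERT_ROWS, FILE_ROWS))
    print(hunt(CERT_ROWS, FILE_ROWS, excluded_file_names=["nvidia-smi.exe"]))
```

Note that `tool.exe` is signed by an unrelated serial and never appears, while `update.exe` and `svc.exe` survive every exclusion because neither their name nor their hash is on an allowlist.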