Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2020-17103 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability ... patched back in December 2020 ... To address issues recently uncovered in that patch, Microsoft recommends applying the new update.
Microsoft connects these four CVEs to specific items disclosed by the Chaotic Eclipse researcher earlier this month – respectively, these touch MiniPlasma, RedSun, YellowKey, and GreenPlasma.
10 distinct techniques documented for this family, organized by ATT&CK tactic.
The user launches the scheduled task \Microsoft\Windows\Windows Error Reporting\QueueReporting.
Modify environment variable: windir → attacker-controlled directory ... Drop payload: wermgr.exe (renamed exploit binary) ... Trigger scheduled task: \Microsoft\Windows\Windows Error Reporting\QueueReporting ... Task executes under SYSTEM context and loads attacker-controlled wermgr.exe from redirected path.
MiniPlasma is a zero-day exploit that allows local users to elevate their privileges to the highest level, SYSTEM.
Stage 7: Token Duplication
├── Duplicate SYSTEM token
├── Assign token to current user session
...
Rapidly toggles thread impersonation state ... Valid user token / Anonymous token.
The vulnerability allows unprivileged users to create arbitrary registry keys in the .DEFAULT user hive without proper access checks.
When a standard user triggers a UAC prompt, Windows switches to a secure desktop where processes like consent.exe run as SYSTEM... GreenPlasma exploits that predictability. The attacker pre-plants a symbolic link at that exact path... The attacker's unprivileged process grabs that handle the moment it appears...
wermgr.exe appearing outside its standard paths... Launch of a non-standard process under the name wermgr.exe.
Launch of system binaries, or imitations of them, from non-standard directories.
MiniPlasma targets a race condition in cldflt.sys, the kernel-mode driver responsible for managing placeholder files in OneDrive and other cloud-synchronized directories... The core of the technique is a race condition: by aborting a hydration while simultaneously forcing thread token state to change between a valid and an anonymous impersonation token, the kernel-mode handler can be reached in a context where its access check logic behaves unexpectedly.
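The detection notes above (wermgr.exe appearing outside its standard paths; system binaries, or imitations of them, launched from non-standard directories) follow directly from the windir-redirection chain, in which the QueueReporting task resolves wermgr.exe from an attacker-controlled directory and runs it as SYSTEM. The following is an added example of that detection logic applied to process-creation events; it is not code from the original page, the Mallory product, or the MiniPlasma proof of concept. The Sysmon-style field names (Image, ParentImage, User), the sample events, and the list of watched binary names beyond wermgr.exe are constructed assumptions.

```python
"""Flag Windows system-binary names (e.g. wermgr.exe) launched from
directories other than System32/SysWOW64.

Added example for this page. Field layout (Sysmon Event ID 1 style) and the
sample events are constructed; they are not taken from the page.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories where the watched binaries legitimately reside. Exact match only:
# writable subdirectories such as System32\Tasks must not inherit trust.
TRUSTED_SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# wermgr.exe is the binary named on this page; the other names are common
# Windows binaries added here as an assumption to generalise the check.
WATCHED_BINARIES = {"wermgr.exe", "svchost.exe", "taskhostw.exe", "consent.exe"}

SYSTEM_ACCOUNTS = {r"nt authority\system", "system"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    image: str
    user: str


def _norm_dir(path: str) -> str:
    """Lower-cased, normalised directory part of a Windows path."""
    return ntpath.normpath(ntpath.dirname(path)).lower().rstrip("\\")


def is_in_trusted_dir(image: str) -> bool:
    """True when the image sits directly in one of the trusted system dirs."""
    return _norm_dir(image) in TRUSTED_SYSTEM_DIRS


def evaluate_event(event: dict) -> Finding | None:
    """Return a Finding for a watched binary name running from an untrusted
    directory, or None when the event is benign under these rules."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    if name not in WATCHED_BINARIES or is_in_trusted_dir(image):
        return None
    user = event.get("User", "")
    # The chain on this page ends with the redirected wermgr.exe executing as
    # SYSTEM via the scheduled task, so SYSTEM context raises the severity.
    severity = "high" if user.lower() in SYSTEM_ACCOUNTS else "medium"
    rule = ("wermgr.exe outside standard path" if name == "wermgr.exe"
            else "system binary name from non-standard directory")
    return Finding(rule, severity, image, user)


def scan(events) -> list[Finding]:
    """Apply evaluate_event to every event, keeping only the findings."""
    return [f for f in (evaluate_event(e) for e in events) if f is not None]


# Constructed sample events: one legitimate wermgr.exe, one resolved through a
# redirected windir and run as SYSTEM, one impostor svchost.exe, one SysWOW64.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\redir\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Users\alice\Downloads\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"DESKTOP\alice"},
    {"Image": r"C:\Windows\SysWOW64\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.image} ({f.user})")
```

Running the block against the constructed events yields two findings: the redirected wermgr.exe running as SYSTEM (high) and the impostor svchost.exe launched from a user profile (medium); the two genuine System32/SysWOW64 launches are ignored. In production the same logic would run over Sysmon Event ID 1 or Windows Security 4688 records, and the trusted-directory list should be kept exact rather than prefix-based.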
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named item tied to CVE-2020-17103 in the Chaotic Eclipse disclosures; Sophos lists detection as Troj/MiPlasma-A.
A named variant discussed in the context of detection-rule bypasses. The article references MiniPlasma rules and variants alongside Green Plasma, but provides limited direct technical detail on MiniPlasma itself.
Mentioned as a variant related to GreenPlasma, but the content does not provide technical detail beyond naming it alongside GreenPlasma.
A .NET proof-of-concept exploit for a race condition in cldflt.sys during cloud file hydration operations. It uses CfAbortOperation and token-state manipulation to bypass access checks, redirect registry paths, and trigger SYSTEM execution via Windows Error Reporting scheduled tasks.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.