YellowKey and GreenPlasma: Two New Windows Zero-Days Unveiled

Nightmare-Eclipse publicly released two new Windows zero-days, YellowKey and GreenPlasma, that can break BitLocker protection and escalate a standard user to SYSTEM, respectively. The article also links them to earlier tools like BlueHammer, RedSun, and UnDefend, and warns that the full Nightmare-Eclipse toolkit is already being actively used in intrusions.

Keypoints

  • Nightmare-Eclipse publicly released two new Windows zero-days: YellowKey and GreenPlasma.
  • YellowKey bypasses BitLocker by abusing Windows Recovery Environment behavior, enabling access to encrypted volumes via physical access and a USB drive.
  • GreenPlasma targets CTFMON to achieve SYSTEM-level privilege escalation from a standard user account without credentials or admin rights.
  • Microsoft had not yet patched YellowKey or GreenPlasma at the time of writing.
  • The new disclosures build on earlier Nightmare-Eclipse releases, including BlueHammer, RedSun, and UnDefend, which are reported as actively exploited.
  • The article describes attack chains that combine initial access, privilege escalation, defense evasion, and data theft using the full toolkit.
  • Recommended mitigations include patching, disabling USB boot, enforcing BitLocker TPM+PIN, strengthening detection, and auditing VPN and Defender activity.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – GreenPlasma is used to gain SYSTEM privileges from a standard user account by abusing CTFMON and attacker-controlled memory sections (‘standard user context → SYSTEM without interactive admin prompt’).
  • [T1068] Exploitation for Privilege Escalation – RedSun and BlueHammer are both described as paths from standard user to SYSTEM through exploitation of Windows components (‘Standard user context → SYSTEM without interactive admin prompt’).
  • [T1003] OS Credential Dumping – BlueHammer is said to yield SAM hive access and enable harvesting of NTLM hashes, LSASS, and cached domain credentials (‘SAM hive access yields NTLM hashes’ / ‘credential harvesting (SAM, LSASS, cached domain credentials)’).
  • [T1078] Valid Accounts – Initial access is described as using compromised credentials, including FortiGate SSL VPN stolen accounts (‘compromised credentials (observed: FortiGate SSL VPN with stolen account)’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – UnDefend blocks Microsoft Defender updates and can make Defender stop responding, weakening endpoint protections (‘silently blocks Microsoft Defender’s signature and definition updates’ / ‘Microsoft Defender stops responding entirely’).
  • [T1021] Remote Services – The intrusion chain mentions VPN access and lateral movement using stolen credentials or pass-the-hash for continued access (‘FortiGate SSL VPN’ / ‘lateral movement using pass-the-hash or stolen credentials’).
  • [T1075] Pass the Hash – BlueHammer is described as enabling pass-the-hash after NTLM hash acquisition (‘Pass-the-hash achieves SYSTEM’).
  • [T1105] Ingress Tool Transfer – Attackers stage payloads such as BlueHammer, RedSun, GreenPlasma, and UnDefend from user-writable directories and USB media (‘stages the BlueHammer payload in a user-writable directory’ / ‘A USB containing the YellowKey payload is inserted’).
  • [T1204] User Execution – YellowKey requires user actions such as rebooting into WinRE and entering a key combination to trigger the exploit (‘The attacker forces or waits for a reboot into the WinRE’ / ‘A specific key combination is entered’).
  • [T1547] Boot or Logon Autostart Execution – The article notes persistent implant staging on disk before reboot and execution on the next user logon (‘a persistent implant or modified executable can be placed on the drive before rebooting’).
  • [T1036] Masquerading – The toolkit includes renamed binaries like FunnyApp.exe and z.exe to blend in (‘observed: FunnyApp.exe’ / ‘z.exe’).
  • [T1001] Data Obfuscation – The article mentions using alternative process names and renamed variants to evade straightforward detection (‘Add detection for renamed variants’).

Indicators of Compromise

  • [Filename] Public exploit and tool names – YellowKey.exe, GreenPlasma.exe, and other related binaries such as RedSun.exe, BlueHammer.exe, UnDefend.exe
  • [Filename] Observed renamed binaries – FunnyApp.exe, z.exe, and agent.exe (BeigeBurrow)
  • [File Path] BlueHammer/RedSun staging locations – C:\Users\*\Pictures, C:\Users\*\Downloads\[2-char subfolder]
  • [File Path] System file targets to monitor – C:\Windows\System32\TieringEngineService.exe, C:\Windows\System32\ctfmon.exe
  • [Process] UnDefend launch chain – cmd.exe spawned by explorer.exe executing UnDefend.exe -agressive
  • [Process] GreenPlasma behavior – CTFMON creating or interacting with unexpected memory sections
  • [Behavior] YellowKey exploitation effect – shell spawning from WinRE with unrestricted volume access
  • [Behavior] Defender tampering – Microsoft Defender update suppression without hard failure alert
  • [URL] Public repository location – github.com/Nightmare-Eclipse/*
  • [IP Address] Intrusion infrastructure – Russia-geolocated source IPs, with specific address redacted
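The file, path and process indicators above translate directly into host-based detection rules. The following is an added example (not code from the article, from LevelBlue/SpiderLabs, or from the Nightmare-Eclipse repositories) that runs those indicators over a handful of constructed, simplified Sysmon-style process-creation and file-write records. The event field names (`type`, `image`, `parent`, `cmdline`, `target`) and every sample event are assumptions made for the example; the tool names, renamed variants, staging-path pattern, UnDefend launch chain and system-file targets are the ones listed on this page.

```python
import re

# Constructed sample telemetry (NOT real intrusion data). Shape is a simplified
# Sysmon-style record: "process" = process creation, "file_write" = file modified.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\winlogon.exe", "cmdline": "explorer.exe"},
    # UnDefend launch chain described on the page: explorer.exe -> cmd.exe -> UnDefend.exe -agressive
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\Downloads\xk\UnDefend.exe -agressive"},
    # Renamed variant launched from a user-writable staging directory (Pictures)
    {"type": "process", "image": r"C:\Users\alice\Pictures\FunnyApp.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "FunnyApp.exe"},
    # Renamed variant launched from Downloads\<2-char subfolder>
    {"type": "process", "image": r"C:\Users\alice\Downloads\ab\z.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "z.exe"},
    # Benign-looking installer: Downloads subfolder is longer than two chars, so no staging match
    {"type": "process", "image": r"C:\Users\alice\Downloads\setup-installer\setup.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "setup.exe"},
    # Write to one of the system binaries the page says to monitor
    {"type": "file_write", "image": r"C:\Users\alice\Downloads\ab\z.exe",
     "target": r"C:\Windows\System32\TieringEngineService.exe"},
    {"type": "file_write", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\x.log"},
]

# Indicators taken from the page (lower-cased for case-insensitive matching).
TOOL_NAMES = {"yellowkey.exe", "greenplasma.exe", "redsun.exe", "bluehammer.exe", "undefend.exe"}
RENAMED_VARIANTS = {"funnyapp.exe", "z.exe", "agent.exe"}
SYSTEM_TARGETS = {
    r"c:\windows\system32\tieringengineservice.exe",
    r"c:\windows\system32\ctfmon.exe",
}
# C:\Users\<user>\Pictures\<x>.exe  or  C:\Users\<user>\Downloads\<2 chars>\<x>.exe
STAGING_RE = re.compile(
    r"^c:\\users\\[^\\]+\\(?:pictures|downloads\\[^\\]{2})\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerates forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Return the names of every page-derived rule the event matches, in a fixed order."""
    hits = []
    image = basename(ev.get("image", ""))
    cmdline = ev.get("cmdline", "").lower()
    # Any command-line token whose file name is a known tool name counts as well,
    # so a tool invoked through cmd.exe is still caught.
    cmd_names = {basename(tok) for tok in cmdline.split()}

    if image in TOOL_NAMES or cmd_names & TOOL_NAMES:
        hits.append("known-tool-name")
    if image in RENAMED_VARIANTS or cmd_names & RENAMED_VARIANTS:
        hits.append("renamed-variant")
    if STAGING_RE.match(ev.get("image", "")):
        hits.append("user-writable-staging")
    # Launch chain from the page. "-agressive" is spelled as the article gives it.
    if (ev.get("type") == "process" and image == "cmd.exe"
            and basename(ev.get("parent", "")) == "explorer.exe"
            and "undefend.exe" in cmdline and "-agressive" in cmdline):
        hits.append("undefend-launch-chain")
    if ev.get("type") == "file_write" and ev.get("target", "").lower() in SYSTEM_TARGETS:
        hits.append("system-binary-tamper")
    return hits


def scan(events: list) -> dict:
    """Map event index -> matched rule names for every event that matched at least one rule."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['image']} -> {', '.join(rules)}")
```

The staging rule deliberately fires on any executable launched from the listed directories, not only on the known file names, which is what the page's "add detection for renamed variants" advice asks for; the trade-off is that installers dropped into a two-character Downloads subfolder will also surface and need triage. Name-only rules are the weakest part of the set, since the toolkit is already seen under arbitrary names, so the launch-chain and system-file-write rules are the ones to keep when tuning.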


Read more: https://www.levelblue.com/blogs/spiderlabs-blog/yellowkey-and-greenplasma-two-new-windows-zero-days-unveiled