Inside the Latest Chaotic-Eclipse Releases: Mini-Plasma, GreenPlasma, and YellowKey

In May 2026, Chaotic Eclipse disclosed three Windows zero-days, YellowKey, GreenPlasma, and MiniPlasma, and published proof-of-concept exploits days after Microsoft’s Patch Tuesday, which maximizes the time before a fix can ship. YellowKey bypasses BitLocker through WinRE, while GreenPlasma and MiniPlasma gain SYSTEM privileges by abusing Windows Cloud Files components and related trust relationships. #YellowKey #GreenPlasma #MiniPlasma #ChaoticEclipse

Keypoints

  • Chaotic Eclipse publicly released PoCs for three Windows zero-days: YellowKey, GreenPlasma, and MiniPlasma.
  • YellowKey bypasses BitLocker by abusing WinRE and autofstx.exe, giving an attacker with brief physical access the contents of the encrypted drive.
  • GreenPlasma is a local privilege escalation flaw that abuses ctfmon.exe, registry symbolic links, and Cloud Files-related behavior to obtain SYSTEM privileges.
  • MiniPlasma targets cldflt.sys and reuses an old Project Zero PoC pattern to gain SYSTEM access and launch an interactive shell.
  • The exploits affect Windows 11, Windows Server 2022, and Windows Server 2025; Windows 10 is largely unaffected by YellowKey and MiniPlasma.
  • Detection guidance focuses on Cloud Files activity, registry symbolic links, rogue wermgr.exe execution, named pipe creation, and suspicious USB/WinRE usage.
  • Recommended mitigations include default-deny application control, restricting Cloud Files components, using TPM+PIN for BitLocker, and applying Microsoft’s WinRE remediation script.

MITRE Techniques

  • [T1057 ] Process Discovery – GreenPlasma waits for ctfmon.exe to be active in the interactive session before it can reach the privileged trust path (‘ctfmon becomes active’).
  • [T1068 ] Exploitation for Privilege Escalation – GreenPlasma and MiniPlasma are local privilege escalation exploits that obtain SYSTEM through vulnerable Windows components (‘can allow an attacker to obtain SYSTEM-level privileges’, ‘deliver an interactive SYSTEM shell’).
  • [T1211 ] Exploitation for Defense Evasion – YellowKey defeats BitLocker rather than authenticating to it: by planting crafted Transactional NTFS (TxF) log files it abuses the TPM-only trust path in WinRE to reach the already-unlocked volume, with no account or recovery credential involved (‘By planting specially crafted Transactional NTFS (TxF) log files’, ‘no recovery key, password, or PIN required’).
  • [T1548.002 ] Abuse Elevation Control Mechanism: Bypass User Account Control – GreenPlasma launches an elevated conhost.exe through UAC to activate the privileged behavior (‘launches an elevated conhost.exe through UAC’).
  • [T1112 ] Modify Registry – All three chains modify registry values or keys, including DisableLockWorkstation and windir, to redirect behavior or disable protections (‘setting DisableLockWorkstation=1’, ‘overwrite the windir environment variable’).
  • [T1547 ] Boot or Logon Autostart Execution – YellowKey abuses the BootExecute value (a Session Manager setting, not a Run key) to launch autofstx.exe very early in boot, before normal protections load, handing the attacker a raw command prompt (‘launched through the BootExecute registry value’, ‘runs very early in boot’, ‘handing the attacker a raw command prompt’). The crafted input is staged on removable media (‘copies the crafted FsTx folder structure to System Volume Information\FsTx on a USB stick’).
  • [T1036.005 ] Masquerading: Match Legitimate Name or Location – MiniPlasma stages a malicious binary named wermgr.exe outside the standard Windows path (‘places a malicious wermgr.exe in an attacker-controlled location’).
  • [T1574 ] Hijack Execution Flow – MiniPlasma overwrites the windir environment variable (listed below as HKU\.DEFAULT\Volatile Environment\windir) so that the SYSTEM-level Windows Error Reporting task resolves %windir% to the attacker-controlled location and runs the staged wermgr.exe instead of the real one (‘overwrite the windir environment variable’).
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task – MiniPlasma triggers the built-in QueueReporting task, which executes as SYSTEM and runs the attacker’s copy of wermgr.exe (‘triggers the built-in scheduled task … which executes as NT AUTHORITY\SYSTEM’).
  • [T1559 ] Inter-Process Communication – MiniPlasma coordinates the rogue wermgr.exe and the exploit controller over a local named pipe (‘creates a named pipe MiniPlasmaWERPipe’).

Indicators of Compromise

  • [File names ] malicious or staged binaries and recovery artifacts – autofstx.exe, wermgr.exe, winpeshl.ini
  • [Registry paths ] privilege-escalation and policy modification targets – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation, HKU\.DEFAULT\Volatile Environment\windir
  • [Registry keys ] Cloud Files and symbolic-link abuse locations – HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps, HKCU\Software\Policies\Microsoft\CloudFiles
  • [Named pipes ] MiniPlasma coordination channel – MiniPlasmaWERPipe (\\.\pipe\MiniPlasmaWERPipe)
  • [DLL / driver names ] Cloud Files components involved in exploitation – cldapi.dll, cldflt.sys
  • [Scheduled task path ] Windows Error Reporting trigger used by MiniPlasma – \Microsoft\Windows\Windows Error Reporting\QueueReporting
  • [USB / device artifacts ] physical-access delivery vector for YellowKey – USB storage device, USBSTOR enumeration entries
  • [Object Manager paths ] section-object and symlink abuse targets – \Sessions\<session id>\BaseNamedObjects\CTF.AsmListCache.FMPWinlogon, \BaseNamedObjects\CTFMON_DEAD
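
The following read-only PowerShell triage script is an added example, not code from GuardSix or Chaotic Eclipse; it checks a single host against the detection guidance in the key points and the indicators listed above (BootExecute, BitLocker protector type, DisableLockWorkstation, the Cloud Files policy keys, the windir override under HKEY_USERS\.DEFAULT, a wermgr.exe running outside System32, the MiniPlasmaWERPipe named pipe, and the QueueReporting task). Assumptions not stated on the page: any BootExecute entry other than the stock "autocheck autochk *" is treated as suspicious, a TPM-only OS volume is reported because the page recommends TPM+PIN, the QueueReporting line is informational rather than a finding, and every indicator name is matched literally.

```powershell
# Added host-triage example (not GuardSix's or Chaotic Eclipse's code). Read-only: it reports, changes nothing.
# Run in an elevated PowerShell on Windows 10/11 or Server 2022/2025.
# Assumptions not stated on the page: any BootExecute entry other than the stock "autocheck autochk *"
# is suspicious; a TPM-only OS volume is reported because the page recommends TPM+PIN; the
# QueueReporting line is informational; all indicator names are matched literally.

$findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$chain, [string]$detail) { $script:findings.Add("[$chain] $detail") }

# HKU: is not mapped by default; several indicators live under HKEY_USERS\.DEFAULT.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# --- YellowKey: BootExecute persistence and BitLocker protector type ---
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                       -Name BootExecute -ErrorAction SilentlyContinue
foreach ($entry in @($sm.BootExecute)) {
    if ($entry -and $entry -notmatch '^autocheck autochk') {
        Add-Finding 'YellowKey' "Non-default BootExecute entry: $entry"
    }
}
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
        $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        if ($types -contains 'Tpm' -and -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
            Add-Finding 'YellowKey' "OS volume $($vol.MountPoint) protected by TPM only; page recommends TPM+PIN"
        }
    }
}

# --- GreenPlasma: lock-workstation policy and Cloud Files policy keys ---
$pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
                        -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableLockWorkstation -eq 1) {
    Add-Finding 'GreenPlasma' 'DisableLockWorkstation=1 under HKCU\...\Policies\System'
}
foreach ($key in 'HKCU:\Software\Policies\Microsoft\CloudFiles',
                 'HKU:\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps') {
    if (Test-Path $key) { Add-Finding 'GreenPlasma/MiniPlasma' "Cloud Files policy key present: $key" }
}

# --- MiniPlasma: windir redirection, rogue wermgr.exe, named pipe, WER task ---
$ve = Get-ItemProperty -Path 'HKU:\.DEFAULT\Volatile Environment' -ErrorAction SilentlyContinue
if ($ve -and $ve.PSObject.Properties['windir']) {
    Add-Finding 'MiniPlasma' "HKU\.DEFAULT\Volatile Environment\windir = '$($ve.windir)'"
}
$system32 = Join-Path $env:SystemRoot 'System32'
foreach ($p in Get-Process -Name wermgr -ErrorAction SilentlyContinue) {
    # Path is $null when the caller cannot open the process; inspecting a SYSTEM wermgr needs elevation.
    if ($p.Path -and -not $p.Path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
        Add-Finding 'MiniPlasma' "wermgr.exe (PID $($p.Id)) running from $($p.Path)"
    }
}
# Enumerating \\.\pipe\ through .NET lists every open named pipe on the host.
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
if ($pipes | Where-Object { $_ -like '*\MiniPlasmaWERPipe' }) {
    Add-Finding 'MiniPlasma' 'Named pipe \\.\pipe\MiniPlasmaWERPipe exists'
}
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Error Reporting\' `
                          -TaskName QueueReporting -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    Add-Finding 'Info' "QueueReporting action '$($task.Actions[0].Execute)', last run $($info.LastRunTime)"
}

if ($findings.Count -eq 0) { 'No indicator from the page matched on this host.' } else { $findings }
```

On a clean host the only line printed is the informational QueueReporting entry (or the "No indicator" message if the task is absent). The script deliberately does not delete anything it finds: a non-default BootExecute entry or a wermgr.exe outside System32 should be preserved for forensics before remediation, and the TPM-only report is a configuration gap to close with TPM+PIN rather than evidence of compromise.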


Read more: https://guardsix.com/blog/inside-the-latest-chaotic-eclipse-releases-mini-plasma-greenplasma-and-yellowkey