A Proof of Concept (PoC) exploit has been released for a critical, unpatched Windows security issue dubbed "MiniPlasma." This vulnerability allows attackers to escalate privileges from standard user rights to SYSTEM level on fully patched versions of Windows. The public availability of exploit code significantly increases the risk of active exploitation in the wild. Defenders must assume that threat actors are already incorporating this technique into initial access payloads and post-exploitation frameworks.
Technical Analysis
- Affected Products: Microsoft Windows 10, Windows 11, and Windows Server versions (specific details pending vendor advisory, but broadly applicable to recent builds).
- CVE Identifier: None assigned at the time of writing (Zero-Day).
- CVSS Score: TBD (Estimated High/Critical due to Privilege Escalation impact).
- Vulnerability Mechanics: MiniPlasma exploits a logic flaw in Windows components (potentially related to Windows Error Reporting or AppLocker bypasses common in this exploit class) to execute arbitrary code with SYSTEM privileges. The attack typically requires local execution or user interaction, effectively bypassing standard security controls on updated endpoints.
- Exploitation Status: Proof of Concept (PoC) code has been publicly released. While widespread in-the-wild exploitation has not been confirmed at this scale, the barrier to entry is now negligible.
Detection & Response
Immediate detection is critical given the lack of an official patch. The following rules and queries target behaviors associated with the MiniPlasma exploit chain and common Privilege Escalation (LPE) tactics.
Sigma Rules
YAML
---
title: Potential MiniPlasma Zero-Day PoC Execution
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects the execution of a binary named 'MiniPlasma' or similar variations, indicating the use of the public PoC exploit.
references:
- https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/
author: Security Arsenal
date: 2025/02/18
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- 'MiniPlasma'
- 'miniplasma'
condition: selection
falsepositives:
- Unlikely, name is specific to the exploit.
level: critical
---
title: Suspicious Command Shell Spawned by WER (MiniPlasma Vector)
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects Windows Error Reporting (werfault.exe) spawning cmd.exe or powershell.exe, a common tactic in recent LPE exploits including Plasma variants.
references:
- https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/
author: Security Arsenal
date: 2025/02/18
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\werfault.exe'
- '\wermgr.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Rare, legitimate troubleshooting usually does not spawn shells from WER directly.
level: high
---
title: Unusual SYSTEM Shell Spawned by Service Process
id: c3d4e5f6-7890-12bc-def1-3456789012cd
status: experimental
description: Detects cmd.exe or powershell.exe running as SYSTEM spawned by a service process (svchost.exe), indicative of successful LPE.
references:
- https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2025/02/18
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\svchost.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
User|contains:
- 'AUTHORITY\SYSTEM'
condition: selection
falsepositives:
- Legitimate system administration or automated maintenance scripts.
level: medium
Microsoft Sentinel / Defender KQL
Hunt for suspicious process creation patterns indicative of the MiniPlasma exploit or similar LPE techniques.
KQL — Microsoft Sentinel / Defender
// Hunt for MiniPlasma PoC execution or suspicious SYSTEM shells
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe") or FileName contains "MiniPlasma"
| where AccountSid == "S-1-5-18" // Running as SYSTEM
| where InitiatingProcessFileName in~ ("werfault.exe", "svchost.exe", "explorer.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| order by Timestamp desc
Velociraptor VQL
Hunt endpoint process memory for indicators of the MiniPlasma exploit or suspicious parent-child process relationships.
VQL — Velociraptor
-- Hunt for suspicious process lineage indicative of LPE
SELECT Pid, Name, CommandLine, Exe, Username, Parent.Pid as ParentPid, Parent.Name as ParentName, Parent.Username as ParentUser
FROM pslist()
WHERE Name =~ "cmd"
OR Name =~ "powershell"
OR Name =~ "MiniPlasma"
OR (Name =~ "cmd" AND ParentName =~ "werfault")
OR (Name =~ "cmd" AND ParentName =~ "svchost" AND Username =~ "SYSTEM")
Remediation Script (PowerShell)
Use this script to audit the environment for the presence of the PoC file and check for vulnerable configurations.
PowerShell
# Audit Script for MiniPlasma Zero-Day Indicators
Write-Host "[+] Scanning for MiniPlasma PoC indicators..." -ForegroundColor Cyan
# Scan common download and temp directories for the PoC executable
$paths = @("C:\Users\", "C:\Temp\", "C:\Windows\Temp\")
$found = $false
foreach ($path in $paths) {
if (Test-Path $path) {
$results = Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*MiniPlasma*" -or $_.Name -like "*miniplasma*" }
if ($results) {
$results | ForEach-Object {
Write-Host "[!] SUSPICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
$found = $true
}
}
}
}
if (-not $found) {
Write-Host "[+] No MiniPlasma files found in common directories." -ForegroundColor Green
}
# Check for recent unusual WER activity (Event Log Check)
Write-Host "[+] Checking Application Event Log for suspicious WER activity..." -ForegroundColor Cyan
$events = Get-WinEvent -LogName Application -FilterXPath "*[System[(EventID=1001 or EventID=1002)]] and *[Data[Data]='werfault.exe']]" -ErrorAction SilentlyContinue -MaxEvents 10
if ($events) {
Write-Host "[!] Recent WER events found. Review manually." -ForegroundColor Yellow
$events | Select-Object TimeCreated, Message | Format-List
} else {
Write-Host "[+] No significant WER anomalies found." -ForegroundColor Green
}
Write-Host "[+] Audit complete." -ForegroundColor Cyan
Remediation
- Patch Management: Monitor the Microsoft Security Response Center (MSRC) and Windows Update closely for a security patch addressing this vulnerability. Apply it immediately upon release.
- PoC Removal: If the audit script above detects "MiniPlasma" binaries, isolate the affected endpoint and remove the files immediately.
- User Privilege Review: Enforce the principle of least privilege. Ensure standard users do not have local administrator rights to limit the impact of local privilege escalation attempts.
- Network Segmentation: Restrict lateral movement capabilities in case a host is compromised.
- Vendor Advisory: Refer to the official BleepingComputer report for updates on Microsoft's response timeline.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
managed-socmdrsecurity-monitoringthreat-detectionsiemwindowszero-dayminiplasma
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.