YellowKey & GreenPlasma: New Zero-Days from Chaotic Eclipse Target BitLocker & CTFMON
Just saw the latest drop from Chaotic Eclipse regarding two new zero-days, codenamed YellowKey and GreenPlasma. Given their track record with the Microsoft Defender vulnerabilities last month, these deserve immediate attention.
Technical Breakdown
YellowKey is a BitLocker bypass that undermines the encryption trust model. If the PoC is verifiable, it likely manipulates the TPM's state validation or recovery key handling, allowing an attacker with physical access to decrypt the drive without the original credentials.
GreenPlasma impacts the Windows Collaborative Translation Framework (CTFMON). Since ctfmon.exe runs with high privileges (often SYSTEM), this vulnerability facilitates a privilege escalation from a standard user context.
Immediate Mitigations & Detection
Until Microsoft releases an out-of-band patch, we need to focus on detection and reducing the attack surface.
For GreenPlasma, we should be alert for ctfmon.exe spawning unusual child processes. You can hunt for this behavior using KQL:
```kusto
DeviceProcessEvents
// =~ / !~ compare case-insensitively, so CTFMON.EXE is caught too
| where InitiatingProcessFileName =~ "ctfmon.exe"
// the created process's image is in FileName (there is no ProcessFileName column)
| where FileName !~ "werfault.exe" // Allow crash reporting
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
```
For **YellowKey**, verify your BitLocker recovery keys are backed up to Active Directory (if applicable) and ensure drives require a password on resume:
```powershell
# Check BitLocker status (encryption state and configured key protectors)
manage-bde -status C:
# Force TPM password on resume (if supported by BIOS)
# Note: This requires BIOS/UEFI configuration usually
```
Has anyone successfully reproduced the BitLocker bypass yet? Also, are there any GPO settings to harden CTFMON while we wait for a patch?
We've disabled the Text Services Framework via GPO on our high-security workstations as a temporary stopgap for GreenPlasma. It breaks some touch keyboard features and input method editors, but it's better than a PrivEsc.
```powershell
# Disable CTF via Registry (same value the GPO sets; run elevated)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CTF" /v "DisableCTF" /t REG_DWORD /d 1 /f
```
As for YellowKey, if it affects the sleep state, enforcing 'Require password on wakeup' in Power Options is a must, though that might not stop a sophisticated TPM bypass.
The BitLocker one is terrifying. I'm auditing our physical access controls today because if this bypasses the TPM handshake, standard Full Disk Encryption is effectively useless against a sophisticated attacker with hardware access.
Does anyone know if this affects BitLocker-to-Go (encrypted USB drives) or just OS volumes?
I saw the write-up on this. For GreenPlasma, you can also monitor for non-Microsoft signed binaries loading into ctfmon.exe memory space. Sysmon's ImageLoad event is great for this:
ctfmon.exe
Just flip that logic to include and alert on unsigned DLLs.
Solid advice from everyone. To complement Nico's local monitoring, you can hunt for this behavior in Microsoft Sentinel using KQL. This filters DeviceProcessEvents for any unusual child processes spawned by ctfmon.exe that might indicate a payload injection.
```kusto
DeviceProcessEvents
// case-insensitive match, as in the earlier hunt
| where InitiatingProcessFileName =~ "ctfmon.exe"
// version info of the child; empty CompanyName also passes this filter
| where ProcessVersionInfoCompanyName != "Microsoft Corporation"
| project Timestamp, DeviceName, AccountName, FileName, ProcessVersionInfoCompanyName, ProcessCommandLine
```
Regarding YellowKey, while physical security is paramount, enforcing a BitLocker Startup PIN adds a crucial factor that doesn't rely solely on the TPM. Even if the handshake is bypassed, the attacker needs the PIN. You can enforce this via PowerShell:
```powershell
$SecurePin = Read-Host -AsSecureString "Enter BitLocker startup PIN"
Enable-BitLocker -MountPoint "C:" -TpmAndPinProtector -Pin $SecurePin  # -Pin pairs with -TpmAndPinProtector, not -TPMProtector
```
It creates a "defense in depth" layer for the encryption trust model.
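The three ctfmon.exe hunts proposed in this thread (child-process-except-werfault, child with non-Microsoft version info, and non-Microsoft-signed DLL loaded into ctfmon.exe) can be replayed offline against sample telemetry to see exactly what each one catches and misses. The following is an added example and not code from any poster in the thread; the event records are constructed to resemble Defender DeviceProcessEvents rows and Sysmon Event ID 7 fields, the field names follow those schemas, and all values (hostnames, paths, timestamps) are made up.

```python
"""Replay the thread's ctfmon.exe detection logic over constructed telemetry."""
from dataclasses import dataclass
from typing import Callable, List, Tuple, Union


def ieq(a: str, b: str) -> bool:
    """KQL's =~ and !~ are case-insensitive; telemetry does not guarantee
    lower-cased image names, so every name comparison goes through this."""
    return a.casefold() == b.casefold()


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of Defender DeviceProcessEvents columns."""
    Timestamp: str
    DeviceName: str
    AccountName: str
    InitiatingProcessFileName: str   # parent image
    FileName: str                    # created (child) image
    ProcessVersionInfoCompanyName: str
    ProcessCommandLine: str


@dataclass(frozen=True)
class ImageLoadEvent:
    """Subset of Sysmon Event ID 7 (ImageLoad) fields."""
    UtcTime: str
    Image: str        # process that loaded the DLL
    ImageLoaded: str  # DLL path
    Signed: bool
    Signature: str    # signer name, empty when unsigned


Event = Union[ProcessEvent, ImageLoadEvent]


def ctfmon_child_not_werfault(ev: Event) -> bool:
    """First post's hunt: any child of ctfmon.exe except the crash reporter."""
    return (isinstance(ev, ProcessEvent)
            and ieq(ev.InitiatingProcessFileName, "ctfmon.exe")
            and not ieq(ev.FileName, "werfault.exe"))


def ctfmon_child_non_microsoft(ev: Event) -> bool:
    """Sentinel hunt: child of ctfmon.exe whose version info is not Microsoft.
    Gap worth knowing: a Microsoft-signed LOLBin (cmd.exe, powershell.exe)
    spawned by ctfmon.exe passes this filter; an empty CompanyName does not."""
    return (isinstance(ev, ProcessEvent)
            and ieq(ev.InitiatingProcessFileName, "ctfmon.exe")
            and not ieq(ev.ProcessVersionInfoCompanyName, "Microsoft Corporation"))


def unsigned_dll_into_ctfmon(ev: Event) -> bool:
    """Sysmon ImageLoad angle: a DLL not signed by Microsoft mapped into ctfmon.exe."""
    return (isinstance(ev, ImageLoadEvent)
            and ev.Image.casefold().endswith("\\ctfmon.exe")
            and not (ev.Signed and ev.Signature.casefold().startswith("microsoft")))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("ctfmon_child_not_werfault", ctfmon_child_not_werfault),
    ("ctfmon_child_non_microsoft", ctfmon_child_non_microsoft),
    ("unsigned_dll_into_ctfmon", unsigned_dll_into_ctfmon),
]


def hunt(events: List[Event], rules=RULES) -> List[Tuple[str, Event]]:
    """Return (rule name, event) for every rule each event trips, in input order."""
    return [(name, ev) for ev in events for name, rule in rules if rule(ev)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS: List[Event] = [
    ProcessEvent("2024-06-01T09:00:00Z", "WS01", "alice", "ctfmon.exe", "werfault.exe",
                 "Microsoft Corporation", "werfault.exe -u -p 4120 -s 900"),
    ProcessEvent("2024-06-01T09:01:00Z", "WS01", "alice", "CTFMON.EXE", "cmd.exe",
                 "Microsoft Corporation", "cmd.exe /c whoami"),
    ProcessEvent("2024-06-01T09:02:00Z", "WS02", "bob", "ctfmon.exe", "updater.exe",
                 "", "C:\\Users\\Public\\updater.exe"),
    ProcessEvent("2024-06-01T09:03:00Z", "WS02", "bob", "explorer.exe", "cmd.exe",
                 "Microsoft Corporation", "cmd.exe"),
    ImageLoadEvent("2024-06-01 09:04:00.000", "C:\\Windows\\System32\\ctfmon.exe",
                   "C:\\Windows\\System32\\msctf.dll", True, "Microsoft Windows"),
    ImageLoadEvent("2024-06-01 09:05:00.000", "C:\\Windows\\System32\\ctfmon.exe",
                   "C:\\Users\\Public\\evil.dll", False, ""),
    ImageLoadEvent("2024-06-01 09:06:00.000", "C:\\Windows\\System32\\notepad.exe",
                   "C:\\Users\\Public\\evil.dll", False, ""),
]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
```

Running it shows the ordering of coverage: the werfault exclusion suppresses the crash-reporter child, the case-insensitive match still catches `CTFMON.EXE` spawning `cmd.exe`, the company-name filter only fires on the unsigned `updater.exe` child (so it is a narrower rule, not a replacement for the first), and the ImageLoad rule fires once, on the unsigned DLL mapped into ctfmon.exe and not on the same DLL loaded by notepad.exe.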