GreenPlasma: Arbitrary Section Creation on Windows – Analysis and Detection | Blackfort Technology

Background and Context

GreenPlasma is a proof-of-concept published on May 12, 2026 by the researcher Nightmare-Eclipse (GitHub: Nightmare-Eclipse/GreenPlasma). The PoC demonstrates a privilege escalation on Windows 11, Windows Server 2022 and Windows Server 2026 through two combined techniques: an Object Manager symlink placement on a CTF session object, followed by registry link abuse via the CloudFiles policy structure.

Scope: Stripped PoC, not a complete exploit

Nightmare-Eclipse explicitly released the PoC as a CTF challenge – the code does not contain the complete attack chain. The researcher states: "I stripped off the necessary code for a full SYSTEM shell. This is a huge challenge for CTF lovers out there." This analysis describes only what is observable in the published source code and controlled lab tests.

GreenPlasma is part of a series of unpatched Windows vulnerabilities by the same researcher (BlueHammer, RedSun, UnDefend, YellowKey). Microsoft had not released a patch at the time of this analysis. External reports from May 12–13, 2026 (Born City, Het Mehta) consistently classify GreenPlasma as "CTFMON Arbitrary Section Creation Elevation of Privileges" – named after the Windows Text Services Framework (CTF), whose session objects serve as the attack surface.

The conceptual roots lie in James Forshaw's (Google Project Zero) CTF protocol research (2019), which documented that the CTF protocol contains no sender authentication and enables various privilege escalation paths. GreenPlasma targets the same attack surface but uses a fundamentally different exploit primitive (section interception rather than ALPC protocol manipulation) – covered in Section 4.

Abstract visualization of the GreenPlasma attack mechanism — Object Manager symlink placement before Winlogon desktop activation – the core of the GreenPlasma mechanism

CTF Subsystem and the Winlogon Desktop

ctfmon.exe coordinates the Text Services Framework (TSF) – IMEs, speech recognition, accessibility services – and runs in a standard Windows desktop session under the security context of the logged-in user, not as SYSTEM. This distinction is critical to understanding the attack.

SYSTEM Context in the Winlogon Desktop

The Winlogon desktop (login screen, UAC prompt, lock screen) runs its own CTF server instance in SYSTEM context. Processes such as consent.exe and LogonUI.exe on this desktop run as SYSTEM and interact with the CTF session object (documented by James Forshaw, Google Project Zero, 2019). GreenPlasma forces a switch to the Winlogon desktop (via conhost.exe runas) to reach exactly this SYSTEM context. The PoC source code makes this explicit: it fails with the message "Either ctfmon is running as SYSTEM or an instance of the PoC is already running" when prerequisites are not met.

The target object is a named section object in the Windows Object Manager:

Object Manager – Target Path (from GreenPlasma.cpp)

\Sessions\<N>\BaseNamedObjects\CTF.AsmListCache.FMPWinlogon<N>

This object is created by a Winlogon desktop context component during the desktop switch. If a symlink has been pre-placed at this location, lab observations indicate that the section is redirected to the specified target via that symlink – consistent with the publicly described concept of Arbitrary Section Creation.

Attack Mechanism Step by Step

The following sequence is derived directly from the published source code (GreenPlasma.cpp). All API calls mentioned are verifiable in the code.

Attack Chain (derived from source code)

1
Session Check
ProcessIdToSessionId() verifies that the attacker is running in Session ≥ 1. Session 0 (service context) is explicitly rejected ("Seriously...?"). Prerequisite: interactive desktop session.
2
Place Object Manager Symlink
NtCreateSymbolicLinkObject() creates a symlink at \Sessions\<N>\BaseNamedObjects\CTF.AsmListCache.FMPWinlogon<N>. The default target in the published code is \BaseNamedObjects\CTFMON_DEAD. If this step fails (Name Collision), ctfmon is already running and the race condition is lost.
3
Activate Winlogon Desktop
ShellExecuteEx() launches C:\Windows\System32\conhost.exe with the verb "runas". This forces a UAC prompt on the Winlogon desktop. According to lab observations, a SYSTEM context component there creates the CTF.AsmListCache section object; the observed artifacts indicate redirection via the pre-placed symlink.
4
Intercept Section Handle
NtOpenSection() is called in a polling loop until a handle to the section object at the symlink target is obtained. This handle represents a memory object created by a SYSTEM component – an indicator that the interception succeeded.
5
SetPolicyVal() – Registry Manipulation
CfAbortOperation() (cldapi.dll, Cloud Filter API) is called to abort pending cloud filter callbacks. Then: TreeSetNamedSecurityInfo() sets the DACL of HKCU\...\CloudFiles to Everyone:GENERIC_ALL. The BlockedApps key is deleted and re-created as a volatile REG_LINK (undocumented Windows registry symbolic link type) pointing to ...\Policies\System. TreeSetNamedSecurityInfo() also resets the DACL of Policies\System to Everyone:GENERIC_ALL. DisableLockWorkstation=1 is written.
6
Desktop Switch
OpenInputDesktop() is polled; once the desktop switches, the PoC calls LockWorkStation(). In the published stripped code the chain ends here – the handle is printed, and after a keypress the symlink and registry changes are cleaned up.

What the stripped PoC does not contain

Steps 1–4 (section interception) and the registry manipulation block (step 5) are complete in the published code. What is missing is the use of the section handle for actual code execution as SYSTEM. That part was deliberately removed. The PoC demonstrates the prerequisites and indicators, not the complete exploitation.

Distinction: Forshaw 2019 vs. GreenPlasma

Both attacks target the CTF subsystem – but their exploit primitives are fundamentally different. This distinction is critical for correct classification and targeted detection.

Characteristic	Forshaw 2019 (ctftool)	GreenPlasma 2026
Exploit Primitive	ALPC protocol manipulation (MSG_CALLSTUB, pointer marshaling)	Object Manager symlink + registry link abuse
ALPC port used?	Yes – msctf.server<Desktop><Session>	The published PoC contains no direct ALPC calls
Target Object	CTF ALPC port (message injection)	CTF.AsmListCache.FMPWinlogon<N> (section interception)
ctfmon.exe role	Direct manipulation via ALPC	Indirect – Winlogon desktop context process (SYSTEM) is the target
Registry manipulation	Not part of the attack	Core component (CloudFiles DACL, BlockedApps REG_LINK)
Affected Windows versions	Windows 10 1903 (EDB-ID 47258, patched)	Windows 11, Server 2022, Server 2026 (unpatched, as of May 2026)

Common ground: LockWorkStation() as trigger

Both Forshaw (2019) and GreenPlasma use LockWorkStation() or a forced Winlogon desktop switch as a trigger to activate SYSTEM-context processes. This step is detection-relevant: an unusual activation of the Winlogon desktop from a non-privileged process context warrants investigation.

Comparison Forshaw 2019 vs GreenPlasma 2026 — Two different exploit primitives on the same attack surface: ALPC injection (Forshaw) vs. section interception (GreenPlasma)

Empirical Lab Observations

The following observations come from a controlled test environment (Windows 11, Sysmon 15, interactive desktop session). All entries relate directly to observable artifacts of the published PoC code.

Observation	Result	Significance
NtCreateSymbolicLinkObject on CTF.AsmListCache	OK (Session ≥ 1, ctfmon not yet started)	Race condition won – symlink placed
NtCreateSymbolicLinkObject on CTF.AsmListCache	Error (Name Collision)	Race lost – ctfmon already running; restart required
NtOpenSection – polling loop	Handle obtained after UAC prompt	Artifacts indicate that a SYSTEM context process created the section via the symlink
cldapi.dll load event	Confirmed (CfAbortOperation call)	Cloud Filter API as prerequisite for registry manipulation
HKCU\...\CloudFiles\BlockedApps as REG_LINK	Confirmed (volatile registry symlink)	Strongest GreenPlasma-specific IOC in tests to date
SymbolicLinkValue → ...\Policies\System	Confirmed	Redirect to Policies\System key
DisableLockWorkstation = 1	Confirmed (SetPolicyVal phase)	Part of attack chain; very high false-positive rate in isolation
wmiprvse.exe ProcessAccess (0x1400)	Several times (baseline)	WMI read access – not an attack signal; GrantedAccess=0x1400 only

DisableLockWorkstation: part of the chain, but not a reliable standalone IOC

The PoC explicitly sets DisableLockWorkstation=1 in SetPolicyVal(). However, this value is also set by kiosk software, GPO rollouts, IT management tools and other legitimate applications. As a standalone IOC it generates too much noise for production use. It is only useful in combination with the registry link IOCs (BlockedApps REG_LINK + SymbolicLinkValue).

Countermeasures and Their Limitations

Since GreenPlasma requires an active interactive session and a Winlogon desktop switch, no single measure blocks the attack completely without side effects.

IFEO – Block ctfmon.exe Start

A Debugger entry in HKLM\...\Image File Execution Options\ctfmon.exe prevents the process from starting – confirmed in our lab. Side effect: IME, speech recognition, on-screen keyboard and accessibility services are permanently disabled. Not suitable for systems with non-Latin character sets or accessibility requirements.

Disable MsCtfMonitor Service

MsCtfMonitor is a watchdog service that restarts ctfmon.exe. Disabling it alone showed no effect in our lab as long as Winlogon is active. Not an effective standalone countermeasure.

GPO: Restrict Third-Party TSF

Group Policy can restrict third-party Text Service Providers. Reduces the attack surface per Windows TSF documentation; full lab validation of this measure is pending. Side effect: specialized IMEs and accessibility tools may be disabled.

Focus on Detection

Since no preventive measure is without side effects, we recommend a detection-centric approach: the registry-based IOCs (BlockedApps REG_LINK, SymbolicLinkValue) showed a favourable signal-to-noise ratio in tests to date and are deployable without system restrictions.

Detection Rules for Sysmon and Wazuh

Detection rules are grouped into two categories: GreenPlasma-specific IOCs (derived directly from the published source code) and class IOCs for the broader CTF attack path (Forshaw technique and variants).

Sysmon Event	EventID	Wazuh	Level	Description
RegistryEvent (BlockedApps CREATE)	12	100100	15	GreenPlasma-specific: HKCU\...\CloudFiles\BlockedApps created (volatile REG_LINK)
RegistryEvent (SymbolicLinkValue SET)	13	100101	14	GreenPlasma-specific: SymbolicLinkValue → ...\Policies\System set
RegistryEvent (BlockedApps DELETE)	12	100102	12	GreenPlasma-specific: BlockedApps key deleted (cleanup phase)
ImageLoad cldapi.dll	7	100103	10	GreenPlasma-specific: CfAbortOperation call – unusual cldapi.dll load
RegistryEvent (DisableLockWorkstation)	13	100104	8	Combination IOC: too noisy in isolation; meaningful only with 100100/100101
ProcessCreate (ctfmon child)	1	100110	12	CTFMON anomaly: child process from ctfmon.exe – not observed in standard baselines; validate against your environment
ProcessAccess ctfmon (access rights)	10	100109	12	CTFMON anomaly: handle with process-manipulation-relevant access rights (PROCESS_VM_WRITE / PROCESS_CREATE_THREAD) on ctfmon.exe
CreateRemoteThread in ctfmon	8	100108	12	CTFMON injection heuristic: CreateRemoteThread into ctfmon.exe – not GreenPlasma-specific; relevant for related process manipulation scenarios

sysmon.xml – GreenPlasma-specific registry rules (excerpt)

<!-- PRIMARY IOC: BlockedApps created as volatile REG_LINK -->
<RuleGroup name="" groupRelation="or">
  <RegistryEvent onmatch="include">
    <Rule name="GP_BlockedApps_create" groupRelation="and">
      <TargetObject condition="contains">CloudFiles\BlockedApps</TargetObject>
      <EventType condition="is">CreateKey</EventType>
    </Rule>
  </RegistryEvent>
</RuleGroup>

<!-- SECONDARY IOC: SymbolicLinkValue set under CloudFiles\BlockedApps -->
<!-- Sysmon EID 13: value name appears in the TargetObject field (full path), not in Details -->
<RuleGroup name="" groupRelation="or">
  <RegistryEvent onmatch="include">
    <Rule name="GP_SymbolicLinkValue" groupRelation="and">
      <TargetObject condition="contains">CloudFiles\BlockedApps</TargetObject>
      <TargetObject condition="contains">SymbolicLinkValue</TargetObject>
    </Rule>
  </RegistryEvent>
</RuleGroup>

<!-- cldapi.dll loaded by unusual processes (CfAbortOperation call) -->
<RuleGroup name="" groupRelation="or">
  <ImageLoad onmatch="include">
    <Rule name="GP_cldapi_unusual" groupRelation="and">
      <ImageLoaded condition="end with">cldapi.dll</ImageLoaded>
      <Image condition="does not contain">OneDrive</Image>
      <Image condition="does not contain">svchost</Image>
      <Image condition="does not contain">FileCoAuth</Image>
    </Rule>
  </ImageLoad>
</RuleGroup>

<!-- CTF class: ProcessAccess with injection bits; wmiprvse (0x1400) excluded -->
<RuleGroup name="" groupRelation="or">
  <ProcessAccess onmatch="exclude">
    <Rule name="FP_wmi_readonly" groupRelation="and">
      <SourceImage condition="end with">wmiprvse.exe</SourceImage>
      <GrantedAccess condition="is">0x1400</GrantedAccess>
    </Rule>
    <SourceImage condition="end with">MsMpEng.exe</SourceImage>
  </ProcessAccess>
</RuleGroup>

wazuh_greenplasma_rules.xml – Key rules (excerpt)

<!-- 100100: BlockedApps key created as REG_LINK (Level 15 = Critical) -->
<rule id="100100" level="15">
  <if_group>windows</if_group>
  <field name="win.system.eventID">^12$</field>
  <field name="win.system.providerName">Microsoft-Windows-Sysmon</field>
  <field name="win.eventdata.targetObject" type="pcre2">(?i)CloudFiles\\BlockedApps$</field>
  <field name="win.eventdata.eventType">CreateKey</field>
  <description>GreenPlasma: CloudFiles\BlockedApps created as volatile registry link</description>
  <mitre><id>T1112</id><id>T1548</id></mitre>
</rule>

<!-- 100101: SymbolicLinkValue set (Level 14) -->
<rule id="100101" level="14">
  <if_group>windows</if_group>
  <field name="win.system.eventID">^13$</field>
  <field name="win.system.providerName">Microsoft-Windows-Sysmon</field>
  <field name="win.eventdata.targetObject" type="pcre2">(?i)CloudFiles\\BlockedApps.*SymbolicLinkValue</field>
  <description>GreenPlasma: Registry symlink (SymbolicLinkValue) set under CloudFiles\BlockedApps</description>
  <mitre><id>T1112</id></mitre>
</rule>

<!-- 100105: Correlation BlockedApps-Create + SymbolicLinkValue (300s) – full registry chain -->
<rule id="100105" level="15" timeframe="300">
  <if_matched_sid>100100</if_matched_sid>
  <same_field>win.system.computer</same_field>
  <field name="win.system.eventID">^13$</field>
  <field name="win.eventdata.targetObject" type="pcre2">(?i)CloudFiles\\BlockedApps.*SymbolicLinkValue</field>
  <description>GreenPlasma: BlockedApps REG_LINK + SymbolicLinkValue – full registry chain confirmed</description>
</rule>

<!-- 100109: ProcessAccess with injection bits on ctfmon.exe; wmiprvse (0x1400) excluded -->
<rule id="100109" level="12">
  <if_group>windows</if_group>
  <field name="win.system.eventID">^10$</field>
  <field name="win.system.providerName">Microsoft-Windows-Sysmon</field>
  <field name="win.eventdata.targetImage" type="pcre2">(?i)\\ctfmon\.exe$</field>
  <field name="win.eventdata.grantedAccess" type="pcre2" negate="yes">^0x(1400|1000|0400|1410)$</field>
  <description>CTF class: injection-relevant handle on ctfmon.exe</description>
  <mitre><id>T1055</id></mitre>
</rule>

<!-- 100110: ctfmon.exe child process (CTFMON anomaly, Level 12) – generic heuristic; validate against your environment -->
<rule id="100110" level="12">
  <if_group>windows</if_group>
  <field name="win.system.eventID">^1$</field>
  <field name="win.system.providerName">Microsoft-Windows-Sysmon</field>
  <field name="win.eventdata.parentImage" type="pcre2">(?i)\\ctfmon\.exe$</field>
  <description>CTF class: ctfmon.exe spawns child process (not observed in standard baselines)</description>
  <mitre><id>T1055</id></mitre>
</rule>

Deployment Notes

Sysmon: Schema version 4.90+, separate RuleGroup for Include and Exclude per event type
Wazuh: Rules 100100–100110 in custom_rules.xml, restart agent
Detection rules require an interactive desktop session (Session ≥ 1) – ctfmon.exe does not run in service contexts (Session 0)
For rule 100109: a matching ProcessAccess onmatch="include" rule targeting ctfmon.exe must be present in sysmon.xml (separate RuleGroup from the exclude block)
Before production: create a cldapi.dll load baseline; OneDrive/FileCoAuth are legitimate loaders
DisableLockWorkstation (100104) should only be used as a correlation signal, not a standalone alert
Sysmon Event ID 8 (CreateRemoteThread / rule 100108) is disabled in many production environments for performance reasons – treat as an optional supplement

Conclusion

GreenPlasma demonstrates how a seemingly peripheral Windows mechanism – the CTF session object in the Object Manager – can serve as a pivot for privilege escalation. The actual exploit primitive is not ALPC protocol manipulation (Forshaw 2019) but an Object Manager symlink placed before the Winlogon desktop switch, combined with registry link abuse via the CloudFiles policy structure.

Important for classification: ctfmon.exe itself runs as a normal user. The SYSTEM privileges arise through interaction with Winlogon desktop context processes that are activated by the UAC prompt. The published PoC is deliberately incomplete – actual code execution as SYSTEM is not included.

On the detection side, the registry-based IOCs (BlockedApps REG_LINK, SymbolicLinkValue) showed the best signal-to-noise ratio in testing: they produced very few false positives in lab and standard baseline environments and should be validated against the target environment before production use. The Sysmon and Wazuh rules presented were iteratively tested in the lab for obvious false positives and can serve as a starting point for your own detection engineering pipeline.