Attack Chain
- Initial Access: The attacker must interact with the recovery environment to initiate the exploit.
- Persistence: The attacker modifies the EFI partition or NTFS logs to facilitate exploitation.
- Privilege Escalation: The attacker leverages GreenPlasma to escalate privileges to SYSTEM level.
- Defense Evasion: The attacker disables or modifies system recovery tools to evade detection.
- Impact: The attacker abuses WinRE to bypass BitLocker encryption, gaining access to protected data.
TrendAI Platform Monitoring and Defenses
As information about these vulnerabilities is still evolving, TrendAI is closely monitoring the situation and will continue to update this page as more information becomes available. TrendAI Vision One customers can use the following as the situation develops to monitor for and look for suspicious activity:
Threat Intelligence Hub
TrendAI has added information into the Vision One Threat Intelligence Hub that provides relevant background information including Tactics, Techniques and Procedures (TTPs), Risk Management Guidance, and Threat Hunting Queries.
TrendAI Vision One Endpoint Security (and any solution that utilizes VSAPI detection)
TrendAI has released a VSAPI pattern detection that detects known exploit code for GreenPlasma; these are detected as Trojan.Win32.GREENPLASMA.A and Trojan.Win64.GREENPLASMA.A.
TrendAI Vision One XDR Threat Investigation
Monitor the Observed Attack Techniques (OAT) module for suspicious executions:
Workbenches
- YellowKey: FsTx Folder Creation In System Volume Information
- GreenPlasma: Anomalous Discovery Commands
Observed Attack Techniques (OAT)
- YellowKey: FsTx Folder Creation In System Volume Information
- GreenPlasma: Anomalous Discovery Commands
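As an added illustration of the YellowKey workbench named above (this is example code, not TrendAI's detection logic), the function below flags file-creation events whose target is an FsTx folder directly under a volume's System Volume Information directory. The event shape and the sample events are constructed assumptions, not data from the advisory.

```python
import re
from typing import Iterable, List

# Constructed sample of file-creation events (simplified Sysmon Event ID 11
# style fields). These are NOT from the advisory; they are illustrative input.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\System Volume Information\tracking.log"},
    {"image": r"C:\Users\alice\Downloads\tool.exe",
     "target": r"C:\System Volume Information\FsTx\00001.bin"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "target": r"d:\system volume information\fstx"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\FsTx\notes.txt"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\System Volume Information\FsTxExtra"},
]

# Assumed pattern: the component directly under "System Volume Information"
# is exactly "FsTx" (case-insensitive), on any drive letter, with or without
# children. Names that merely start with "FsTx" do not match.
_FSTX_SVI = re.compile(
    r"^[a-z]:\\system volume information\\fstx(\\|$)", re.IGNORECASE)


def is_fstx_in_svi(path: str) -> bool:
    """True when path is the FsTx folder (or anything inside it) under a
    volume's System Volume Information directory."""
    return _FSTX_SVI.match(path.strip()) is not None


def find_suspicious(events: Iterable[dict]) -> List[dict]:
    """Return the file-creation events that touch FsTx under SVI."""
    return [e for e in events if is_fstx_in_svi(e["target"])]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT FsTx under SVI: {hit['image']} -> {hit['target']}")
```

In practice the same match would be applied to file-creation telemetry from the endpoint sensor, and the creating process (the "image" field) is what an analyst would pivot on next.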
