Share
## https://sploitus.com/exploit?id=2EC3D06F-616D-5241-853D-154D108F0DA7
# MiniPlasma Detection (CVE-2020-17103)

Sigma detection rule for MiniPlasma, a Windows local privilege escalation exploit abusing a race condition in cldflt.sys to hijack the windir environment variable for the SYSTEM account, redirecting the WER QueueReporting scheduled task to execute an attacker controlled binary as SYSTEM.

CVE-2020-17103 was originally reported by James Forshaw from Google Project Zero in 2020 and supposedly patched by Microsoft. As of May 2026 it is fully exploitable on completely patched Windows 11 systems.

The rule detects the core exploit primitive โ€” a registry write to USER\.DEFAULT\Volatile Environment\windir, which no legitimate software ever performs.
## Usage

```bash
sigma convert -t  -p  miniplasma_wer_windir_hijack.yml
```

## References

- https://github.com/Nightmare-Eclipse/MiniPlasma
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17103
- https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/