Query Details
# *MiniPlasma Privilege Escalation Detection CVE-2020-17103*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1068 | Exploitation for Privilege Escalation | https://attack.mitre.org/techniques/T1068 |
| T1059 | Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059 |
#### Description
This rule detects potential MiniPlasma privilege escalation activity, which is associated with a regression of CVE-2020-17103. It correlates two suspicious behaviors: SYSTEM-level shell spawns from unexpected parent processes and non-system account access to the .DEFAULT registry hive within a 5-minute window. This combination indicates an attempt to elevate privileges to SYSTEM.
#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**
#### References
## Defender XDR
```KQL
// MiniPlasma Privilege Escalation Detection (cldflt.sys / CVE-2020-17103 regression)
let LookbackWindow = 24h;
let ExecutablesToWatch = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"]);
let KnownServiceParents = dynamic(["services.exe", "msiexec.exe", "tiworker.exe", "svchost.exe"]);
// SYSTEM shell spawns from unexpected parents
let SuspiciousShells = DeviceProcessEvents
| where TimeGenerated > ago(LookbackWindow)
| where FileName in~ (ExecutablesToWatch)
| where AccountName =~ "SYSTEM"
| where InitiatingProcessAccountName !in~ ("system", "local service", "network service")
| where InitiatingProcessParentFileName !in~ (KnownServiceParents)
| project
TimeGenerated,
DeviceName,
ProcessId,
FileName,
ProcessCommandLine,
AccountName,
InitiatingProcessFileName,
InitiatingProcessId,
InitiatingProcessCommandLine,
InitiatingProcessAccountName;
// .DEFAULT Hive accesses from non-system accounts
let DefaultHiveAccess = DeviceRegistryEvents
| where TimeGenerated > ago(LookbackWindow)
| where RegistryKey has @"\.DEFAULT"
| where InitiatingProcessAccountName !in~ ("system", "local service", "network service")
| summarize
RegistryHits = count(),
RegistryKeys = make_set(RegistryKey, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by DeviceName, InitiatingProcessFileName, InitiatingProcessId;
SuspiciousShells
| join kind=inner (DefaultHiveAccess)
on DeviceName,
$left.InitiatingProcessFileName == $right.InitiatingProcessFileName,
$left.InitiatingProcessId == $right.InitiatingProcessId
| where abs(datetime_diff('minute', TimeGenerated, FirstSeen)) < 5 // Max 5 min time window
| project
TimeGenerated,
DeviceName,
SuspiciousProcess = FileName,
CommandLine = ProcessCommandLine,
EscalatedTo = AccountName,
TriggeringProcess = InitiatingProcessFileName,
TriggeringUser = InitiatingProcessAccountName,
RegistryHits,
AffectedRegistryKeys = RegistryKeys,
CorrelationWindowMin = datetime_diff('minute', TimeGenerated, FirstSeen)
| sort by TimeGenerated desc
```
This query is designed to detect potential privilege escalation activities related to the MiniPlasma vulnerability (CVE-2020-17103). It focuses on identifying suspicious behavior that might indicate an attempt to gain elevated privileges on a system. Here's a simple breakdown of what the query does:
- **Time Frame:** It looks at events from the past 24 hours.
- **Suspicious Shells:** The query identifies instances where command-line interpreters (cmd.exe, powershell.exe, pwsh.exe, wscript.exe, cscript.exe) run as SYSTEM but were started by a process running under a non-system account, and whose grandparent is not one of the known service hosts (services.exe, msiexec.exe, tiworker.exe, svchost.exe). This is unusual because SYSTEM-level processes typically have specific, known parent processes.
- **Registry Access:** It also checks for access to the .DEFAULT registry hive by processes running under accounts other than the built-in service accounts ("system", "local service", or "network service"). This is suspicious because the .DEFAULT hive is normally accessed by system processes.
- **Correlation:** The query correlates these two suspicious activities (unexpected SYSTEM shell spawns and non-system account registry access) when they occur on the same device, are initiated by the same process (same image name and process ID), and the shell spawn falls within 5 minutes of the first .DEFAULT access. This correlation suggests a potential privilege escalation attempt.
- **Output:** The results include the time of the event, device name, the suspicious process, the command line used, the account to which privileges were escalated, the triggering process and user, the number of registry hits, the affected registry keys, and the correlation window in minutes.
Overall, this query helps security analysts identify and investigate potential privilege escalation attempts that exploit the MiniPlasma vulnerability.
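To sanity-check the rule's logic offline before deploying it, here is an added Python re-implementation of the query's two filters, its summarize and its join, run over a few constructed process and registry rows (example code, not part of the original rule; the hostnames, `helper.exe`, the PIDs and the `at()` helper are made up):

```python
from datetime import datetime
# Constructed sample rows (not real telemetry), keyed by the column names the KQL rule reads.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SERVICE_PARENTS = {"services.exe", "msiexec.exe", "tiworker.exe", "svchost.exe"}
SYSTEM_ACCTS = {"system", "local service", "network service"}
PCOLS = ("TimeGenerated", "DeviceName", "FileName", "AccountName", "InitiatingProcessFileName",
         "InitiatingProcessId", "InitiatingProcessAccountName", "InitiatingProcessParentFileName")
RCOLS = ("TimeGenerated", "DeviceName", "RegistryKey", "InitiatingProcessFileName",
         "InitiatingProcessId", "InitiatingProcessAccountName")
def at(minute): return datetime(2026, 5, 28, 10, minute)  # event time within a single hour
PROCESS_EVENTS = [dict(zip(PCOLS, v)) for v in [
    (at(3), "WS01", "cmd.exe", "SYSTEM", "helper.exe", 2210, "alice", "explorer.exe"),  # should alert
    (at(3), "WS01", "cmd.exe", "SYSTEM", "svchost.exe", 900, "alice", "services.exe"),  # known service parent
    (at(12), "WS02", "pwsh.exe", "SYSTEM", "helper.exe", 3310, "bob", "explorer.exe"),  # outside 5-min window
]]
REGISTRY_EVENTS = [dict(zip(RCOLS, v)) for v in [
    (at(1), "WS01", r"HKEY_USERS\.DEFAULT\Software\Classes", "helper.exe", 2210, "alice"),
    (at(2), "WS01", r"HKEY_USERS\.DEFAULT\Environment", "helper.exe", 2210, "alice"),
    (at(1), "WS02", r"HKEY_USERS\.DEFAULT\Environment", "helper.exe", 3310, "bob"),
]]

def default_hive_access(rows):
    # Mirrors the DefaultHiveAccess summarize: hits, key set and FirstSeen per (device, image, pid).
    groups = {}
    for r in rows:
        if r"\.DEFAULT" not in r["RegistryKey"] or r["InitiatingProcessAccountName"].lower() in SYSTEM_ACCTS:
            continue
        g = groups.setdefault((r["DeviceName"], r["InitiatingProcessFileName"], r["InitiatingProcessId"]),
                              {"RegistryHits": 0, "RegistryKeys": set(), "FirstSeen": r["TimeGenerated"]})
        g["RegistryHits"] += 1
        g["RegistryKeys"].add(r["RegistryKey"])
        g["FirstSeen"] = min(g["FirstSeen"], r["TimeGenerated"])
    return groups

def correlate(process_rows, registry_rows, window_min=5):
    # Inner join on device + initiating image + pid, keeping spawns within window_min of FirstSeen.
    hive, alerts = default_hive_access(registry_rows), []
    for p in process_rows:
        img, acct, iacct, parent = (p[k].lower() for k in ("FileName", "AccountName",
                                    "InitiatingProcessAccountName", "InitiatingProcessParentFileName"))
        key = (p["DeviceName"], p["InitiatingProcessFileName"], p["InitiatingProcessId"])
        if (img not in SHELLS or acct != "system" or iacct in SYSTEM_ACCTS
                or parent in SERVICE_PARENTS or key not in hive):  # nothing to join
            continue
        delta_min = int((p["TimeGenerated"] - hive[key]["FirstSeen"]).total_seconds() / 60)  # ~datetime_diff
        if abs(delta_min) < window_min:
            alerts.append({"TimeGenerated": p["TimeGenerated"], "DeviceName": p["DeviceName"],
                           "TriggeringProcess": p["InitiatingProcessFileName"], "TriggeringUser": iacct,
                           "RegistryHits": hive[key]["RegistryHits"], "CorrelationWindowMin": delta_min})
    return sorted(alerts, key=lambda a: a["TimeGenerated"], reverse=True)
```

Only the WS01 spawn is reported: the svchost.exe-hosted shell is dropped by the known-parent list, and the WS02 spawn is 11 minutes after its first .DEFAULT access.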

Benjamin Zulliger
Released: May 28, 2026