Modified version of Nightmare-Eclipse/MiniPlasma (CVE-2020-17103) adapted for C2 usage.
Original PoC runs from disk only. This version runs entirely from memory via execute-assembly, with a split-binary approach to avoid detection.
This tool is provided for authorized security testing and educational purposes only. Use of this tool against systems without explicit written permission is illegal and unethical. The author assumes no liability for misuse or damage caused by this tool. Always obtain proper authorization before conducting any security testing.
- Refactored multi-process stages into single-process threaded execution (no more self-relaunch via `Assembly.Location`)
- Removed `Environment.Exit()` calls that kill the hosting process
- Split into two binaries: main exploit (runs in memory) + MiniRunner (tiny SYSTEM callback dropped to disk briefly)
- MiniRunner is embedded as a .NET resource and extracted at runtime
- Unique named pipe per run (no more pipe collisions on repeated execution)
- Config passed via `C:\ProgramData` (accessible by both user and SYSTEM contexts)
- Custom payload path via command line argument
- Retargeted to .NET Framework 4.8
- Removed manifest signing requirement
- Flattened project structure
```
csc /platform:x64 /optimize /out:runner.bin MiniRunner.cs
msbuild MiniPlasma.sln /p:Configuration=Release
```

NOTE: `runner.bin` must be compiled first; it gets embedded into the main exe during build.
```
execute-assembly MiniPlasma-Runner.exe C:\Path\To\payload.exe
```

Without arguments it defaults to `conhost.exe`.
- Target must have the Cloud Files filter driver available (`sc start cldflt` if not running)
- Standard user context (this is a local privilege escalation)
- .NET Framework 4.8 on target
Only MiniRunner touches disk (~5KB) as wermgr.exe inside a temporary directory under C:\ProgramData. Cleaned up automatically after execution. The main exploit never touches disk.
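The on-disk footprint described above is also what a defender can key on: the legitimate Windows Error Reporting manager lives in the Windows system directories, so a `wermgr.exe` starting from under `C:\ProgramData` is a masquerade, and `sc start cldflt` issued from a standard user account is an unusual precursor. The following detection logic is an added example, not part of this project or the original PoC; the Sysmon-style process-creation records and their field names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Directories where the genuine wermgr.exe (Windows Error Reporting manager) resides.
LEGIT_WERMGR_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Constructed Sysmon-style process-creation records (EventID 1); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\Windows\System32\wermgr.exe -upload", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Image": r"C:\ProgramData\tmp7f3a\wermgr.exe",
     "CommandLine": r"C:\ProgramData\tmp7f3a\wermgr.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc start cldflt", "User": "CORP\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "User": "CORP\\alice"},
]

def masquerading_wermgr(event):
    """True if a process named wermgr.exe runs outside the Windows system directories."""
    image = PureWindowsPath(event.get("Image", ""))
    if image.name.lower() != "wermgr.exe":
        return False
    return str(image.parent).lower() not in LEGIT_WERMGR_DIRS

def cldflt_started_by_user(event):
    """True if a non-SYSTEM account starts the Cloud Files filter driver via sc."""
    cmd = event.get("CommandLine", "").lower()
    user = event.get("User", "").upper()
    started = re.search(r"\bsc(\.exe)?\s+start\s+cldflt\b", cmd) is not None
    return started and not user.endswith("\\SYSTEM")

def triage(events):
    """Return (index, reason) for every process-creation record that matches a check."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 1:
            continue
        if masquerading_wermgr(ev):
            hits.append((i, "wermgr.exe outside system directory"))
        if cldflt_started_by_user(ev):
            hits.append((i, "cldflt started from user context"))
    return hits

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {why} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The masquerade check is path-based, so it also covers a renamed copy dropped anywhere else outside `System32`/`SysWOW64`, not only the `C:\ProgramData` location this tool uses.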
- Nightmare-Eclipse - original MiniPlasma PoC
- CVE-2020-17103 - Cloud Files abort hydration arbitrary registry key write