Detection Logic Bugs, Developing Context to Bypass MiniPlasma Rules
ID: e2907f9e-69ea-5d82-85f1-df222910a852
STIX ID: report--e2907f9e-69ea-5d82-85f1-df222910a852
Feed Name: Detect FYI
This report examines how the GreenPlasma/MiniPlasma UAC escalation exploits a predictable shared-memory object path and attacker-planted symbolic links to gain SYSTEM privileges. It shows how brittle detection rules, such as string matching on conhost.exe, can be bypassed through process cloning and context manipulation, and it recommends focusing instead on more reliable indicators such as volatile registry artifacts (a CloudFiles\BlockedApps key whose SymbolicLinkValue points to Policies\System). The report classifies these context-development detection bugs using the ADE3 taxonomy.
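As an added illustration (this is not the report's own detection content, which is behind the subscription), the following Python contrasts a brittle process-name rule with a rule keyed on the registry artifact the summary names, and runs both over constructed sample telemetry. The event shape, the image paths and the hive prefix of the registry key are assumptions made for the sample; the artifact rule relies only on the components the summary mentions (CloudFiles\BlockedApps, SymbolicLinkValue, Policies\System).

```python
"""Brittle string match vs. artifact-keyed detection, over constructed sample events.

Added example, not code from the Detect FYI report. Event shapes, image paths and
the hive prefix of the registry key are constructed for the sample; the artifact
rule keys only on the components the summary names (CloudFiles\\BlockedApps,
SymbolicLinkValue, Policies\\System).
"""
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "process" or "registry"
    image: str = ""         # process image path, for process-creation events
    key: str = ""           # registry key path, for registry-set events
    value_name: str = ""    # registry value name
    value_data: str = ""    # registry value data (REG_LINK target as a string)


def _norm(path: str) -> str:
    """Lower-case and unify separators so matching is not defeated by case or slashes."""
    return path.replace("/", "\\").lower()


def brittle_conhost_rule(ev: Event) -> bool:
    """Brittle rule: fires only when the process image is literally conhost.exe.

    A cloned process whose image name differs but which carries the same context
    slips past this check entirely (the kind of bypass the summary describes).
    """
    return ev.kind == "process" and _norm(ev.image).endswith("\\conhost.exe")


def blockedapps_symlink_rule(ev: Event) -> bool:
    """Artifact rule: fires on a SymbolicLinkValue under a CloudFiles\\BlockedApps key
    whose link target is a Policies\\System key. Independent of which process set it.
    """
    if ev.kind != "registry":
        return False
    if "\\cloudfiles\\blockedapps" not in _norm(ev.key):
        return False
    if ev.value_name.lower() != "symboliclinkvalue":
        return False
    return "\\policies\\system" in _norm(ev.value_data)


RULES = {
    "brittle_conhost_match": brittle_conhost_rule,
    "blockedapps_symlink_to_policies_system": blockedapps_symlink_rule,
}

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # 0: the textbook image name; the brittle rule fires.
    Event(kind="process", image=r"C:\Windows\System32\conhost.exe"),
    # 1: a cloned process given an unremarkable image name; the brittle rule is blind to it.
    Event(kind="process", image=r"C:\Users\Public\svc_worker.exe"),
    # 2: the artifact the summary names. Hive prefix is assumed for the sample.
    Event(kind="registry",
          key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudFiles\BlockedApps\0",
          value_name="SymbolicLinkValue",
          value_data=r"\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"),
    # 3: same key shape but the link points elsewhere; the target check keeps this quiet.
    Event(kind="registry",
          key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudFiles\BlockedApps\1",
          value_name="SymbolicLinkValue",
          value_data=r"\Registry\Machine\SOFTWARE\Example\Scratch"),
    # 4: a SymbolicLinkValue under an unrelated key; not this artifact.
    Event(kind="registry",
          key=r"HKLM\SOFTWARE\Example\Links",
          value_name="SymbolicLinkValue",
          value_data=r"\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"),
]


def run_rules(events):
    """Return, per rule, the indices of the events it fires on."""
    return {name: [i for i, ev in enumerate(events) if rule(ev)]
            for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The brittle rule catches only event 0 and is silent on the renamed clone in event 1, while the artifact rule fires on event 2 regardless of which process wrote the value, and the explicit target check keeps the look-alike keys in events 3 and 4 from producing noise.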
