GreenPlasma
February 18, 2026. A vendor SAS session shows a service account climbing from helpdesk laptop to domain admin in three hops. You read analyst notes and synthetic event excerpts only.
Briefing
GreenPlasma is analyst shorthand for a commodity kit observed in Q1 2026 that chains stolen interactive sessions with scheduled tasks running as NETWORK SERVICE and a legacy delegation on a maintenance account. This reconstruction contains no exploit code, only log shapes and timelines you would see in a ticket.
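As an added example (not part of the original page or of the GreenPlasma kit), the script below correlates a handful of constructed synthetic Windows Security events into the three-hop chain the briefing describes: a remote interactive logon, a scheduled task created by that account to run as NETWORK SERVICE, and a different account logging on from the task host and receiving special privileges on a third machine. The hostnames, account names, timestamps and the one-hour correlation window are assumptions; the event IDs and field meanings (4624 logon, 4698 scheduled task created, 4672 special privileges assigned) are the standard Security log ones.

```python
"""Correlate synthetic Windows Security events into an escalation chain.

Added example, not code from the original page. The event records are
constructed for illustration; hosts, accounts and timestamps are assumed.
Field names mirror Security log fields (TargetUserName, LogonType,
WorkstationName) but are shortened for readability.
"""
from datetime import datetime, timedelta

NETWORK_SERVICE = "NT AUTHORITY\\NETWORK SERVICE"

# Constructed sample events (hypothetical hosts and accounts), already
# normalised to one record per event as an MDR pipeline would deliver them.
EVENTS = [
    # Hop 1: remote interactive logon (LogonType 10) on the helpdesk laptop.
    {"ts": "2026-02-18T09:02:11", "id": 4624, "host": "HD-LAPTOP-17",
     "user": "CORP\\hd.jsmith", "logon_type": 10, "src_host": "HD-LAPTOP-17"},
    # Hop 2: same account creates a task on a file server running as NETWORK SERVICE.
    {"ts": "2026-02-18T09:14:40", "id": 4698, "host": "FS-02",
     "user": "CORP\\hd.jsmith", "task": "\\Maint\\CleanupTmp",
     "run_as": NETWORK_SERVICE},
    # Unrelated noise: a service logon on the same server.
    {"ts": "2026-02-18T09:14:55", "id": 4624, "host": "FS-02",
     "user": "CORP\\svc-backup", "logon_type": 5, "src_host": "FS-02"},
    # Hop 3: the maintenance account reaches the DC from the task host ...
    {"ts": "2026-02-18T09:15:05", "id": 4624, "host": "DC-01",
     "user": "CORP\\svc-maint", "logon_type": 3, "src_host": "FS-02"},
    # ... and is granted special (admin-equivalent) privileges there.
    {"ts": "2026-02-18T09:15:05", "id": 4672, "host": "DC-01",
     "user": "CORP\\svc-maint"},
]


def ts(event):
    """Parse the ISO-8601 timestamp carried by an event record."""
    return datetime.fromisoformat(event["ts"])


def reconstruct_chain(events, window=timedelta(hours=1)):
    """Return the events forming one interactive-logon-to-privilege chain.

    Links are made on actor (hop 1 -> hop 2) and on source host
    (hop 2 -> hop 3), all inside `window` of the initial logon.
    Returns [] when no complete chain exists.
    """
    events = sorted(events, key=ts)
    for e1 in events:
        if e1["id"] != 4624 or e1.get("logon_type") != 10:
            continue
        deadline = ts(e1) + window
        for e2 in events:
            # Hop 2: the logged-on user registers a task that runs as
            # NETWORK SERVICE on some host within the window.
            if not (e2["id"] == 4698 and e2["user"] == e1["user"]
                    and e2.get("run_as") == NETWORK_SERVICE
                    and ts(e1) <= ts(e2) <= deadline):
                continue
            for e3 in events:
                # Hop 3: a different account logs on to a third host with the
                # task host as its source, after the task was created.
                if not (e3["id"] == 4624 and e3["user"] != e1["user"]
                        and e3.get("src_host") == e2["host"]
                        and e3["host"] != e2["host"]
                        and ts(e2) <= ts(e3) <= deadline):
                    continue
                # Chain completes only if that account gets special privileges
                # on the same host it just reached.
                priv = [e for e in events
                        if e["id"] == 4672 and e["user"] == e3["user"]
                        and e["host"] == e3["host"]
                        and ts(e3) <= ts(e) <= deadline]
                if priv:
                    return [e1, e2, e3, priv[0]]
    return []


def summarize(chain):
    """Render a chain as one ticket line per hop."""
    return [f"{e['ts']} {e['id']} {e['host']} {e['user']}" for e in chain]


if __name__ == "__main__":
    for line in summarize(reconstruct_chain(EVENTS)):
        print(line)
```

The join keys are deliberately narrow: hop 2 must be created by the hop 1 account, and hop 3 must originate from the hop 2 host, so an unrelated service logon on the task host (the svc-backup record above) does not extend the chain. Widening either key, or the window, is where false positives creep in when this is run over real telemetry.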
Your role
Incident commander reviewing outsourced MDR escalations.
Objective
Follow the simulated intrusion from helpdesk remote session to scheduled task to service-account abuse and domain-admin cleanup.
Terminal environment
- user: responder
- host: dfir-laptop-02
- cwd: /home/dfir/greenplasma
- steps: 9
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.