SOC Prime Bias: Critical

16 Jul 2026 13:54 UTC

LegacyHive: The Windows User Profile Service Bug That Loads Another User’s Registry Hive Nightmare

Author Photo
SOC Prime Team linkedin icon Follow
LegacyHive: The Windows User Profile Service Bug That Loads Another User’s Registry Hive Nightmare
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

LegacyHive is an unpatched local privilege escalation vulnerability in the Windows User Profile Service (ProfSvc). An attacker can use a combination of registry poisoning, object-manager symbolic links, and a TOCTOU race condition via oplocks to force a SYSTEM-level service to load a target user’s registry hive. This allows a low-privileged user to gain unauthorized access to sensitive registry data or potentially achieve full SYSTEM compromise.

Investigation

The researcher Nightmare-Eclipse developed a proof-of-concept (PoC) that exploits the mismatch between SYSTEM-level file operations and user-controlled pathing. The investigation demonstrates how modifying the Local AppData registry value can redirect the service to the NT object-manager namespace. By using an opportunistic lock (oplock) on a decoy file, the attacker can swap a symbolic link at the exact moment the service attempts to load the hive.

Mitigation

Microsoft must implement path canonicalization to ensure resolved paths remain within the legitimate user profile directory and reject device/object-manager prefixes. Additionally, developers should use reparse protection (FILE_FLAG_OPEN_REPARSE_POINT) and perform I/O within the user’s security context rather than the SYSTEM context to prevent confused deputy scenarios.

Response

Defenders should immediately monitor for unusual registry loads (RegLoadKey) for non-interactively logged-on accounts and watch for the creation of object directories under BaseNamedObjectsRestricted. Application control tools like WDAC or AppLocker should be used to prevent the execution of unsigned binaries. Once Microsoft releases an official patch, it should be prioritized for deployment across all Windows desktop and server installations.

Attack Flow

Executive Summary

  • Test Case ID: TC-20240522-K9P2L
  • TTPs: T1068, T1548
  • Detection Rule Logic Summary: Detects attempts to exploit the LegacyHive vulnerability by monitoring for notepad.exe being launched with the CreateProcessWithLogonW API pattern in the command line.
  • Detection Rule Language/Format: yaml
  • Target Security Environment: Windows OS, Windows Event Logs (Process Creation), EDR/SIEM.
  • Resilience Score (1-5): 2
  • Justification: The rule relies heavily on a specific string (CreateProcessWithLogonW) appearing in the CommandLine field. An adversary can easily bypass this by using different API calls that achieve the same result or by using different process names instead of notepad.exe.
  • Key Findings: The detection is highly specific to a single exploit implementation and is extremely fragile against minor variations in the attack vector.
  • Recommendation: Expand the detection to monitor for suspicious CreateProcess variants across multiple common binaries (e.g., calc.exe, cmd.exe) and monitor for User Profile Service (ProfSvc) anomalies.

Simulation Environment & Context

  • TTPs Under Test:
    • T1068: Exploitation for Privilege Escalation
    • T1548: Abuse of Privilege Escalation Mechanisms
  • TTP Context & Relevance: The LegacyHive exploit relies on coercing a SYSTEM-level service to perform actions on behalf of a user. By using CreateProcessWithLogonW to spawn a process in a suspended state, an attacker can manipulate the environment to load a malicious registry hive. Monitoring the specific command-line artifacts of this API call is intended to catch the exploitation phase.
  • Target Environment:
    • OS: Windows 10/11 or Windows Server 2019/2022
    • Logging: Sysmon (Event ID 1) or Windows Security Event Log (Event ID 4688) with Command Line Auditing enabled.
    • Security Stack: SIEM (e.g., Splunk, Microsoft Sentinel)

Telemetry & Baseline Pre-flight Check

Rationale: Before simulating the attack, we must confirm that the target host is configured to generate the necessary logs, that these logs are ingested by the SIEM, and that the detection rule does not fire on benign activity. Without this validation, any test outcome is unreliable.

  • 1. Telemetry Configuration Instructions:

      1. Ensure “Audit Process Creation” is enabled via Group Policy (Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking).
      1. Ensure “Include command line in process creation events” is enabled (via Registry: HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemAuditProcessCreationIncludeCmdLine).
      1. Install Sysmon and ensure Event ID 1 (Process Creation) is being collected.
  • 2. Ingestion & Baseline Validation:

    • Action (Benign Telemetry): Launch a standard instance of Notepad to ensure process creation logging is functional without triggering the exploit detection.

      Start-Process "notepad.exe"
    • Validation Query (Ingestion):

      DeviceProcessEvents
      | where FileName =~ "notepad.exe"
      | where ProcessCommandLine !contains "CreateProcessWithLogonW"

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The attacker aims to exploit the LegacyHive vulnerability to escalate privileges to SYSTEM. To do this, they utilize a script that calls the CreateProcessWithLogonW Windows API. The goal is to launch notepad.exe in a suspended state. The simulation uses a PowerShell wrapper to mimic the command-line argument pattern that the detection rule is looking for, specifically targeting the string CreateProcessWithLogonW within the execution context of notepad.exe.

  • Regression Test Script:

    # Simulation of LegacyHive Exploit attempt via Command Line artifact injection
    # Note: This script simulates the command line string pattern for detection testing.
    
    $targetProcess = "notepad.exe"
    $fakeArgument = "CreateProcessWithLogonW"
    
    Write-Host "[+] Starting simulation of LegacyHive exploit attempt..."
    
    # We use cmd /c to ensure the command line string is explicitly passed 
    # and appears in the process creation telemetry.
    Start-Process "cmd.exe" -ArgumentList "/c $targetProcess $fakeArgument"
    
    Write-Host "[+] Simulation command sent. Check SIEM for notepad.exe with CreateProcessWithLogonW in command line."
  • Cleanup Commands:

    # Terminate any lingering notepad or cmd processes created by the simulation
    Stop-Process -Name "notepad" -ErrorAction SilentlyContinue
    Stop-Process -Name "cmd" -ErrorAction SilentlyContinue