LegacyHive: The Windows User Profile Service Bug That Loads Another User’s Registry Hive Nightmare
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
LegacyHive is an unpatched local privilege escalation vulnerability in the Windows User Profile Service (ProfSvc). An attacker can use a combination of registry poisoning, object-manager symbolic links, and a TOCTOU race condition via oplocks to force a SYSTEM-level service to load a target user’s registry hive. This allows a low-privileged user to gain unauthorized access to sensitive registry data or potentially achieve full SYSTEM compromise.
Investigation
The researcher Nightmare-Eclipse developed a proof-of-concept (PoC) that exploits the mismatch between SYSTEM-level file operations and user-controlled pathing. The investigation demonstrates how modifying the Local AppData registry value can redirect the service to the NT object-manager namespace. By using an opportunistic lock (oplock) on a decoy file, the attacker can swap a symbolic link at the exact moment the service attempts to load the hive.
Mitigation
Microsoft must implement path canonicalization to ensure resolved paths remain within the legitimate user profile directory and reject device/object-manager prefixes. Additionally, developers should use reparse protection (FILE_FLAG_OPEN_REPARSE_POINT) and perform I/O within the user’s security context rather than the SYSTEM context to prevent confused deputy scenarios.
Response
Defenders should immediately monitor for unusual registry loads (RegLoadKey) for non-interactively logged-on accounts and watch for the creation of object directories under BaseNamedObjectsRestricted. Application control tools like WDAC or AppLocker should be used to prevent the execution of unsigned binaries. Once Microsoft releases an official patch, it should be prioritized for deployment across all Windows desktop and server installations.
Attack Flow
Detections
Possible LegacyHive Exploitation Behavior (via registry_event)
View
Possible LegacyHive Exploitation Behavior (via file_event)
View
Possible LegacyHive Exploitation Behavior (via cmdline)
View
Probable Use of Windows Hacktools [Part3] (via file_event)
View
Probable Use of Windows Hacktools [Part3] (via cmdline)
View
Detection of LegacyHive Privilege Escalation Attack [Windows Registry Event]
View
Detect LegacyHive Exploit Attempt via CreateProcessWithLogonW and Suspended Notepad [Windows Process Creation]
View
Executive Summary
- Test Case ID: TC-20240522-K9P2L
- TTPs: T1068, T1548
- Detection Rule Logic Summary: Detects attempts to exploit the LegacyHive vulnerability by monitoring for
notepad.exebeing launched with theCreateProcessWithLogonWAPI pattern in the command line. - Detection Rule Language/Format: yaml
- Target Security Environment: Windows OS, Windows Event Logs (Process Creation), EDR/SIEM.
- Resilience Score (1-5): 2
- Justification: The rule relies heavily on a specific string (
CreateProcessWithLogonW) appearing in theCommandLinefield. An adversary can easily bypass this by using different API calls that achieve the same result or by using different process names instead ofnotepad.exe. - Key Findings: The detection is highly specific to a single exploit implementation and is extremely fragile against minor variations in the attack vector.
- Recommendation: Expand the detection to monitor for suspicious
CreateProcessvariants across multiple common binaries (e.g.,calc.exe,cmd.exe) and monitor for User Profile Service (ProfSvc) anomalies.
Simulation Environment & Context
- TTPs Under Test:
- T1068: Exploitation for Privilege Escalation
- T1548: Abuse of Privilege Escalation Mechanisms
- TTP Context & Relevance: The LegacyHive exploit relies on coercing a SYSTEM-level service to perform actions on behalf of a user. By using
CreateProcessWithLogonWto spawn a process in a suspended state, an attacker can manipulate the environment to load a malicious registry hive. Monitoring the specific command-line artifacts of this API call is intended to catch the exploitation phase. - Target Environment:
- OS: Windows 10/11 or Windows Server 2019/2022
- Logging: Sysmon (Event ID 1) or Windows Security Event Log (Event ID 4688) with Command Line Auditing enabled.
- Security Stack: SIEM (e.g., Splunk, Microsoft Sentinel)
Telemetry & Baseline Pre-flight Check
Rationale: Before simulating the attack, we must confirm that the target host is configured to generate the necessary logs, that these logs are ingested by the SIEM, and that the detection rule does not fire on benign activity. Without this validation, any test outcome is unreliable.
-
1. Telemetry Configuration Instructions:
-
- Ensure “Audit Process Creation” is enabled via Group Policy (Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking).
-
- Ensure “Include command line in process creation events” is enabled (via Registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemAuditProcessCreationIncludeCmdLine).
- Ensure “Include command line in process creation events” is enabled (via Registry:
-
- Install Sysmon and ensure Event ID 1 (Process Creation) is being collected.
-
-
2. Ingestion & Baseline Validation:
-
Action (Benign Telemetry): Launch a standard instance of Notepad to ensure process creation logging is functional without triggering the exploit detection.
Start-Process "notepad.exe" -
Validation Query (Ingestion):
DeviceProcessEvents | where FileName =~ "notepad.exe" | where ProcessCommandLine !contains "CreateProcessWithLogonW"
-
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The attacker aims to exploit the LegacyHive vulnerability to escalate privileges to SYSTEM. To do this, they utilize a script that calls the
CreateProcessWithLogonWWindows API. The goal is to launchnotepad.exein a suspended state. The simulation uses a PowerShell wrapper to mimic the command-line argument pattern that the detection rule is looking for, specifically targeting the stringCreateProcessWithLogonWwithin the execution context ofnotepad.exe. -
Regression Test Script:
# Simulation of LegacyHive Exploit attempt via Command Line artifact injection # Note: This script simulates the command line string pattern for detection testing. $targetProcess = "notepad.exe" $fakeArgument = "CreateProcessWithLogonW" Write-Host "[+] Starting simulation of LegacyHive exploit attempt..." # We use cmd /c to ensure the command line string is explicitly passed # and appears in the process creation telemetry. Start-Process "cmd.exe" -ArgumentList "/c $targetProcess $fakeArgument" Write-Host "[+] Simulation command sent. Check SIEM for notepad.exe with CreateProcessWithLogonW in command line." -
Cleanup Commands:
# Terminate any lingering notepad or cmd processes created by the simulation Stop-Process -Name "notepad" -ErrorAction SilentlyContinue Stop-Process -Name "cmd" -ErrorAction SilentlyContinue