Introduction
Defenders are currently facing a new elevation of privilege (EoP) threat following the release of a proof-of-concept (PoC) exploit for a vulnerability dubbed "LegacyHive." Released by security researcher Chaotic Eclipse (Nightmare-Eclipse) just hours after Microsoft's July 2026 Patch Tuesday, this issue targets the Windows User Profile Service (ProfSvc).
Because this vulnerability is currently unpatched and a functional PoC is publicly available, the window for exploitation is open. Attackers can leverage this flaw to manipulate how Windows loads user profile registry hives, potentially allowing a standard user to execute code with SYSTEM-level privileges. This post provides the technical breakdown and detection logic required to hunt for this activity in your environment.
Technical Analysis
Affected Component: Windows User Profile Service (ProfSvc)
Vulnerability Type: Arbitrary Hive Load / Privilege Escalation
Technical Breakdown: The Windows User Profile Service is responsible for managing user profiles and loading the corresponding registry hives (NTUSER.dat) that define a user's environment. The LegacyHive vulnerability exposes a flaw in how this service handles the path resolution for these hive files.
By manipulating the registry or file system state, an attacker can trick ProfSvc into loading an arbitrary registry hive file from a location they control (e.g., a user-writable directory) rather than the secure system path. When the service loads this malicious hive, the operations are performed with the privileges of the ProfSvc (typically SYSTEM), leading to privilege escalation.
Attack Chain:
- An attacker with low-level access (standard user) prepares a malicious registry hive file.
- The attacker utilizes the LegacyHive technique to modify the profile loading behavior, pointing the User Profile Service to the malicious hive.
- The attacker triggers a profile load or system event that forces
ProfSvcto mount the rogue hive. - Malicious registry configurations or persistence mechanisms are executed with SYSTEM privileges.
Exploitation Status:
- Public PoC: Available (Released July 2026)
- Patch Status: Unpatched as of this reporting
- Active Exploitation: Theoretical (High risk given public PoC)
Detection & Response
Detecting "LegacyHive" requires monitoring for anomalies in how the User Profile Service interacts with the file system and registry. Since this vulnerability involves arbitrary hive loading, we must focus on detecting unauthorized modifications to the ProfileList registry keys and suspicious file access patterns by ProfSvc.
Sigma Rules
---
title: LegacyHive - Suspicious Modification of ProfileImagePath
id: 8a4b9c12-3d4e-4f8a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects modifications to ProfileList registry keys which may indicate an attempt to exploit arbitrary hive loading vulnerabilities like LegacyHive.
references:
- https://thehackernews.com/2026/07/researcher-drops-new-windows-zero-day.html
author: Security Arsenal
date: 2026/07/09
tags:
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
TargetObject|contains: 'ProfileImagePath'
filter_standard:
Image|endswith:
- '\services.exe'
- '\svchost.exe'
- '\mmc.exe'
- '\procexp.exe'
- '\procexp64.exe'
condition: selection and not filter_standard
falsepositives:
- Legitimate administrative profile management using non-standard tools
level: high
---
title: LegacyHive - ProfSvc Accessing Suspicious File Locations
id: 9b5c0d23-4e5f-5a9b-0c2d-3e4f5a6b7c8d
status: experimental
description: Detects the Windows User Profile Service (ProfSvc) accessing registry hive files outside of standard system or user profile directories, a potential indicator of arbitrary hive loading.
references:
- https://thehackernews.com/2026/07/researcher-drops-new-windows-zero-day.html
author: Security Arsenal
date: 2026/07/09
tags:
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_access
product: windows
detection:
selection:
Image|endswith: '\profsvc.dll'
TargetFilename|contains: '.dat'
filter_legit_paths:
TargetFilename|contains:
- '\Users\'
- '\Windows\System32\config\'
condition: selection and not filter_legit_paths
falsepositives:
- Rare; legitimate profile loads should occur within standard user directories
level: critical
KQL (Microsoft Sentinel / Defender)
// Hunt for modifications to ProfileList keys that may indicate LegacyHive activity
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where TargetObject contains @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
| where TargetObject contains @"ProfileImagePath"
| where not (InitiatingProcessFileName in~ ("services.exe", "svchost.exe", "mmc.exe", "procexp.exe"))
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, TargetObject, RegistryValueData
| order by Timestamp desc
Velociraptor VQL
-- Hunt for recent modifications to ProfileList registry keys
SELECT
Timestamp,
Sys.pathname AS KeyPath,
Sys.name AS ValueName,
Sys.data AS ValueData,
basename(Sys.pathname) AS SID
FROM read_reg_key(globs="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\*")
WHERE KeyPath =~ "ProfileList"
AND Timestamp < now() - 24h
-- Detect changes in the last 24 hours
Remediation Script (PowerShell)
<#
.SYNOPSIS
Audit script for LegacyHive vulnerability indicators.
Checks the ProfileList registry keys for suspicious ProfileImagePath values.
#>
function Test-LegacyHiveIndicators {
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
$suspiciousPaths = @("\Users\Public", "\Temp", "\AppData\Local\Temp")
Write-Host "[+] Auditing User Profile Service ProfileList for anomalies..." -ForegroundColor Cyan
$profiles = Get-ChildItem -Path $regPath -ErrorAction SilentlyContinue
if (-not $profiles) {
Write-Host "[-] No profiles found or registry access denied." -ForegroundColor Red
return
}
foreach ($profile in $profiles) {
$sid = $profile.PSChildName
$profileImagePath = (Get-ItemProperty -Path $profile.PSPath -Name "ProfileImagePath" -ErrorAction SilentlyContinue).ProfileImagePath
if ($profileImagePath) {
# Check if ProfileImagePath points to non-standard locations
$isSuspicious = $false
foreach ($badPath in $suspiciousPaths) {
if ($profileImagePath -like "*$badPath*") {
$isSuspicious = $true
}
}
if ($isSuspicious) {
Write-Host "[!] SUSPICIOUS PROFILE FOUND: SID $sid" -ForegroundColor Red
Write-Host " Path: $profileImagePath" -ForegroundColor Yellow
} else {
Write-Host "[+] OK: SID $sid -> $profileImagePath" -ForegroundColor Green
}
}
}
}
Test-LegacyHiveIndicators
Remediation
Status: Currently Unpatched (Zero-Day)
As of this publication, Microsoft has not released a patch for the LegacyHive vulnerability. Defenders must rely on strict mitigation and detection strategies.
-
Monitor Official Advisories: Closely monitor the Security Update Guide and future Patch Tuesday releases for a security update addressing the Windows User Profile Service (
ProfSvc). -
Privilege Hygiene: This is a local privilege escalation vulnerability. Its impact is significantly reduced if attackers cannot gain initial access or standard user privileges. Enforce the Principle of Least Privilege (PoLP) and strictly limit local administrator memberships.
-
Audit Profile Management: Use the PowerShell script provided above to audit the
ProfileListregistry keys regularly. Establish a baseline for legitimateProfileImagePathvalues and investigate any deviations immediately. -
Application Control: Deploy Windows Defender Application Control (WDAC) or AppLocker policies to prevent standard users from executing the Proof-of-Concept code or unauthorized binaries that might attempt to exploit this vulnerability.
-
Sensor Coverage: Ensure all endpoints are forwarding Sysmon and Microsoft Defender for Endpoint (MDE) logs to your SIEM to ingest the Sigma rules provided above.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.