Back to Intelligence

LegacyHive: Windows User Profile Service Arbitrary Hive Load EoP Analysis & Detection

SA
Security Arsenal Team
July 16, 2026
6 min read

Introduction

Defenders are currently facing a new elevation of privilege (EoP) threat following the release of a proof-of-concept (PoC) exploit for a vulnerability dubbed "LegacyHive." Released by security researcher Chaotic Eclipse (Nightmare-Eclipse) just hours after Microsoft's July 2026 Patch Tuesday, this issue targets the Windows User Profile Service (ProfSvc).

Because this vulnerability is currently unpatched and a functional PoC is publicly available, the window for exploitation is open. Attackers can leverage this flaw to manipulate how Windows loads user profile registry hives, potentially allowing a standard user to execute code with SYSTEM-level privileges. This post provides the technical breakdown and detection logic required to hunt for this activity in your environment.

Technical Analysis

Affected Component: Windows User Profile Service (ProfSvc)

Vulnerability Type: Arbitrary Hive Load / Privilege Escalation

Technical Breakdown: The Windows User Profile Service is responsible for managing user profiles and loading the corresponding registry hives (NTUSER.dat) that define a user's environment. The LegacyHive vulnerability exposes a flaw in how this service handles the path resolution for these hive files.

By manipulating the registry or file system state, an attacker can trick ProfSvc into loading an arbitrary registry hive file from a location they control (e.g., a user-writable directory) rather than the secure system path. When the service loads this malicious hive, the operations are performed with the privileges of the ProfSvc (typically SYSTEM), leading to privilege escalation.

Attack Chain:

  1. An attacker with low-level access (standard user) prepares a malicious registry hive file.
  2. The attacker utilizes the LegacyHive technique to modify the profile loading behavior, pointing the User Profile Service to the malicious hive.
  3. The attacker triggers a profile load or system event that forces ProfSvc to mount the rogue hive.
  4. Malicious registry configurations or persistence mechanisms are executed with SYSTEM privileges.

Exploitation Status:

  • Public PoC: Available (Released July 2026)
  • Patch Status: Unpatched as of this reporting
  • Active Exploitation: Theoretical (High risk given public PoC)

Detection & Response

Detecting "LegacyHive" requires monitoring for anomalies in how the User Profile Service interacts with the file system and registry. Since this vulnerability involves arbitrary hive loading, we must focus on detecting unauthorized modifications to the ProfileList registry keys and suspicious file access patterns by ProfSvc.

Sigma Rules

YAML
---
title: LegacyHive - Suspicious Modification of ProfileImagePath
id: 8a4b9c12-3d4e-4f8a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects modifications to ProfileList registry keys which may indicate an attempt to exploit arbitrary hive loading vulnerabilities like LegacyHive.
references:
  - https://thehackernews.com/2026/07/researcher-drops-new-windows-zero-day.html
author: Security Arsenal
date: 2026/07/09
tags:
  - attack.privilege_escalation
  - attack.t1548.002
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    TargetObject|contains: 'ProfileImagePath'
  filter_standard:
    Image|endswith:
      - '\services.exe'
      - '\svchost.exe'
      - '\mmc.exe'
      - '\procexp.exe'
      - '\procexp64.exe'
  condition: selection and not filter_standard
falsepositives:
  - Legitimate administrative profile management using non-standard tools
level: high
---
title: LegacyHive - ProfSvc Accessing Suspicious File Locations
id: 9b5c0d23-4e5f-5a9b-0c2d-3e4f5a6b7c8d
status: experimental
description: Detects the Windows User Profile Service (ProfSvc) accessing registry hive files outside of standard system or user profile directories, a potential indicator of arbitrary hive loading.
references:
  - https://thehackernews.com/2026/07/researcher-drops-new-windows-zero-day.html
author: Security Arsenal
date: 2026/07/09
tags:
  - attack.privilege_escalation
  - attack.t1548.002
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith: '\profsvc.dll'
    TargetFilename|contains: '.dat'
  filter_legit_paths:
    TargetFilename|contains:
      - '\Users\'
      - '\Windows\System32\config\'
  condition: selection and not filter_legit_paths
falsepositives:
  - Rare; legitimate profile loads should occur within standard user directories
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for modifications to ProfileList keys that may indicate LegacyHive activity
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where TargetObject contains @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
| where TargetObject contains @"ProfileImagePath"
| where not (InitiatingProcessFileName in~ ("services.exe", "svchost.exe", "mmc.exe", "procexp.exe"))
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, TargetObject, RegistryValueData
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recent modifications to ProfileList registry keys
SELECT 
  Timestamp, 
  Sys.pathname AS KeyPath, 
  Sys.name AS ValueName, 
  Sys.data AS ValueData,
  basename(Sys.pathname) AS SID
FROM read_reg_key(globs="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\*")
WHERE KeyPath =~ "ProfileList"
  AND Timestamp < now() - 24h
-- Detect changes in the last 24 hours

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Audit script for LegacyHive vulnerability indicators.
    Checks the ProfileList registry keys for suspicious ProfileImagePath values.
#>

function Test-LegacyHiveIndicators {
    $regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    $suspiciousPaths = @("\Users\Public", "\Temp", "\AppData\Local\Temp")
    
    Write-Host "[+] Auditing User Profile Service ProfileList for anomalies..." -ForegroundColor Cyan
    
    $profiles = Get-ChildItem -Path $regPath -ErrorAction SilentlyContinue
    
    if (-not $profiles) {
        Write-Host "[-] No profiles found or registry access denied." -ForegroundColor Red
        return
    }

    foreach ($profile in $profiles) {
        $sid = $profile.PSChildName
        $profileImagePath = (Get-ItemProperty -Path $profile.PSPath -Name "ProfileImagePath" -ErrorAction SilentlyContinue).ProfileImagePath
        
        if ($profileImagePath) {
            # Check if ProfileImagePath points to non-standard locations
            $isSuspicious = $false
            foreach ($badPath in $suspiciousPaths) {
                if ($profileImagePath -like "*$badPath*") {
                    $isSuspicious = $true
                }
            }

            if ($isSuspicious) {
                Write-Host "[!] SUSPICIOUS PROFILE FOUND: SID $sid" -ForegroundColor Red
                Write-Host "    Path: $profileImagePath" -ForegroundColor Yellow
            } else {
                Write-Host "[+] OK: SID $sid -> $profileImagePath" -ForegroundColor Green
            }
        }
    }
}

Test-LegacyHiveIndicators

Remediation

Status: Currently Unpatched (Zero-Day)

As of this publication, Microsoft has not released a patch for the LegacyHive vulnerability. Defenders must rely on strict mitigation and detection strategies.

  1. Monitor Official Advisories: Closely monitor the Security Update Guide and future Patch Tuesday releases for a security update addressing the Windows User Profile Service (ProfSvc).

  2. Privilege Hygiene: This is a local privilege escalation vulnerability. Its impact is significantly reduced if attackers cannot gain initial access or standard user privileges. Enforce the Principle of Least Privilege (PoLP) and strictly limit local administrator memberships.

  3. Audit Profile Management: Use the PowerShell script provided above to audit the ProfileList registry keys regularly. Establish a baseline for legitimate ProfileImagePath values and investigate any deviations immediately.

  4. Application Control: Deploy Windows Defender Application Control (WDAC) or AppLocker policies to prevent standard users from executing the Proof-of-Concept code or unauthorized binaries that might attempt to exploit this vulnerability.

  5. Sensor Coverage: Ensure all endpoints are forwarding Sysmon and Microsoft Defender for Endpoint (MDE) logs to your SIEM to ingest the Sigma rules provided above.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

criticalzero-daycvepatch-tuesdayexploitvulnerability-disclosurewindowsprivilege-escalationprofsvclegacyhive

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.