Back to Intelligence

LegacyHive Zero-Day: Detecting and Mitigating Windows ProfSvc Privilege Escalation

SA
Security Arsenal Team
July 17, 2026
6 min read

Introduction

Hours after Microsoft released the July 2026 Patch Tuesday updates, security researcher "Nightmare Eclipse" (Chaotic Eclipse) dropped a proof-of-concept (PoC) for a critical vulnerability dubbed LegacyHive. This flaw specifically targets the Windows User Profile Service (ProfSvc) and allows for unauthorized privilege escalation on systems that were believed to be fully patched.

For defenders, this is a worst-case scenario: a Day Zero exploit dropped immediately after the industry-standard patching cycle concludes, leaving a window of exposure until Microsoft addresses the issue. Because the vulnerability leverages a core service responsible for loading user profiles, the attack surface is significant across both desktop and server SKUs. This post provides the technical analysis and detection logic required to hunt for exploitation attempts while a patch is pending.

Technical Analysis

Affected Products:

  • Microsoft Windows 10 and later (Client)
  • Microsoft Windows Server 2019 and later (Server)
  • Status: Fully patched systems as of July 2026 are vulnerable.

Vulnerability Details:

  • Name: LegacyHive
  • Component: User Profile Service (ProfSvc)
  • Impact: Local Privilege Escalation (LPE)
  • CVE: Unassigned at time of publication.

Attack Chain: The vulnerability exploits a logic flaw in how ProfSvc handles legacy user profile hive files. By manipulating the structure or symbolic links associated with these hive files, an attacker can trick the service into loading a malicious registry hive or executing code with SYSTEM-level privileges.

Exploitation Status:

  • PoC Availability: Public (PoC released by Chaotic Eclipse)
  • Active Exploitation: While widespread in-the-wild exploitation has not been confirmed, the public release of a PoC significantly lowers the barrier for threat actors and ransomware gangs to incorporate this into their tooling immediately.

Detection & Response

Given the public availability of the PoC, defenders must assume that adversaries are attempting to weaponize this exploit. The User Profile Service (profsvc.exe) is a standard Windows component; however, its behavior regarding child process creation is strictly defined. Abnormal process spawning from this service is the primary indicator of compromise (IoC).

SIGMA Rules

YAML
---
title: LegacyHive - Suspicious Child Process of ProfSvc
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects potential exploitation of LegacyHive or similar ProfSvc vulnerabilities by identifying unusual child processes spawned by the User Profile Service.
references:
  - https://securityaffairs.com/195418/hacking/chaotic-eclipse-unveils-legacyhive-exploit-affecting-fully-patched-windows-systems.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\profsvc.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Unknown (ProfSvc should not spawn shells)
level: critical
---
title: LegacyHive - ProfSvc Accessing Suspicious File Paths
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects ProfSvc accessing files outside of standard profile directories, which may indicate an attempt to load a malicious hive or DLL.
references:
  - https://securityaffairs.com/195418/hacking/chaotic-eclipse-unveils-legacyhive-exploit-affecting-fully-patched-windows-systems.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith: '\profsvc.exe'
    TargetFileName|contains:
      - '\\Temp\'
      - '\\Public\'
      - '\\Downloads\'
  filter:
    TargetFileName|contains: 'C:\\Users\\'
  condition: selection and not filter
falsepositives:
  - Legitimate profile management scripts (rare)
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious child processes spawned by profsvc.exe
DeviceProcessEvents
| where InitiatingProcessFileName =~ "profsvc.exe"
| where not(FolderPath has @"C:\Windows\System32\") // Exclude legit system binaries if any, though usually profsvc spawns nothing interactive
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for processes spawned by profsvc.exe (LegacyHive indicator)
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, Parent.Pid AS ParentPid, Parent.Name AS ParentName
FROM pslist()
WHERE Parent.Name =~ "profsvc.exe"
  AND Name NOT IN ("conhost.exe")

Remediation Script (PowerShell)

This script audits the User Profile Service configuration and checks for the presence of active exploitation attempts by analyzing recent process trees.

PowerShell
<#
.SYNOPSIS
    Audit and Harden against LegacyHive (ProfSvc LPE).
.DESCRIPTION
    Checks the status of ProfSvc and hunts for suspicious child processes.
#>

Write-Host "[+] Starting LegacyHive Audit and Hardening Check..." -ForegroundColor Cyan

# 1. Check ProfSvc Status
$profSvc = Get-Service -Name ProfSvc -ErrorAction SilentlyContinue
if ($profSvc) {
    Write-Host "[INFO] User Profile Service Status: $($profSvc.Status)" -ForegroundColor Green
} else {
    Write-Host "[WARN] Could not retrieve ProfSvc status." -ForegroundColor Yellow
}

# 2. Hunt for Suspicious Child Processes
Write-Host "[+] Checking for processes spawned by profsvc.exe..." -ForegroundColor Cyan
$suspiciousProcesses = Get-WmiObject Win32_Process | Where-Object { 
    $_.ParentProcessId -ne 0 -and 
    (Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)").Name -eq 'profsvc.exe'
}

if ($suspiciousProcesses) {
    Write-Host "[ALERT] Found potential exploit activity! ProfSvc spawned child processes:" -ForegroundColor Red
    $suspiciousProcesses | Format-Table Name, ProcessId, ParentProcessId, CommandLine -AutoSize
    
    # Optional: Kill process (Use with caution in production)
    # $suspiciousProcesses | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
} else {
    Write-Host "[INFO] No suspicious child processes detected." -ForegroundColor Green
}

# 3. Mitigation: Local Admin Audit
Write-Host "[+] Auditing Local Administrators (Defense in Depth)..." -ForegroundColor Cyan
$localAdmins = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
if ($localAdmins) {
    Write-Host "[INFO] Current Local Administrators (Ensure these are authorized):" -ForegroundColor Yellow
    $localAdmins | Select-Object Name, PrincipalSource
} else {
    Write-Host "[WARN] Could not enumerate local admins." -ForegroundColor Yellow
}

Write-Host "[+] Audit complete." -ForegroundColor Cyan

Remediation

As of this publication, Microsoft has not released a patch for the LegacyHive vulnerability. Defenders should implement the following mitigations immediately:

  1. Principle of Least Privilege: This is an LPE vulnerability; it requires initial access to execute. Ensure standard users do not have local administrator rights. If an attacker cannot gain an initial foothold or execute code as a standard user, the LPE cannot be triggered.

  2. Implementation of Detection Rules: Deploy the provided Sigma rules and KQL queries immediately. Since profsvc.exe should rarely, if ever, spawn interactive shells like PowerShell or CMD, alerts on this behavior should be treated as critical.

  3. Network Segmentation: Limit lateral movement capabilities for workstations. If a workstation is compromised via LegacyHive, segmentation prevents the attacker from moving immediately to domain controllers.

  4. Monitor Vendor Advisory: Closely monitor the Microsoft Security Response Center (MSRC) blog for an out-of-band patch or an update in the next Patch Tuesday cycle (August 2026). Once a CVE is assigned and a patch is released, prioritize testing and deployment immediately.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurewindowsprivilege-escalationlegacyhiveprofsvc

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.