Access to Windows User Profile Hive Files
Hunts audited Windows object-access events for ntuser.dat or UsrClass.dat. Compare the subject account with the username in the object path and correlate explicit-credential use, logon, and process creation in the same short window before escalation.
Sigma source
Raw YAMLtitle: Access to Windows User Profile Hive Files
id: 820e3bb8-7fae-4986-a897-ba38b97c140f
status: experimental
author: FRAME ZERO
date: 2026-07-16
description: Hunts audited Windows object-access events for ntuser.dat or UsrClass.dat. Compare the subject account with the username in the object path and correlate explicit-credential use, logon, and process creation in the same short window before escalation.
references:
- https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
- https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
product: windows
service: security
detection:
selection:
EventID: 4663
ObjectName|endswith:
- '\ntuser.dat'
- '\AppData\Local\Microsoft\Windows\UsrClass.dat'
condition: selection
falsepositives:
- Normal Windows profile loading and unloading activity
- Authorized backup, migration, forensic acquisition, endpoint security, or support tooling that accesses user hive files
- Administrators investigating or repairing a user profile
level: medium
tags:
- attack.collection
- attack.t1005
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
- SACLs are narrowly configured on ntuser.dat and UsrClass.dat to produce Windows Security event 4663 without excessive noise.
- Event records preserve SubjectUserName, ObjectName, access type, process context, and logon identifiers for cross-user comparison.
- Analysts can correlate event IDs 4648, 4624, and 4688 within the same short time window.