Detection / HNTPublic file

Access to Windows User Profile Hive Files

Hunts audited Windows object-access events for ntuser.dat or UsrClass.dat. Compare the subject account with the username in the object path and correlate explicit-credential use, logon, and process creation in the same short window before escalation.

Sigma source

Raw YAML
title: Access to Windows User Profile Hive Files
id: 820e3bb8-7fae-4986-a897-ba38b97c140f
status: experimental
author: FRAME ZERO
date: 2026-07-16
description: Hunts audited Windows object-access events for ntuser.dat or UsrClass.dat. Compare the subject account with the username in the object path and correlate explicit-credential use, logon, and process creation in the same short window before escalation.
references:
  - https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
  - https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4663
    ObjectName|endswith:
      - '\ntuser.dat'
      - '\AppData\Local\Microsoft\Windows\UsrClass.dat'
  condition: selection
falsepositives:
  - Normal Windows profile loading and unloading activity
  - Authorized backup, migration, forensic acquisition, endpoint security, or support tooling that accesses user hive files
  - Administrators investigating or repairing a user profile
level: medium
tags:
  - attack.collection
  - attack.t1005
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
  - SACLs are narrowly configured on ntuser.dat and UsrClass.dat to produce Windows Security event 4663 without excessive noise.
  - Event records preserve SubjectUserName, ObjectName, access type, process context, and logon identifiers for cross-user comparison.
  - Analysts can correlate event IDs 4648, 4624, and 4688 within the same short time window.

Relationships

Related files