Detection / DETPublic file

User Local AppData Redirected to the Object Manager Namespace

Detects a live registry change that redirects the current user's Local AppData shell folder into the BaseNamedObjects Restricted namespace. The released LegacyHive proof of concept makes this edit offline, so the rule is intended to cover live-edit variants.

Sigma source

Raw YAML
title: User Local AppData Redirected to the Object Manager Namespace
id: bccc802b-83a1-4dae-a4bc-c7875afb9d23
status: stable
author: FRAME ZERO
date: 2026-07-16
description: Detects a live registry change that redirects the current user's Local AppData shell folder into the BaseNamedObjects Restricted namespace. The released LegacyHive proof of concept makes this edit offline, so the rule is intended to cover live-edit variants.
references:
  - https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
  - https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
  category: registry_set
  product: windows
detection:
  selection_value:
    TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData'
  selection_redirect:
    Details|contains: '\GlobalRoot\BaseNamedObjects\Restricted'
  condition: selection_value and selection_redirect
falsepositives:
  - Authorized compatibility testing or security research that deliberately redirects shell folders through the Windows Object Manager namespace
  - Specialized application virtualization or profile tooling with a documented Object Manager based redirection design
level: high
tags:
  - attack.defense-evasion
  - attack.t1112
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
  - Registry-set telemetry records the complete target value path and the newly written data.
  - Offline edits to ntuser.dat are not visible to this rule and require file telemetry or later hive-difference analysis.

Relationships

Related files