User Local AppData Redirected to the Object Manager Namespace
Detects a live registry change that redirects the current user's Local AppData shell folder into the BaseNamedObjects Restricted namespace. The released LegacyHive proof of concept makes this edit offline, so the rule is intended to cover live-edit variants.
Sigma source
Raw YAMLtitle: User Local AppData Redirected to the Object Manager Namespace
id: bccc802b-83a1-4dae-a4bc-c7875afb9d23
status: stable
author: FRAME ZERO
date: 2026-07-16
description: Detects a live registry change that redirects the current user's Local AppData shell folder into the BaseNamedObjects Restricted namespace. The released LegacyHive proof of concept makes this edit offline, so the rule is intended to cover live-edit variants.
references:
- https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
- https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
category: registry_set
product: windows
detection:
selection_value:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData'
selection_redirect:
Details|contains: '\GlobalRoot\BaseNamedObjects\Restricted'
condition: selection_value and selection_redirect
falsepositives:
- Authorized compatibility testing or security research that deliberately redirects shell folders through the Windows Object Manager namespace
- Specialized application virtualization or profile tooling with a documented Object Manager based redirection design
level: high
tags:
- attack.defense-evasion
- attack.t1112
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
- Registry-set telemetry records the complete target value path and the newly written data.
- Offline edits to ntuser.dat are not visible to this rule and require file telemetry or later hive-difference analysis.