Rule Info
Name
Usage of NTUSER.MAN in Command Line
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the string 'NTUSER.MAN' in a process command line, which may indicate an attempt to create, copy, load or otherwise manipulate a mandatory user profile hive.
NTUSER.MAN is the mandatory-profile variant of the per-user registry hive. When it is present in a profile directory Windows loads it instead of NTUSER.DAT, and because a mandatory profile is read-only, changes made during the session are discarded at logoff and the hive on disk is re-applied at every logon.
Adversaries may abuse this for registry persistence by staging a crafted NTUSER.MAN that already contains malicious values, for example in the HKCU Run key, so the payload is re-established each time the user logs on.
Because the values are written into the hive file offline, no registry write ever happens on the live system: mounting the profile appears as a hive-load operation rather than as per-value RegSetValue events (e.g. Sysmon Event ID 13), and registry-callback-based monitoring observes the load, not the individual keys. File-system and command-line telemetry are therefore the main remaining signals.
Mandatory profiles are rare in modern environments outside kiosk or shared-workstation configurations, so the string in a command line should be treated as suspicious and the referenced hive inspected. Legitimate provisioning scripts that rename NTUSER.DAT to NTUSER.MAN are the expected false positive.
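The following PowerShell hunt script is an added example and is not part of the Nextron rule, its feed or the author's work. It puts the description above into practice on a single host: it resolves profile directories from the ProfileList key and reports any NTUSER.MAN found, mounts such a hive offline to list the autostart values it carries (the keys a crafted hive would typically target), and replays the rule's own command-line check against Sysmon Event ID 1 events. The Sysmon channel name, the `NtuserManHunt` mount name and the chosen set of autostart keys are assumptions of the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Nextron rule or its feed. Hunts for NTUSER.MAN
# hives on the local host, inspects the autostart values inside them, and replays
# the rule's command-line check against Sysmon process-creation events.
# Assumptions: Sysmon logs to its default channel, reg.exe is available, and the
# mount name 'NtuserManHunt' is arbitrary.

# 1. Resolve profile directories from ProfileList instead of assuming C:\Users,
#    so relocated profiles are covered. System.IO is used because the hive files
#    carry Hidden/System attributes, which Get-Item skips without -Force.
function Get-MandatoryProfileHives {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $profileList) {
        $image = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        if (-not $image) { continue }
        $dir = [Environment]::ExpandEnvironmentVariables($image)
        $man = Join-Path $dir 'NTUSER.MAN'
        if ([IO.File]::Exists($man)) {
            [pscustomobject]@{
                Sid       = $key.PSChildName
                Profile   = $dir
                Hive      = $man
                HasDat    = [IO.File]::Exists((Join-Path $dir 'NTUSER.DAT'))
                LastWrite = [IO.File]::GetLastWriteTimeUtc($man)
            }
        }
    }
}

# 2. Mount a hive under HKEY_USERS and list the autostart locations a crafted
#    NTUSER.MAN would typically carry. reg.exe refuses hives that are in use, so
#    this works for logged-off users or for a copy of the file taken from disk.
function Get-HiveAutostarts {
    param([Parameter(Mandatory)][string]$HivePath)
    $mount = 'NtuserManHunt'
    $autostartKeys = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows NT\CurrentVersion\Windows',   # Load / Run values
        'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit overrides
    )
    & reg.exe load "HKU\$mount" $HivePath *> $null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (hive in use or access denied)" }
    try {
        foreach ($sub in $autostartKeys) {
            $k = [Microsoft.Win32.Registry]::Users.OpenSubKey("$mount\$sub")
            if (-not $k) { continue }
            try {
                foreach ($name in $k.GetValueNames()) {
                    [pscustomobject]@{
                        Key   = $sub
                        Name  = if ($name) { $name } else { '(Default)' }
                        # Keep REG_EXPAND_SZ raw so %TEMP%-style paths are visible as written.
                        Value = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                    }
                }
            } finally { $k.Close() }   # release the handle before unloading
        }
    } finally {
        [GC]::Collect()               # drop lingering handles or the unload is denied
        & reg.exe unload "HKU\$mount" *> $null
    }
}

# 3. Replay the rule's check against Sysmon Event ID 1 (process creation). -match
#    is case-insensitive by default and the pattern is deliberately as broad as
#    the rule: any command line containing NTUSER.MAN.
function Find-NtuserManCommandLines {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['CommandLine'] -match 'NTUSER\.MAN') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['User']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
                ParentImage = $data['ParentImage']
            }
        }
    }
}

# Run all three checks.
foreach ($hive in Get-MandatoryProfileHives) {
    Write-Host "Mandatory hive: $($hive.Hive) (SID $($hive.Sid), last written $($hive.LastWrite) UTC)"
    try   { Get-HiveAutostarts -HivePath $hive.Hive | Format-Table -AutoSize }
    catch { Write-Warning $_.Exception.Message }
}
Find-NtuserManCommandLines -Days 30 | Format-Table -AutoSize -Wrap
```

Run it from an elevated session. The hive load fails for users who are currently logged on because the file is locked, so for a live profile work from a copy obtained during forensic acquisition. The `[GC]::Collect()` before `reg unload` is deliberate: PowerShell's registry provider keeps handles open, and an unload attempted while one is outstanding fails with access denied. Expect hits from kiosk provisioning scripts that rename NTUSER.DAT to NTUSER.MAN; triage those against the hive's last-write time and its autostart contents rather than tuning the rule out.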
Date
2026-01-21
Modified
None
Id
102c80f2-5c39-4049-87b1-5c6ae1be896e
Tags
attack.privilege-escalation attack.defense-evasion attack.persistence attack.t1547.001 attack.t1112
Type
Nextron Sigma feed only (private)
