File Sync to NTUSER.MAN on Roaming Profile Shares

Rule Info

Name
File Sync to NTUSER.MAN on Roaming Profile Shares
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects file synchronization events involving 'NTUSER.MAN' files on roaming profile shares. NTUSER.MAN is a mandatory user profile file that takes priority over NTUSER.DAT when present in a user's profile directory. Adversaries may abuse this feature for registry persistence by placing a crafted NTUSER.MAN file containing malicious registry keys. This technique also does not produce registry telemetry, because the hive is loaded directly from disk without invoking registry APIs or triggering CmRegisterCallbackEx callbacks. Mandatory profiles are rare in modern environments outside of kiosk or shared workstation configurations, making their presence suspicious. Consider excluding specific admin tools or scripts if this is common in your environment.
Date
2026-01-21 00:00:00
Modified
None
Id
a4350058-56bb-46a0-8fa3-c16d78c70adb
Tags
attack.lateral-movement attack.persistence attack.privilege-escalation attack.t1547.001
Type
Nextron Sigma feed only (private)

Rule History