Rule Info
Name
AD User ProfilePath Attribute Modification
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects changes to the 'ProfilePath' attribute of an Active Directory user account.
Attackers can modify this attribute to point to a roaming profile in order to establish persistence or move laterally within a network.
One example is updating the ProfilePath to point to a network share in order to sync malicious NTUSER.MAN files for registry persistence.
Since this event can also be generated during legitimate administrative activities, it is recommended to validate the legitimacy of such changes by cross-referencing them with change management logs or known administrative actions.
Date
2026-01-21 00:00:00
Modified
None
Id
e995b53a-8ab0-4075-9ebc-c3f982db98f1
Tags
attack.persistence attack.lateral-movement attack.privilege-escalation attack.t1098
Type
Nextron Sigma feed only (private)
