Rule Info
Name
Creation of NTUSER.MAN File in User Profile
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of an NTUSER.MAN file in a user's profile directory.
NTUSER.MAN is a mandatory user profile file that takes priority over NTUSER.DAT when present in a user's profile directory.
Adversaries may abuse this feature for registry persistence by placing a crafted NTUSER.MAN file containing malicious registry keys.
This technique also does not produce registry telemetry, because the hive is loaded directly from disk without invoking registry APIs or triggering CmRegisterCallbackEx callbacks.
Mandatory profiles are rare in modern environments outside of kiosk or shared workstation configurations, making their presence suspicious.
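The rule itself is in a private feed, so the following is an added illustration of the detection logic the description outlines, not the Nextron rule. It assumes file-creation telemetry in the shape of Sysmon Event ID 11 (FileCreate) with a TargetFilename field; the sample events are constructed for this example and do not come from the page.

```python
import re

# Constructed sample events, loosely modelled on Sysmon Event ID 11 (FileCreate).
# They are illustrative only and are not taken from any real log source.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\report.tmp"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\NTUSER.MAN"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\bob\ntuser.dat"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Default\NTUSER.MAN"},
    # Process-creation event (ID 1), not a file creation: must not match.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\carol\NTUSER.MAN"},
]

# <drive>:\Users\<profile>\NTUSER.MAN, exactly one path component under the
# profile root, matched case-insensitively because NTFS paths are.
_NTUSER_MAN = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\NTUSER\.MAN$", re.IGNORECASE)


def is_ntuser_man_creation(event: dict) -> bool:
    """True when the event is a file creation of NTUSER.MAN in a profile root."""
    if event.get("EventID") != 11:
        return False
    return bool(_NTUSER_MAN.match(event.get("TargetFilename", "")))


def find_ntuser_man_creations(events):
    """Return every event that would trigger the mandatory-profile check."""
    return [e for e in events if is_ntuser_man_creation(e)]


if __name__ == "__main__":
    for hit in find_ntuser_man_creations(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} created {hit['TargetFilename']}")
```

In an environment that legitimately deploys mandatory profiles (kiosks, shared workstations), the creating process and the affected profile roots would be the natural fields to allow-list; everywhere else, any hit is worth triage, since the hive load itself leaves no registry events to correlate with.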
Date
2026-01-21 00:00:00
Modified
None
Id
ef4b67d6-b31f-472c-86a7-132fdec68d03
Tags
attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1547.001 attack.t1112
Type
Nextron Sigma feed only (private)
