Potential Persistence via Mandatory User Profile
Detects the creation or modification of a mandatory user profile hive (NTUSER.MAN) by an unusual process. Adversaries may abuse Windows mandatory profiles by dropping a malicious NTUSER.MAN file containing pre-populated persistence-related registry keys. On the next user logon, Windows loads the registry hive from NTUSER.MAN, causing embedded persistence mechanisms to activate without directly modifying the live registry. This technique can evade traditional registry-based monitoring and indicate a stealthy persistence attempt.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/01/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/07"

[rule]
author = ["Elastic"]
description = """
Detects the creation or modification of a mandatory user profile hive (NTUSER.MAN) by an unusual process.
Adversaries may abuse Windows mandatory profiles by dropping a malicious NTUSER.MAN file containing
pre-populated persistence-related registry keys. On the next user logon, Windows loads the registry hive
from NTUSER.MAN, causing embedded persistence mechanisms to activate without directly modifying the live
registry. This technique can evade traditional registry-based monitoring and indicate a stealthy
persistence attempt.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Persistence via Mandatory User Profile"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Persistence via Mandatory User Profile

Windows supports *mandatory user profiles*, which rely on the `NTUSER.MAN` registry hive instead of the standard `NTUSER.DAT`. When a user logs in, Windows loads registry settings directly from this file. Adversaries can exploit this behavior by crafting or modifying an `NTUSER.MAN` file with embedded persistence mechanisms (for example, `Run` keys, logon scripts, or policy-based execution). Because the registry hive is loaded at logon, this technique may bypass traditional registry modification telemetry and provide stealthy persistence.

This rule detects the creation or modification of `NTUSER.MAN` files in user profile directories by non-system processes, which is uncommon in legitimate environments.

### Possible investigation steps

- Review the process responsible for creating or modifying NTUSER.MAN, focusing on process.name, process.executable, and parent process relationships. Creation or modification by scripting engines, LOLBins, or unsigned binaries is highly suspicious.
- Examine the file path to confirm whether the .MAN profile corresponds to a legitimate mandatory profile or an unexpected user directory.
- Extract and analyze the contents of the NTUSER.MAN file by loading it offline into a registry viewer. Look for persistence-related keys such as:
  - Run / RunOnce
  - UserInitMprLogonScript
  - Policy-based execution keys
- Determine which user account(s) are configured to use the mandatory profile and whether this aligns with expected administrative behavior.
- Correlate the event with preceding file writes, downloads, or process executions that may have staged the malicious hive.
- Review recent logon activity for users tied to the mandatory profile to identify whether persistence may have already been triggered.
- Check threat intelligence sources for known malware or tooling that abuses mandatory profiles or offline registry hive manipulation.

### False positive analysis

- Legitimate enterprise environments may use mandatory profiles in controlled scenarios such as kiosks, training systems, or shared workstations.
- Administrative tools or scripts used during system imaging or profile provisioning may legitimately create NTUSER.MAN files.
- Profile migrations or backup/restore operations could trigger benign modifications.

Validate whether the modifying process, user, and timing align with known administrative activity before dismissing the alert.

### Response and remediation

- Isolate the affected host if malicious persistence is suspected to prevent further execution.
- Prevent further logons for users associated with the suspicious mandatory profile until analysis is complete.
- Remove or replace the malicious NTUSER.MAN file with a known-good version.
- Inspect the loaded registry hive for additional persistence mechanisms and remove any unauthorized entries.
- Conduct a full endpoint scan to identify additional payloads or lateral movement.
- Review endpoint detection coverage to ensure offline registry hive and profile-based persistence techniques are monitored.
- Escalate confirmed malicious activity to incident response and document findings to improve future detections."""
references = ["https://deceptiq.com/blog/ntuser-man-registry-persistence"]
risk_score = 47
rule_id = "0e42f920-047d-4568-b961-2a50db6c4713"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
]
timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
timeline_title = "Comprehensive File Timeline"
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and
  event.type in ("creation", "change") and user.id != "S-1-5-18" and
  file.name : "NTUSER.MAN" and file.path : "?:\\Users\\*.MAN"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]

framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
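To make the query's conditions concrete, the following Python emulates the rule's EQL logic over a handful of ECS-style file events. This is an added example, not code from Elastic or the detection-rules repository: it reproduces the `event.type` scope, the `user.id != "S-1-5-18"` exclusion (including EQL's behaviour when the field is absent), and the case-insensitive `:` wildcard matching of `file.name` and `file.path`, and then applies a first-pass triage label mirroring the false-positive guidance. Every event, SID, path and process name is constructed sample data; the provisioning-tool allowlist and the `triage_label` helper are hypothetical tuning aids, not part of the rule, and the `from = "now-9m"` lookback window is not emulated.

```python
"""Emulate the NTUSER.MAN EQL rule over constructed ECS file events.

Added example, not Elastic's code. Reproduces the query's match conditions in
plain Python so the logic can be exercised offline without an Elastic stack.
"""
import re
from typing import Iterable, List

LOCAL_SYSTEM_SID = "S-1-5-18"            # excluded by `user.id != "S-1-5-18"`
FILE_NAME_PATTERN = "NTUSER.MAN"         # `file.name : "NTUSER.MAN"`
FILE_PATH_PATTERN = r"?:\Users\*.MAN"    # `file.path : "?:\\Users\\*.MAN"` once unescaped


def eql_glob(pattern: str) -> "re.Pattern[str]":
    """Translate an EQL ':' pattern (? = one char, * = any run of chars)
    into a case-insensitive, fully anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


NAME_RE = eql_glob(FILE_NAME_PATTERN)
PATH_RE = eql_glob(FILE_PATH_PATTERN)


def matches_rule(event: dict) -> bool:
    """True when a single ECS event satisfies every condition of the query."""
    user_id = event.get("user.id")
    return (
        event.get("event.category") == "file"
        and event.get("host.os.type") == "windows"
        and event.get("event.type") in ("creation", "change")
        # In EQL a comparison against a missing field evaluates to null (not
        # true), so an event without user.id does not pass the != test.
        and user_id is not None and user_id != LOCAL_SYSTEM_SID
        and NAME_RE.match(event.get("file.name") or "") is not None
        and PATH_RE.match(event.get("file.path") or "") is not None
    )


def run_rule(events: Iterable[dict]) -> List[str]:
    """Return the event.id of every event the rule would alert on."""
    return [e["event.id"] for e in events if matches_rule(e)]


def triage_label(event: dict, approved_provisioners: frozenset) -> str:
    """Hypothetical first-pass triage following the false-positive guidance:
    a hit from a known profile-provisioning executable still gets reviewed
    (process, user and timing must line up), anything else is escalated as an
    unexpected writer of NTUSER.MAN."""
    exe = (event.get("process.executable") or "").lower()
    if exe in {p.lower() for p in approved_provisioners}:
        return "review-known-provisioning-tool"
    return "escalate-unexpected-writer"


def _evt(eid, etype, user_id, exe, path, os_type="windows") -> dict:
    """Build a minimal ECS-style file event (constructed sample data)."""
    basename = re.split(r"[\\/]", path)[-1]
    return {
        "event.id": eid, "event.category": "file", "event.type": etype,
        "host.os.type": os_type, "user.id": user_id,
        "process.name": re.split(r"[\\/]", exe)[-1], "process.executable": exe,
        "file.name": basename, "file.path": path,
    }


USER_SID = "S-1-5-21-1000-2000-3000-1105"                              # constructed
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROVISIONER = r"C:\Program Files\Contoso\ProfileTool\provision.exe"   # hypothetical

SAMPLE_EVENTS = [
    _evt("evt-1", "creation", USER_SID, PS, r"C:\Users\kiosk\NTUSER.MAN"),   # match
    _evt("evt-2", "creation", LOCAL_SYSTEM_SID,
         r"C:\Windows\System32\svchost.exe", r"C:\Users\kiosk\NTUSER.MAN"),  # LocalSystem excluded
    _evt("evt-3", "change", USER_SID, PS, r"C:\Users\alice\NTUSER.DAT"),    # ordinary hive, not .MAN
    _evt("evt-4", "deletion", USER_SID, PS, r"C:\Users\kiosk\NTUSER.MAN"),  # event.type out of scope
    _evt("evt-5", "change", USER_SID, PROVISIONER,
         r"D:\Users\svc_build\ntuser.man"),                                 # case + drive wildcard: match
    _evt("evt-6", "creation", USER_SID, "/usr/bin/cp", "/home/u/NTUSER.MAN",
         os_type="linux"),                                                  # wrong OS
    _evt("evt-7", "creation", None, PS, r"C:\Users\kiosk\NTUSER.MAN"),      # no user.id: null compare
]

if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    print("alerting events:", hits)
    for e in SAMPLE_EVENTS:
        if e["event.id"] in hits:
            print(e["event.id"], e["process.name"], "->",
                  triage_label(e, frozenset({PROVISIONER})))
```

Running it alerts on `evt-1` and `evt-5` only: the LocalSystem write, the `NTUSER.DAT` change, the deletion, the Linux event and the event with no `user.id` all fall outside the query. The lowercase `ntuser.man` on the `D:` drive still matches because `:` is case-insensitive and the leading `?` accepts any drive letter, which is worth remembering when tuning on `file.path`.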
References
- https://deceptiq.com/blog/ntuser-man-registry-persistence
Related rules
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- Web Shell Detection: Script Process Child of Common Web Processes
- Suspicious Communication App Child Process
- Suspicious Execution via Scheduled Task
- Initial Access via File Upload Followed by GET Request