{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mandatory-profile/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["persistence","windows","mandatory-profile","file-modification"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers may leverage Windows mandatory profiles to achieve persistence by crafting or modifying an \u003ccode\u003eNTUSER.MAN\u003c/code\u003e file containing malicious registry entries. Windows loads registry settings directly from this file when a user logs in, causing embedded persistence mechanisms, such as Run keys or logon scripts, to activate. This technique allows adversaries to establish persistence without directly modifying the live registry, potentially evading detection by traditional registry-based monitoring tools. This technique may be used for stealthy persistence on systems where mandatory profiles are in use.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains initial access to the system, possibly through exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a user profile directory on the system, typically found under \u003ccode\u003eC:\\\\Users\\\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies an \u003ccode\u003eNTUSER.MAN\u003c/code\u003e file within the user\u0026rsquo;s profile directory. This file contains registry settings that will be loaded when the user logs in.\u003c/li\u003e\n\u003cli\u003eThe adversary embeds malicious registry keys within the \u003ccode\u003eNTUSER.MAN\u003c/code\u003e file, such as entries in the \u003ccode\u003eRun\u003c/code\u003e or \u003ccode\u003eRunOnce\u003c/code\u003e keys, or configurations for logon scripts.\u003c/li\u003e\n\u003cli\u003eThe user logs off and then logs back onto the system.\u003c/li\u003e\n\u003cli\u003eUpon logon, Windows loads the registry settings from the \u003ccode\u003eNTUSER.MAN\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe malicious registry keys are executed, enabling the attacker to establish persistence or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe adversary maintains persistence on the system, enabling them to execute commands, install malware, or steal data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a persistent presence on the compromised system. This can lead to unauthorized access to sensitive data, further compromise of the network, and potential data exfiltration. The use of mandatory profiles for persistence can make detection more challenging as the malicious activity is triggered during user logon.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Persistence via Mandatory User Profile Creation\u0026rdquo; to detect the creation of NTUSER.MAN files by non-SYSTEM processes (see below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Persistence via Mandatory User Profile Modification\u0026rdquo; to detect modification of NTUSER.MAN files by non-SYSTEM processes (see below).\u003c/li\u003e\n\u003cli\u003eMonitor file creation and modification events related to \u003ccode\u003eNTUSER.MAN\u003c/code\u003e in user profile directories to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eReview endpoint detection coverage to ensure offline registry hive and profile-based persistence techniques are monitored.\u003c/li\u003e\n\u003cli\u003eInvestigate any file creation or modification of NTUSER.MAN files by reviewing process.name, process.executable, and parent process relationships.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-ntuser-man-persistence/","summary":"Adversaries may abuse Windows mandatory profiles by dropping a malicious NTUSER.MAN file containing pre-populated persistence-related registry keys to establish persistence, which can evade traditional registry-based monitoring.","title":"Potential Persistence via Mandatory User Profile Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-ntuser-man-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — Mandatory-Profile","version":"https://jsonfeed.org/version/1.1"}