https://jh.live/flare-011526 || Manage threat intelligence and your exposed attack surface with Flare! Try a free trial and see what info is out there: https://jh.live/flare-011526

Video demo of the NTUSER dot MAN trick I saw floating around before the new year -- I did not know this was a thing👀 Hat tip to DeceptIQ et al.... we showcase:

1. breaking a Windows login with an empty user profile,
2. getting initial access EZPZ with a Sliver C2 implant,
3. exporting, downloading, and hijacking an existing target user profile NTUSER.DAT or HKCU Registry hive,
4. converting hives from .reg plaintext to binary with the HiveSwarming.exe tool,
5. and establishing persistence with the new backdoored NTUSER dot MAN profile we upload!

No Registry writes, API calls or registry callbacks because it's just a single file placed on disk! Kinda neat.

This is my first recording after a month break for the holidays and it was _painful_ -- lots of fails and mistakes and it took many hours 😅 

I'm experimenting with MEMES in the THUMBNAIL and SHORT video TITLES to MITIGATE against CLICKBAIT

Also experimenting with longer social text promos for video releases to add more preview details and context. I no longer have to feed algorithms, but LLMs, too!

Feels good to get something out the door again.

---------

https://deceptiq.com/blog/ntuser-man-registry-persistence
https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_registry_uncommon.toml
https://learn.microsoft.com/en-us/windows/client-management/client-tools/mandatory-user-profile
https://github.com/stormshield/HiveSwarming
https://persistence-info.github.io/

Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter

ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense

John Hammond

Windows has a lesser-known feature where an ntuser.man file can completely override a user's registry (ntuser.dat) without triggering standard security callbacks. This mandatory profile mechanism, originally designed for kiosks, can be exploited for persistence by attackers who have initial access to a system. The technique involves exporting the user's registry hive to plain text, adding malicious persistence entries (like auto-run keys), converting it back to binary format using tools like HiveSwarming, and placing it in the user profile directory. When the user logs back in, Windows loads the malicious registry instead of the legitimate one, executing the attacker's payload while bypassing EDR detection mechanisms that monitor registry API calls. The video demonstrates the complete attack chain using Sliver C2 framework and discusses detection strategies, noting that this technique has been known since at least 2010 but remains relatively obscure.

NTUSER.MAN