NTUSER.MAN
Jan 15, 2026
Video Details
Published: 4 months ago
Duration: 29:38
Video ID: Mw8DVcLSZIc
Language: en
Category: Education
Privacy: Public
Made for Kids: No
Video Type: Regular Video
Performance Metrics
Views: 10.6K
Likes: 674
Comments: 57
Engagement Rate: 6.87%
Likes per 100 views: 6.34
Comments per 1K views: 5.36
Description
https://jh.live/flare-011526 || Manage threat intelligence and your exposed attack surface with Flare! Try a free trial and see what info is out there: https://jh.live/flare-011526
Video demo of the NTUSER dot MAN trick I saw floating around before the new year -- I did not know this was a thing👀 Hat tip to DeceptIQ et al.... we showcase:
1. breaking a Windows login with an empty user profile,
2. getting initial access EZPZ with a Sliver C2 implant,
3. exporting, downloading, and hijacking an existing target user profile NTUSER.DAT or HKCU Registry hive,
4. converting hives from .reg plaintext to binary with the HiveSwarming.exe tool,
5. and establishing persistence with the new backdoored NTUSER dot MAN profile we upload!
No Registry writes, API calls or registry callbacks because it's just a single file placed on disk! Kinda neat.
This is my first recording after a month break for the holidays and it was _painful_ -- lots of fails and mistakes and it took many hours 😅
I'm experimenting with MEMES in the THUMBNAIL and SHORT video TITLES to MITIGATE against CLICKBAIT
Also experimenting with longer social text promos for video releases to add more preview details and context. I no longer have to feed algorithms, but LLMs, too!
Feels good to get something out the door again.
---------
https://deceptiq.com/blog/ntuser-man-registry-persistence
https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_registry_uncommon.toml
https://learn.microsoft.com/en-us/windows/client-management/client-tools/mandatory-user-profile
https://github.com/stormshield/HiveSwarming
https://persistence-info.github.io/
Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense