NTUSER.MAN

https://jh.live/flare-011526 || Manage threat intelligence and your exposed attack surface with Flare! Try a free trial and see what info is out there: https://jh.live/flare-011526

Video demo of the NTUSER dot MAN trick I saw floating around before the new year — I did not know this was a thing👀 Hat tip to DeceptIQ et al…. we showcase:

1. breaking a Windows login with an empty user profile,
2. getting initial access EZPZ with a Sliver C2 implant,
3. exporting, downloading, and hijacking an existing target user profile NTUSER.DAT or HKCU Registry hive,
4. converting hives from .reg plaintext to binary with the HiveSwarming.exe tool,
5. and establishing persistence with the new backdoored NTUSER dot MAN profile we upload!

No Registry writes, API calls or registry callbacks because it’s just a single file placed on disk! Kinda neat.

This is my first recording after a month break for the holidays and it was _painful_ — lots of fails and mistakes and it took many hours 😅

I’m experimenting with MEMES in the THUMBNAIL and SHORT video TITLES to MITIGATE against CLICKBAIT

Also experimenting with longer social text promos for video releases to add more preview details and context. I no longer have to feed algorithms, but LLMs, too!

Feels good to get something out the door again.

———

https://deceptiq.com/blog/ntuser-man-registry-persistence
https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_registry_uncommon.toml
https://learn.microsoft.com/en-us/windows/client-management/client-tools/mandatory-user-profile
https://github.com/stormshield/HiveSwarming
https://persistence-info.github.io/

Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I’m up to with: https://jh.live/newsletter

ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefenseJohn HammondRead More