
Summary
This detection rule identifies the creation or modification of NTUSER.MAN, the hive file that backs a Windows mandatory user profile, by processes that are not expected to write it. When a mandatory profile is in use, Windows loads NTUSER.MAN as the user's HKCU hive at every logon and discards changes made during the session, so anything an attacker plants in the file (for example, autostart entries under the Run keys) is reapplied each time the user logs on. Because the write goes to the hive file on disk rather than through the registry API, registry-key auditing does not see it, which makes this form of persistence harder to catch with traditional monitoring.

The rule captures file events that create or alter an NTUSER.MAN file in a user profile directory and, to reduce noise, considers only writes made by non-system processes. Legitimate creation of the file normally happens once, when an administrator provisions the mandatory profile, so a write by an ordinary user-context process is atypical and indicates a stealthy persistence attempt that may bypass established defenses.

Investigation guidance: identify the process that wrote the file and how it was launched; verify that the file path is a real profile directory rather than a staging location; extract the NTUSER.MAN file and inspect it for persistence-related keys (Run, RunOnce, Winlogon and similar autostart locations); and correlate the event with any preceding suspicious activity on the host, such as the process that dropped the writer.

Recommended response actions: isolate the affected system, replace the potentially malicious NTUSER.MAN with a known-good copy, scan the endpoint, and review detection coverage for similar hive-file and autostart persistence techniques.
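The following is an added example, not part of the original rule page, showing the rule's matching logic run over a handful of constructed file events shaped like endpoint file-create records (path written, writing process image, account). The profile-path pattern, the notion of a "system process" (SYSTEM account and an image under System32), and the sample events are all assumptions made for the example; a real deployment would tune the allowlist to the environment. A small triage helper checks that a recovered file really is a registry hive by its `regf` header before it is handed to a hive parser.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# NTUSER.MAN directly under a profile root, e.g. C:\Users\alice\NTUSER.MAN.
# Case-insensitive because NTFS paths are. (Assumption: the rule's
# "user profile directory" means the profile root, not subfolders.)
NTUSER_MAN_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\ntuser\.man$", re.IGNORECASE)

# Assumed definition of a "system process": runs as SYSTEM *and* its image lives
# under System32. This is an example allowlist, not taken from the rule text.
SYSTEM_IMAGE_PREFIXES = ("c:\\windows\\system32\\",)
SYSTEM_ACCOUNTS = {"nt authority\\system"}


@dataclass(frozen=True)
class FileEvent:
    action: str   # "create" or "modify"
    target: str   # path of the file written
    image: str    # full path of the writing process
    user: str     # account the process runs as


@dataclass(frozen=True)
class Alert:
    target: str
    image: str
    user: str
    reason: str


def is_system_process(ev: FileEvent) -> bool:
    """True when both the account and the image location look like Windows itself."""
    return (ev.user.lower() in SYSTEM_ACCOUNTS
            and ev.image.lower().startswith(SYSTEM_IMAGE_PREFIXES))


def evaluate(events: Iterable[FileEvent]) -> List[Alert]:
    """Apply the rule: NTUSER.MAN created/modified in a profile root by a non-system process."""
    alerts = []
    for ev in events:
        if ev.action not in ("create", "modify"):
            continue
        if not NTUSER_MAN_RE.match(ev.target):
            continue
        if is_system_process(ev):
            continue
        alerts.append(Alert(ev.target, ev.image, ev.user,
                            f"NTUSER.MAN {ev.action} by non-system process"))
    return alerts


def is_registry_hive(data: bytes) -> bool:
    """Triage check: every registry hive file starts with the 4-byte signature 'regf'."""
    return len(data) >= 4 and data[:4] == b"regf"


# Constructed sample events (not real telemetry). Only the first and last should alert:
# the svchost write is a system process, NTUSER.DAT is not the mandatory hive, and the
# file under AppData is not in a profile root.
SAMPLE_EVENTS = [
    FileEvent("create", r"C:\Users\alice\NTUSER.MAN",
              r"C:\Users\alice\AppData\Local\Temp\stage.exe", r"CORP\alice"),
    FileEvent("modify", r"C:\Users\bob\NTUSER.MAN",
              r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    FileEvent("create", r"C:\Users\alice\NTUSER.DAT",
              r"C:\Windows\System32\userinit.exe", r"NT AUTHORITY\SYSTEM"),
    FileEvent("modify", r"C:\Users\carol\AppData\Roaming\NTUSER.MAN",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\carol"),
    FileEvent("create", r"C:\Users\dave\NTUSER.MAN",
              r"C:\Windows\System32\cmd.exe", r"CORP\dave"),
]

# Constructed hive header: the signature followed by zeroed header fields.
SAMPLE_HIVE_HEADER = b"regf" + b"\x00" * 508


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {a.reason}: {a.target} written by {a.image} as {a.user}")
    print("hive signature ok:", is_registry_hive(SAMPLE_HIVE_HEADER))
```

The cmd.exe event is the instructive one: the image is under System32 but the account is an interactive user, so it still alerts. That is the case an analyst must triage, since an administrator copying a prepared NTUSER.DAT into place as NTUSER.MAN produces the same telemetry as an attacker doing it.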
Categories
- Endpoint
- Windows
Data Sources
- File
- Application Log
- Process
ATT&CK Techniques
- T1547
- T1112
Created: 2026-01-07