Swarmer, a tool publicly released by Praetorian Inc., allows low-privilege attackers to circumvent Endpoint Detection and Response (EDR) monitoring and achieve stealthy Windows registry persistence. Operational since February 2025, Swarmer modifies the NTUSER hive without triggering standard registry hooks by taking advantage of mandatory user profiles and the obscure Offline Registry API.

Conventional registry persistence through HKCU\Software\Microsoft\Windows\CurrentVersion\Run keys is simple to identify: EDR tools hook APIs such as RegSetValue, log the calls, and flag the modifications. Swarmer gets around this by using mandatory user profiles, a legacy Windows feature for enterprise profile enforcement.

At logon, an NTUSER.MAN in %USERPROFILE% takes precedence over the default NTUSER.DAT hive. Low-privilege users can create NTUSER.MAN simply by copying and renaming NTUSER.DAT. Editing the loaded hive, however, requires the standard registry APIs, which notifies EDR.
Swarmer resolves this with Offreg.dll, Microsoft's Offline Registry Library, which is intended for manipulating hives offline during setup or forensics. Swarmer disregards Microsoft's warning against using Offreg to circumvent registry security. According to Praetorian, functions such as ORCreateHive, OROpenHive, ORCreateKey, ORSetValue, and ORSaveHive allow a complete hive to be constructed without any Reg* API calls, avoiding Process Monitor, ETW, and the majority of EDR behavioral analytics.

Swarmer Implementation and Workflow

The workflow is straightforward:

1. Export HKCU, either with reg export or, to avoid disk artifacts, with TrustedSec's reg_query Beacon Object File (BOF).
2. Edit the export, for example by adding Run key entries.
3. Run Swarmer, either on the pre-edited export (swarmer.exe exported.reg NTUSER.MAN) or with the startup flags (swarmer.exe --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" exported.reg NTUSER.MAN).
4. Drop the resulting NTUSER.MAN into %USERPROFILE%.

For C2 implants, swarmer.exe --bof --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" bof_output.txt NTUSER.MAN parses the BOF output directly. Swarmer is written in C# for ease of P/Invoke and offline use, and runs either as an EXE or as a PowerShell module:

Import-Module "swarmer.dll"
Convert-RegToHive -InputPath 'exported.reg' -OutputPath 'NTUSER.MAN'

One workaround the tool needs: ORCreateHive produces an invalid hive on its own, so the base hive is created with RegLoadAppKeyW (which does not require admin) and then populated through Offreg.

Feature / Details:
Platforms: Windows 10 or 11
Privileges: Low (user level)
Evasion: No Reg* APIs; optionally no disk artifacts via BOF
Payload types: Run keys and custom registry modifications

Restrictions and Detection Opportunities

Swarmer has caveats:

Caveat / Impact:
One-shot: cannot be updated without admin; the profile becomes mandatory, so user changes are reset at each logon.
Login-required: activates only at logout/login; survives reboots.
Scope: limited to HKCU, not HKLM.
Edge cases: test first, since a malformed hive can corrupt login.

Detection opportunities include Offreg.dll loading in non-standard processes, profile anomalies, and NTUSER.MAN being created outside of enterprise profile-management tooling. Payload execution at login remains visible, so the article advises obfuscating it. Defenders should watch for NTUSER.MAN in user profile directories, baseline Offreg usage, and verify profile integrity at login. Swarmer draws attention to legacy Windows features that predate modern EDR. The disclosure gives blue teams what they need to counter an obscure persistence technique hiding in one of Windows' dusty corners.
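The checks the article recommends, as an added triage script (not Praetorian's code and not part of Swarmer): it lists NTUSER.MAN files in profile folders with ownership and timestamps, mounts each one to read the Run and RunOnce entries it would apply at logon, and reports processes that currently have offreg.dll loaded outside an assumed baseline. The profile root (C:\Users), the baseline process list and the temporary mount name HKU\SwarmerTriage are assumptions to adjust for your estate.

```powershell
# Added detection example for the artifacts named above; it is not Praetorian's code and
# is not part of Swarmer. Assumes local profiles under C:\Users (adjust for redirected
# profiles). Run elevated to read other users' profile folders, enumerate modules in
# their processes, and mount hives with reg.exe.

# Processes expected to load offreg.dll in this environment (assumption; tune to the
# imaging, setup and forensic tooling actually deployed). Names without ".exe".
$ExpectedOffregHosts = @('setup', 'msiexec')

function Find-MandatoryProfileHives {
    param([string]$ProfileRoot = 'C:\Users')
    # NTUSER.MAN overrides NTUSER.DAT at logon. Outside a managed mandatory-profile
    # rollout it should not appear in a per-user profile folder.
    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $man = Join-Path $_.FullName 'NTUSER.MAN'
        $dat = Join-Path $_.FullName 'NTUSER.DAT'
        if (Test-Path -LiteralPath $man) {
            $manItem = Get-Item -LiteralPath $man -Force
            $datItem = Get-Item -LiteralPath $dat -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Profile      = $_.Name
                ManPath      = $man
                ManCreated   = $manItem.CreationTimeUtc
                ManModified  = $manItem.LastWriteTimeUtc
                Owner        = (Get-Acl -LiteralPath $man).Owner
                # An NTUSER.MAN created after the profile's own NTUSER.DAT was added to an
                # existing profile, which is what a copy-and-rename by the user looks like.
                NewerThanDat = [bool]($datItem -and $manItem.CreationTimeUtc -gt $datItem.CreationTimeUtc)
            }
        }
    }
}

function Get-HiveRunEntries {
    param([Parameter(Mandatory)][string]$HivePath)
    # Mount the hive under HKU for triage (needs admin; fails if the hive is currently
    # loaded for a logged-on user), read the Run/RunOnce keys, then unload it.
    $mount = 'HKU\SwarmerTriage'
    $providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $out = & reg.exe load $mount $HivePath 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $($HivePath): $out"; return }
    try {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "Registry::HKEY_USERS\SwarmerTriage\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($providerMeta -contains $p.Name) { continue }   # skip provider metadata, keep real values
                [pscustomobject]@{ Hive = $HivePath; Key = $sub; Name = $p.Name; Command = $p.Value }
            }
        }
    } finally {
        [gc]::Collect()                  # drop cached registry handles so the unload succeeds
        & reg.exe unload $mount | Out-Null
    }
}

function Find-OffregLoaders {
    # Offreg.dll is an offline-hive library; interactive user processes rarely need it.
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        try { $mods = $proc.Modules } catch { continue }    # protected or other-bitness processes
        $hit = $mods | Where-Object { $_.ModuleName -ieq 'offreg.dll' }
        if ($hit -and ($ExpectedOffregHosts -notcontains $proc.ProcessName)) {
            [pscustomobject]@{
                ProcessId   = $proc.Id
                ProcessName = $proc.ProcessName
                ImagePath   = $proc.Path
                OffregPath  = $hit.FileName
            }
        }
    }
}

# Triage run: list suspicious hives, show what each would launch at logon, and
# report processes that currently have offreg.dll loaded.
$hives = @(Find-MandatoryProfileHives)
$hives | Format-Table -AutoSize
foreach ($h in $hives) { Get-HiveRunEntries -HivePath $h.ManPath | Format-Table -AutoSize }
Find-OffregLoaders | Format-Table -AutoSize
```

This is a point-in-time sweep, so it catches a hive that is already in place and a loader that is still running. For continuous coverage, the same two signals map onto Sysmon's image-load event (Event ID 7, filtered on offreg.dll loading into anything outside your baseline) and file-create event (Event ID 11, filtered on a TargetFilename ending in \NTUSER.MAN), which a SIEM can alert on the moment the artifact appears rather than at the next sweep.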