Praetorian Inc. has publicly released Swarmer, a tool that lets low-privilege attackers achieve stealthy Windows registry persistence while sidestepping Endpoint Detection and Response (EDR) monitoring.
Deployed operationally since February 2025, Swarmer abuses mandatory user profiles and the obscure Offline Registry API to modify the NTUSER hive without triggering the standard registry hooks.
Traditional registry persistence via HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys is easily detected: EDR tools hook APIs such as RegSetValue, logging and flagging the modifications.
Swarmer bypasses this by leveraging mandatory user profiles, a legacy Windows feature built for enterprise profile enforcement.
With a mandatory profile, NTUSER.MAN overrides the standard NTUSER.DAT hive in %USERPROFILE% at login. A low-privilege user can create NTUSER.MAN simply by copying and renaming NTUSER.DAT.
However, editing the loaded hive still requires the standard registry APIs, which alerts EDR. Swarmer solves this with Offreg.dll, Microsoft's Offline Registry Library, designed for offline hive manipulation during setup or forensics.
Microsoft warns against using Offreg to bypass registry security, but Swarmer ignores this.
Functions such as ORCreateHive, OROpenHive, ORCreateKey, ORSetValue, and ORSaveHive allow a complete hive to be constructed without any Reg* API calls, evading Process Monitor, ETW, and most EDR behavioral analytics, Praetorian said.
Swarmer Workflow and Implementation
Swarmer's workflow is efficient:
1. Export HKCU via reg export, or via TrustedSec's reg_query Beacon Object File (BOF) to avoid disk artifacts.
2. Modify the export (e.g., add Run key entries).
3. Run Swarmer: swarmer.exe exported.reg NTUSER.MAN, or with startup flags: swarmer.exe --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" exported.reg NTUSER.MAN.
4. Drop NTUSER.MAN into %USERPROFILE%.
For C2 implants, the BOF output can be parsed directly: swarmer.exe --bof --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" bof_output.txt NTUSER.MAN.
Built in C# for easy P/Invoke and offline use, Swarmer works as an EXE or as a PowerShell module:
```powershell
Import-Module '.\swarmer.dll'
Convert-RegToHive -InputPath '.\exported.reg' -OutputPath '.\NTUSER.MAN'
```
A workaround addresses ORCreateHive producing an invalid hive: RegLoadAppKeyW (usable without admin rights) creates a base hive, which Offreg then populates.
| Feature | Details |
|---|---|
| Platforms | Windows 10/11 |
| Privileges | Low (user-level) |
| Evasion | No Reg* APIs; optional no-disk BOF |
| Payload types | Run keys, custom registry modifications |
Limitations and Detection Alternatives
Swarmer has caveats:
| Caveat | Impact |
|---|---|
| One-shot | Cannot be updated without admin rights; the profile becomes mandatory, resetting user changes. |
| Login required | Activates only on logout/login; survives reboots. |
| HKCU only | No HKLM access. |
| Edge cases | Possible login corruption; test first. |
Detection opportunities include NTUSER.MAN creation outside enterprise profile-management tools, Offreg.dll loads in non-standard processes, and profile anomalies. Payload execution at login remains visible unless obfuscated.
Defenders should monitor user profile directories for NTUSER.MAN, baseline Offreg usage, and verify profile integrity at login. Swarmer highlights legacy Windows cruft that predates modern EDR.
This disclosure arms blue teams against an obscure persistence technique and urges scrutiny of Windows' dusty corners.
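The two checks recommended above, as an added detection example that is not part of the article or Praetorian's tooling: it walks the ProfileList registry key to find every local profile directory, flags any NTUSER.MAN present there, and lists running processes that have offreg.dll loaded. The empty `$expectedOffregHosts` allowlist is an assumption for illustration; populate it from a baseline of your own fleet.

```powershell
# Added detection example (not from Praetorian or the article): flag NTUSER.MAN in
# local user profiles and report processes with offreg.dll loaded. Run elevated so
# every profile directory and process module list is readable.

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# ProfileImagePath is REG_EXPAND_SZ; Get-ItemProperty expands it for us.
$profiles = Get-ChildItem -Path $profileListKey |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.ProfileImagePath -and (Test-Path -LiteralPath $_.ProfileImagePath) }

$manFindings = foreach ($p in $profiles) {
    $man = Join-Path -Path $p.ProfileImagePath -ChildPath 'NTUSER.MAN'
    if (Test-Path -LiteralPath $man) {
        # -Force so a hidden copy (NTUSER.DAT is hidden by default) is still returned
        $item = Get-Item -LiteralPath $man -Force
        [pscustomobject]@{
            Sid         = $p.PSChildName
            Profile     = $p.ProfileImagePath
            CreatedUtc  = $item.CreationTimeUtc
            WrittenUtc  = $item.LastWriteTimeUtc
            SizeBytes   = $item.Length
        }
    }
}

if ($manFindings) {
    Write-Warning "NTUSER.MAN present in $(@($manFindings).Count) profile(s); unexpected unless provisioned by profile-management tooling."
    $manFindings | Format-Table -AutoSize
} else {
    Write-Output 'No NTUSER.MAN files found in local user profiles.'
}

# Assumption: no process on a typical workstation should have offreg.dll loaded.
# Add baselined imaging/backup/forensics agents here to suppress known-good hits.
$expectedOffregHosts = @()

$offregLoaders = foreach ($proc in Get-Process) {
    try {
        $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'offreg.dll' }
    } catch {
        $hit = $null   # protected processes and bitness mismatches throw; skip them
    }
    if ($hit -and ($expectedOffregHosts -notcontains $proc.ProcessName)) {
        [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Module = ($hit | Select-Object -First 1).FileName }
    }
}

if ($offregLoaders) {
    Write-Warning 'offreg.dll loaded by processes outside the allowlist:'
    $offregLoaders | Format-Table -AutoSize
} else {
    Write-Output 'No unexpected offreg.dll loaders running.'
}
```

The process scan only catches a loader that is still running; for historical coverage, alert on image-load telemetry for offreg.dll (Sysmon event ID 7 or an equivalent EDR sensor) and on file-creation events for NTUSER.MAN under the profile root, which is the point at which the persistence is planted rather than the later login at which it fires.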
