Praetorian Inc. has released Swarmer, a tool that lets a low-privilege attacker establish stealthy persistence in the Windows registry while evading Endpoint Detection and Response (EDR) systems.
Available since February 2025, Swarmer combines mandatory user profiles with the lesser-known Offline Registry API to build a replacement NTUSER hive without ever touching the live registry. The traditional route to registry persistence, writing to a key such as `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, is easy for EDR tools to catch: they observe the registry API calls (RegSetValue and friends) and log every modification.
Swarmer sidesteps those defenses by abusing mandatory user profiles, a legacy Windows feature for enterprise profile management. When a profile directory contains an NTUSER.MAN file, Windows loads it in place of the usual NTUSER.DAT hive in %USERPROFILE% at the next logon. A low-privilege user can create NTUSER.MAN simply by copying and renaming NTUSER.DAT, but customizing the copy would normally require the standard registry APIs, which is exactly what EDR watches. Swarmer avoids that by using Offreg.dll, Microsoft's Offline Registry Library, which was intended for manipulating hive files that are not loaded, for example during system setup or forensic analysis.
Microsoft's documentation states that Offreg is not meant to bypass registry security, but nothing enforces that. Swarmer calls functions such as ORCreateHive, OROpenHive, ORCreateKey, ORSetValue, and ORSaveHive to build a complete hive without issuing a single Reg* API call, so the edits never pass through Process Monitor, the Event Tracing for Windows (ETW) registry provider, or most EDR behavioral analytics, according to Praetorian.
Swarmer Workflow and Implementation
Swarmer's workflow has four steps:
- Export HKCU, either with `reg export` or with TrustedSec's reg_query Beacon Object File (BOF), which avoids writing an artifact to disk.
- Modify the exported file, for example by adding Run key entries.
- Run Swarmer to convert the export into a hive: `swarmer.exe exported.reg NTUSER.MAN`, or let it add the Run entry for you with startup flags: `swarmer.exe --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" exported.reg NTUSER.MAN`.
- Place the resulting NTUSER.MAN in %USERPROFILE%; it takes effect at the next logon.
For command-and-control (C2) implants, Swarmer can parse the BOF output directly instead of a .reg file: `swarmer.exe --bof --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" bof_output.txt NTUSER.MAN`.
Swarmer is written in C#, which keeps the P/Invoke wrappers around Offreg simple and lets the hive be built fully offline. It runs either as a standalone executable or as a PowerShell module:
```powershell
Import-Module '.\swarmer.dll'
Convert-RegToHive -InputPath '.\exported.reg' -OutputPath '.\NTUSER.MAN'
```
One implementation detail is worth noting: a hive created from scratch with ORCreateHive and written out with ORSaveHive did not load correctly as a profile hive. Swarmer works around this by first creating a valid base hive file with RegLoadAppKeyW, which does not require administrative privileges, and then opening that file with Offreg and populating it.
| Feature | Details |
|---|---|
| Platforms | Windows 10/11 |
| Privileges | Low (user-level) |
| Evasion | No Reg* APIs; optional no-disk BOF |
| Payload Types | Run keys, custom registry mods |
Limitations and Detection Opportunities
While Swarmer presents a novel approach, it comes with certain limitations:
| Caveat | Impact |
|---|---|
| One-shot | Cannot be updated without admin access; profile becomes mandatory, resetting user modifications. |
| Login-required | Activates only upon logout/login; persists through reboots. |
| HKCU-only | No access to HKLM. |
| Edge cases | Potential for login corruption; testing is advisable. |
Detection strategies may include monitoring for NTUSER.MAN creation outside of enterprise tools, identifying Offreg.dll loads in non-standard processes, or observing profile anomalies. The execution of payloads at login remains visible, necessitating obfuscation.
Defenders are encouraged to scrutinize user profile directories for the presence of NTUSER.MAN, establish a baseline for Offreg usage, and ensure profile integrity during login. Swarmer serves as a reminder of the legacy complexities within Windows that predate contemporary EDR solutions.
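The following PowerShell hunt is an added example and is not code from Praetorian or from Swarmer. It implements the two checks above: it walks the profile directories listed under ProfileList, reports every NTUSER.MAN it finds with owner and creation time, and then lists the Run and RunOnce entries inside each hive. To read the hive it uses the same Offline Registry API the article describes (OROpenHive, OROpenKey, OREnumValue), which inspects the file without loading it into the live registry. Assumptions: offreg.dll resolves from System32 or the Windows SDK; the script runs elevated so other users' profiles are readable; and a hive belonging to a currently logged-on user is locked, so OROpenHive returns Win32 error 32 (sharing violation) for it and the file must instead be copied from a Volume Shadow Copy.

```powershell
# Added example, not Swarmer's code. Assumes offreg.dll is resolvable and the shell is elevated.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class OffReg {
    [DllImport("offreg.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern uint OROpenHive(string lpHivePath, out IntPtr phkResult);
    [DllImport("offreg.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern uint OROpenKey(IntPtr Handle, string lpSubKeyName, out IntPtr phkResult);
    [DllImport("offreg.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern uint OREnumValue(IntPtr Handle, uint dwIndex, StringBuilder lpValueName,
        ref uint lpcValueName, out uint lpType, byte[] lpData, ref uint lpcbData);
    [DllImport("offreg.dll", ExactSpelling = true)]
    public static extern uint ORCloseKey(IntPtr Handle);
    [DllImport("offreg.dll", ExactSpelling = true)]
    public static extern uint ORCloseHive(IntPtr Handle);
}
"@

# Autostart locations Swarmer's --startup-key option targets, plus RunOnce for completeness.
$RunKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')

function Get-OfflineRunEntries {
    param([Parameter(Mandatory)][string]$HivePath)
    $hive = [IntPtr]::Zero
    $rc = [OffReg]::OROpenHive($HivePath, [ref]$hive)
    if ($rc -ne 0) {
        # 32 = ERROR_SHARING_VIOLATION: the hive is loaded for a logged-on user; read a VSS copy instead.
        Write-Warning "OROpenHive('$HivePath') failed with Win32 error $rc"
        return
    }
    try {
        foreach ($sub in $RunKeys) {
            $key = [IntPtr]::Zero
            if ([OffReg]::OROpenKey($hive, $sub, [ref]$key) -ne 0) { continue }   # key absent in this hive
            try {
                $i = 0
                while ($true) {
                    $name = New-Object System.Text.StringBuilder 16384   # max registry value-name length + NUL
                    [uint32]$cchName = $name.Capacity
                    [uint32]$type = 0
                    $data = New-Object byte[] 65536
                    [uint32]$cbData = $data.Length
                    $rc = [OffReg]::OREnumValue($key, [uint32]$i, $name, [ref]$cchName, [ref]$type, $data, [ref]$cbData)
                    if ($rc -eq 259) { break }                              # ERROR_NO_MORE_ITEMS
                    if ($rc -ne 0)   { Write-Warning "OREnumValue failed: $rc"; break }
                    # REG_SZ (1) and REG_EXPAND_SZ (2) are UTF-16; anything else is shown as hex.
                    $value = if ($type -in 1, 2) { [Text.Encoding]::Unicode.GetString($data, 0, [int]$cbData).TrimEnd([char]0) }
                             elseif ($cbData -gt 0) { [BitConverter]::ToString($data, 0, [int]$cbData) }
                             else { '' }
                    [pscustomobject]@{ Hive = $HivePath; Key = $sub; Name = $name.ToString(); Type = $type; Data = $value }
                    $i++
                }
            } finally { [void][OffReg]::ORCloseKey($key) }
        }
    } finally { [void][OffReg]::ORCloseHive($hive) }
}

# ProfileList is the authoritative profiles root (normally %SystemDrive%\Users). Any NTUSER.MAN
# found there is a finding unless mandatory profiles are an approved control on this host.
$profilesRoot = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList').ProfilesDirectory
$profilesRoot = [Environment]::ExpandEnvironmentVariables($profilesRoot)
Get-ChildItem -Path $profilesRoot -Directory -Force | ForEach-Object {
    $man = Join-Path $_.FullName 'NTUSER.MAN'
    if (Test-Path -LiteralPath $man) {
        $f = Get-Item -LiteralPath $man -Force
        Write-Host ('[!] NTUSER.MAN in {0}: owner={1} created={2:u} size={3}' -f `
            $_.FullName, (Get-Acl -LiteralPath $man).Owner, $f.CreationTimeUtc, $f.Length)
        Get-OfflineRunEntries -HivePath $man | Format-Table -AutoSize
    }
}
```

Because the hive is parsed with Offreg rather than loaded with reg load, the check itself produces no registry events and needs no SeBackupPrivilege; it does, however, load offreg.dll into powershell.exe, so if you alert on Offreg loads in non-standard processes, baseline this script before deploying it.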