Praetorian Inc. has publicly released Swarmer, a tool enabling low-privilege attackers to achieve stealthy Windows registry persistence by sidestepping Endpoint Detection and Response (EDR) monitoring.
Deployed operationally since February 2025, Swarmer exploits mandatory user profiles and the obscure Offline Registry API to modify the NTUSER hive without triggering standard registry hooks.
Traditional registry persistence via HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys is easily detected: EDR tools hook APIs like RegSetValue, logging and flagging the modifications.
Swarmer bypasses this by leveraging mandatory user profiles, a legacy Windows feature for enterprise profile enforcement.
In mandatory profiles, NTUSER.MAN overrides the standard NTUSER.DAT hive in %USERPROFILE% at login. Low-privilege users can create NTUSER.MAN by copying and renaming NTUSER.DAT.
However, editing the loaded hive requires standard APIs, alerting EDR. Swarmer solves this using Offreg.dll, Microsoft’s Offline Registry Library, designed for offline hive manipulation during setup or forensics.
Microsoft warns against bypassing registry security with Offreg, but Swarmer ignores this.
Functions like ORCreateHive, OROpenHive, ORCreateKey, ORSetValue, and ORSaveHive allow full hive construction without Reg* API calls, evading Process Monitor, ETW, and most EDR behavioral analytics, Praetorian said.
Swarmer Workflow and Implementation
Swarmer’s workflow is efficient:
- Export HKCU via `reg export` or TrustedSec's reg_query Beacon Object File (BOF) to avoid disk artifacts.
- Modify the export (e.g., add Run key entries).
- Run Swarmer: `swarmer.exe exported.reg NTUSER.MAN`, or with startup flags: `swarmer.exe --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" exported.reg NTUSER.MAN`.
- Drop NTUSER.MAN into %USERPROFILE%.

For C2 implants, BOF output can be parsed directly: `swarmer.exe --bof --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" bof_output.txt NTUSER.MAN`.
Built in C# for P/Invoke ease and offline use, Swarmer works as an EXE or PowerShell module:
```powershell
Import-Module '.\swarmer.dll'
Convert-RegToHive -InputPath '.\exported.reg' -OutputPath '.\NTUSER.MAN'
```
A workaround fixes ORCreateHive’s invalid hive output: RegLoadAppKeyW creates a base hive (non-admin), then Offreg populates it.
| Feature | Details |
|---|---|
| Platforms | Windows 10/11 |
| Privileges | Low (user-level) |
| Evasion | No Reg* APIs; optional no-disk BOF |
| Payload Types | Run keys, custom registry mods |
Limitations and Detection Opportunities
Swarmer has caveats:
| Caveat | Impact |
|---|---|
| One-shot | Can’t update without admin; profile becomes mandatory, resetting user changes. |
| Login-required | Activates only on logout/login; survives reboots. |
| HKCU-only | No HKLM access. |
| Edge cases | Possible login corruption; test first. |
Detection opportunities include NTUSER.MAN creation outside enterprise tools, Offreg.dll loads in non-standard processes, and profile anomalies. Payload execution at login remains visible regardless; the tool does nothing to hide it.
Defenders should monitor user profile directories for NTUSER.MAN, baseline Offreg usage, and profile integrity at login. Swarmer highlights Windows’ legacy cruft predating modern EDR.
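The two host-level signals named above (NTUSER.MAN appearing in a user profile, and offreg.dll loaded by a process that has no business with offline hives) can be turned into a simple detection pass over endpoint telemetry. The following is an added example, not Praetorian's or Swarmer's code; it assumes Sysmon-style events (ID 11 FileCreate, ID 7 ImageLoad) already parsed into dictionaries, and the allowlist of legitimate offreg.dll loaders is a placeholder to be tuned per environment.

```python
"""Flag Swarmer-style artifacts in Sysmon-like endpoint events (added example)."""
import ntpath

# Assumed allowlist: processes expected to load offreg.dll in this environment.
# Placeholder values; baseline real Offreg usage before deploying.
EXPECTED_OFFREG_LOADERS = {"setup.exe", "dism.exe"}

# Assumed allowlist: enterprise profile tooling allowed to create NTUSER.MAN.
EXPECTED_MAN_CREATORS = {"profilemgmt.exe"}  # placeholder name


def _base(path):
    """Lower-cased file name from a Windows path (handles '/' and '\\')."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def classify(event):
    """Return (rule, image) for a suspicious event, or None if benign."""
    eid = event.get("EventID")
    image = _base(event.get("Image", ""))
    if eid == 11:  # FileCreate
        target = event.get("TargetFilename", "")
        if _base(target) == "ntuser.man" and image not in EXPECTED_MAN_CREATORS:
            return ("NTUSER.MAN created outside enterprise tooling", target, image)
    elif eid == 7:  # ImageLoad
        loaded = _base(event.get("ImageLoaded", ""))
        if loaded == "offreg.dll" and image not in EXPECTED_OFFREG_LOADERS:
            return ("offreg.dll loaded by non-standard process", loaded, image)
    return None


def scan(events):
    """Run classify() over a list of events and collect the hits in order."""
    return [hit for hit in (classify(e) for e in events) if hit]


# Constructed sample telemetry for a user 'alice'; not real captured data.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\userinit.exe",
     "TargetFilename": r"C:\Users\alice\NTUSER.DAT"},            # normal hive
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\updater.exe",
     "TargetFilename": r"C:\Users\alice\NTUSER.MAN"},            # mandatory hive dropped
    {"EventID": 7, "Image": r"C:\Windows\System32\dism.exe",
     "ImageLoaded": r"C:\Windows\System32\offreg.dll"},          # allowlisted loader
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\offreg.dll"},          # unexpected loader
]

if __name__ == "__main__":
    for rule, artifact, image in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {artifact} (process {image})")
```

Feeding the same logic a FileCreate of NTUSER.DAT or an allowlisted offreg.dll load yields nothing, so on the constructed sample only the two Swarmer-like events are reported.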
This disclosure arms blue teams against obscure persistence, urging scrutiny of Windows’ dusty corners.