Swarmer Tool Evading EDR With a Stealthy Modification on Windows Registry for Persistence
Praetorian Inc. has publicly released Swarmer, a tool enabling low-privilege attackers to achieve stealthy Windows registry persistence by sidestepping Endpoint Detection and Response (EDR) monitoring.
Deployed operationally since February 2025, Swarmer exploits mandatory user profiles and the obscure Offline Registry API to modify the NTUSER hive without triggering standard registry hooks.
Traditional registry persistence via HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys is easily detected: EDR tools hook APIs such as RegSetValue, logging and flagging the modifications.
Swarmer bypasses this by leveraging mandatory user profiles, a legacy Windows feature for enterprise profile enforcement.
In mandatory profiles, NTUSER.MAN overrides the standard NTUSER.DAT hive in %USERPROFILE% at login. Low-privilege users can create NTUSER.MAN by copying and renaming NTUSER.DAT.
However, editing the loaded hive requires standard APIs, alerting EDR. Swarmer solves this using Offreg.dll, Microsoft’s Offline Registry Library, designed for offline hive manipulation during setup or forensics.
Microsoft warns against bypassing registry security with Offreg, but Swarmer ignores this.
Functions like ORCreateHive, OROpenHive, ORCreateKey, ORSetValue, and ORSaveHive allow full hive construction without Reg* API calls, evading Process Monitor, ETW, and most EDR behavioral analytics, Praetorian said.
Swarmer Workflow and Implementation
Swarmer’s workflow is efficient:
Export HKCU via reg export or TrustedSec’s reg_query Beacon Object File (BOF) to avoid disk artifacts.
Modify the export (e.g., add Run key entries).
Run Swarmer: swarmer.exe exported.reg NTUSER.MAN, or with startup flags: swarmer.exe --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" exported.reg NTUSER.MAN.
Drop NTUSER.MAN into %USERPROFILE%.
For C2 implants, parse BOF output directly: swarmer.exe --bof --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" bof_output.txt NTUSER.MAN.
Built in C# for P/Invoke ease and offline use, Swarmer works as an EXE or PowerShell module:
Import-Module '.\swarmer.dll'
Convert-RegToHive -InputPath '.\exported.reg' -OutputPath '.\NTUSER.MAN'
A workaround fixes ORCreateHive’s invalid hive output: RegLoadAppKeyW creates a base hive (non-admin), then Offreg populates it.
Feature | Details
Platforms | Windows 10/11
Privileges | Low (user-level)
Evasion | No Reg* APIs; optional no-disk BOF
Payload Types | Run keys, custom registry mods
Limitations and Detection Opportunities
Swarmer has caveats:
Caveat | Impact
One-shot | Can't update without admin; profile becomes mandatory, resetting user changes.
Login-required | Activates only on logout/login; survives reboots.
HKCU-only | No HKLM access.
Edge cases | Possible login corruption; test first.
Detection opportunities include NTUSER.MAN creation outside enterprise tools, Offreg.dll loads in non-standard processes, and profile anomalies. Payload execution at login remains visible unless obfuscated.
Defenders should monitor user profile directories for NTUSER.MAN, baseline Offreg usage, and profile integrity at login. Swarmer highlights Windows’ legacy cruft predating modern EDR.
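The two host-level indicators above (NTUSER.MAN appearing in a profile root, and Offreg.dll loaded by a process that is not an approved profile-management tool) can be turned into simple detection logic. The following is an added example for this article, not Praetorian's code and not part of Swarmer: it runs the two checks over a handful of constructed Sysmon-style events (the field names EventType, Image, TargetFilename, ImageLoaded and User are an assumption modelled on Sysmon's FileCreate and ImageLoad events), plus a filesystem sweep of a user-profile root. The allowlisted "profiletool.exe" is a hypothetical name standing in for whatever tooling a given estate legitimately uses to build mandatory profiles.

```python
"""Detection example for Swarmer-style mandatory-profile persistence.

Added illustration, not Praetorian's tooling. Event field names are an
assumption modelled on Sysmon FileCreate (ID 11) and ImageLoad (ID 7).
"""
import re
from pathlib import Path, PureWindowsPath

# Live mandatory profile location: <drive>:\Users\<name>\NTUSER.MAN.
# A copy elsewhere (backup share, temp dir) is worth noting but is not
# yet an active profile override, so it is reported at lower severity.
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\ntuser\.man$", re.IGNORECASE)


def _basename(win_path: str) -> str:
    """Lower-cased final path component of a Windows path ('' if empty)."""
    return PureWindowsPath(win_path).name.lower()


def check_ntuser_man(event, allowlist):
    """Flag FileCreate of NTUSER.MAN by a process outside the allowlist."""
    if event.get("EventType") != "FileCreate":
        return None
    target = event.get("TargetFilename", "")
    if _basename(target) != "ntuser.man":
        return None
    writer = _basename(event.get("Image", ""))
    if writer in allowlist:
        return None
    in_profile_root = bool(PROFILE_ROOT_RE.match(target))
    return {
        "rule": "ntuser_man_created",
        "severity": "high" if in_profile_root else "medium",
        "process": writer,
        "path": target,
        "user": event.get("User", ""),
    }


def check_offreg_load(event, allowlist):
    """Flag ImageLoad of offreg.dll by a process outside the allowlist."""
    if event.get("EventType") != "ImageLoad":
        return None
    if _basename(event.get("ImageLoaded", "")) != "offreg.dll":
        return None
    loader = _basename(event.get("Image", ""))
    if loader in allowlist:
        return None
    return {
        "rule": "offreg_dll_loaded",
        "severity": "medium",
        "process": loader,
        "path": event.get("Image", ""),
        "user": event.get("User", ""),
    }


def scan(events, allowlist=frozenset()):
    """Run both checks over every event. allowlist holds lower-cased image
    basenames of tools the estate legitimately uses for profile management."""
    findings = []
    for ev in events:
        for check in (check_ntuser_man, check_offreg_load):
            hit = check(ev, allowlist)
            if hit:
                findings.append(hit)
    return findings


def find_mandatory_profiles(users_root):
    """Filesystem sweep: profile directories that already hold NTUSER.MAN.
    users_root is normally C:\\Users on the host being audited."""
    return sorted(str(p.parent) for p in Path(users_root).glob("*/NTUSER.MAN"))


# Constructed sample telemetry for this example (not real captures).
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": r"C:\Users\alice\AppData\Local\Temp\swarmer.exe",
     "TargetFilename": r"C:\Users\alice\NTUSER.MAN", "User": r"CORP\alice"},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\offreg.dll", "User": r"CORP\alice"},
    # Hypothetical approved profile tool: expected to be allowlisted.
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\profiletool.exe",
     "ImageLoaded": r"C:\Windows\System32\offreg.dll", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt", "User": r"CORP\bob"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\robocopy.exe",
     "TargetFilename": r"D:\backups\alice\NTUSER.MAN", "User": r"CORP\backup"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, allowlist=frozenset({"profiletool.exe"})):
        print(finding)
```

Against the constructed events the scan reports three findings: a high-severity NTUSER.MAN write into alice's profile root, a medium-severity offreg.dll load by powershell.exe, and a medium-severity NTUSER.MAN copy outside any profile root; the allowlisted tool and the ordinary document write are ignored. Tune the allowlist per estate rather than leaving it empty, since Windows Setup and some imaging tools load offreg.dll legitimately, and schedule find_mandatory_profiles against C:\Users to catch profiles that were converted before telemetry was in place.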
This disclosure arms blue teams against obscure persistence, urging scrutiny of Windows’ dusty corners.
The post Swarmer Tool Evading EDR With a Stealthy Modification on Windows Registry for Persistence appeared first on Cyber Security News .