New Swarmer Tool Bypasses Windows EDR via Legacy User Profiles and Offline Registry Exploits

Praetorian Inc. has unveiled Swarmer, a tool that enables attackers with minimal privileges to establish persistent access on Windows systems by circumventing Endpoint Detection and Response (EDR) mechanisms. Operational since February 2025, Swarmer manipulates mandatory user profiles and utilizes the Offline Registry API to alter the NTUSER hive without activating standard registry monitoring.

Traditional Registry Persistence and EDR Detection

Conventional methods for achieving registry persistence involve modifying the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` keys. However, EDR solutions typically monitor these changes by hooking into APIs like `RegSetValue`, thereby logging and flagging such modifications as potential threats.

Swarmer’s Approach: Exploiting Mandatory User Profiles

Swarmer circumvents EDR detection by exploiting mandatory user profiles, a legacy Windows feature designed for enforcing consistent user environments across enterprise systems. In these profiles, an `NTUSER.MAN` file in `%USERPROFILE%` supersedes the standard `NTUSER.DAT` hive at user login. An attacker with only low, user-level privileges can create an `NTUSER.MAN` file by duplicating and renaming the existing `NTUSER.DAT`.

Utilizing the Offline Registry API

Modifying a loaded registry hive typically requires standard APIs, which are monitored by EDR systems. Swarmer addresses this challenge by leveraging `Offreg.dll`, Microsoft’s Offline Registry Library intended for offline hive manipulation during system setup or forensic analysis. Despite Microsoft’s advisories against using Offreg to bypass registry security, Swarmer employs functions such as `ORCreateHive`, `OROpenHive`, `ORCreateKey`, `ORSetValue`, and `ORSaveHive`. These functions facilitate comprehensive hive construction without invoking the standard `Reg` APIs, effectively evading detection by tools like Process Monitor, Event Tracing for Windows (ETW), and most EDR behavioral analytics.

Swarmer’s Workflow and Implementation

Swarmer’s operational workflow is streamlined and efficient:

1. Export the HKCU Hive: Use the `reg export` command or, to minimize disk artifacts, TrustedSec’s `reg_query` Beacon Object File (BOF) to extract the current user’s registry hive.

2. Modify the Exported Registry File: Edit the exported registry file to include desired changes, such as adding entries to the Run key for persistence.

3. Generate the NTUSER.MAN File: Execute Swarmer with the modified registry file to create the `NTUSER.MAN` file. This can be done using the command:

```
swarmer.exe exported.reg NTUSER.MAN
```

Alternatively, to specify startup parameters:

```
swarmer.exe --startup-key Updater --startup-value C:\Path\To\payload.exe exported.reg NTUSER.MAN
```

4. Deploy the NTUSER.MAN File: Place the generated `NTUSER.MAN` file into the `%USERPROFILE%` directory.

For command-and-control (C2) implants, Swarmer can process BOF output directly:

```
swarmer.exe --bof --startup-key Updater --startup-value C:\Path\To\payload.exe bof_output.txt NTUSER.MAN
```

Developed in C# to facilitate P/Invoke and offline usage, Swarmer functions as both an executable and a PowerShell module:

```powershell
Import-Module '.\swarmer.dll'
Convert-RegToHive -InputPath '.\exported.reg' -OutputPath '.\NTUSER.MAN'
```

Because `ORCreateHive` on its own produces hive files that Windows refuses to load, Swarmer uses a workaround: `RegLoadAppKeyW` (which does not require administrative privileges) creates a valid base hive, which is then populated using Offreg.

Key Features of Swarmer

– Supported Platforms: Windows 10 and Windows 11

– Required Privileges: Low (user-level)

– Evasion Techniques: Avoids using standard `Reg` APIs; offers optional no-disk BOF execution

– Payload Types: Supports Run keys and custom registry modifications

Limitations and Detection Opportunities

While Swarmer presents a novel method for achieving stealthy persistence, it has certain limitations:

– One-Time Use: Once deployed, the profile becomes mandatory, preventing further updates without administrative privileges and resetting user changes upon each login.

– Activation Requires Login: The persistence mechanism activates only upon user logout and subsequent login, though it does survive system reboots.

– Limited to HKCU: Swarmer operates solely within the `HKEY_CURRENT_USER` hive and does not have access to `HKEY_LOCAL_MACHINE`.

– Potential for Login Issues: There is a risk of login corruption; thorough testing is recommended before deployment.

Detection strategies include monitoring for the creation of `NTUSER.MAN` files outside of standard enterprise tools, observing the loading of `Offreg.dll` in atypical processes, and identifying anomalies in user profiles. While payload execution at login remains detectable, obfuscation techniques can be employed to mitigate this visibility.

Recommendations for Defenders

To counteract the techniques employed by Swarmer, security teams should:

– Monitor User Profile Directories: Regularly check for the presence of `NTUSER.MAN` files in user profile directories, especially those created without authorized enterprise tools.

– Baseline Offreg Usage: Establish a baseline of legitimate `Offreg.dll` usage to identify anomalies indicative of unauthorized access.

– Assess Profile Integrity at Login: Implement checks to ensure the integrity of user profiles during the login process, identifying any unauthorized modifications.
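The detection strategies above (an `NTUSER.MAN` file appearing directly in a profile directory, and `Offreg.dll` loaded by a process outside a known baseline) can be expressed as a small correlation rule. The following is an added example written for this article, not Praetorian's code or Swarmer's own output. It runs over constructed Sysmon-style events (Event ID 7 = ImageLoad, Event ID 11 = FileCreate, using Sysmon's real field names `Image`, `ImageLoaded` and `TargetFilename`); the sample events, the `updater.exe` path and the baseline allowlist entry are all constructed placeholders, and the severity labels are an assumption of this example rather than anything the article specifies. It also goes one step beyond the article by escalating when a single process both loads `Offreg.dll` and writes `NTUSER.MAN`, since that pairing is exactly Swarmer's workflow.

```python
"""Correlate Swarmer-style persistence indicators in Sysmon-style events.

Added example; not Praetorian's or Swarmer's code. The events, the
baseline allowlist and the severity labels are constructed assumptions.
"""
import ntpath
from collections import defaultdict

PROFILE_ROOT = r"c:\users"

# Hypothetical baseline: processes observed in this environment loading
# Offreg.dll legitimately. Build yours from real telemetry; this entry is a
# constructed placeholder.
OFFREG_BASELINE = {
    r"c:\program files\vendor-imaging\provision.exe",
}

# Constructed sample events (not real logs). EventID 7 = ImageLoad,
# EventID 11 = FileCreate, with Sysmon's own field names.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor-Imaging\provision.exe",
     "ImageLoaded": r"C:\Windows\System32\offreg.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\offreg.dll"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\alice\NTUSER.MAN"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\backup\NTUSER.MAN"},
]


def is_profile_root_ntuser_man(path: str) -> bool:
    """True when path is <profile root>\\<user>\\NTUSER.MAN.

    Windows honours a mandatory profile only when NTUSER.MAN sits directly in
    the profile directory, so a copy in a subfolder is not counted here.
    """
    p = ntpath.normpath(path).lower()
    profile_dir, name = ntpath.split(p)
    if name != "ntuser.man":
        return False
    parent, user = ntpath.split(profile_dir)
    return parent == PROFILE_ROOT and user not in ("", "default", "public")


def is_unbaselined_offreg_load(event: dict) -> bool:
    """True when offreg.dll is loaded by a process absent from the baseline."""
    loaded = ntpath.basename(event.get("ImageLoaded", "")).lower()
    if loaded != "offreg.dll":
        return False
    return event["Image"].lower() not in OFFREG_BASELINE


def detect(events):
    """Return a list of (severity, rule, image) findings.

    Each indicator alone is 'medium'; a process that both loads offreg.dll
    outside the baseline and creates NTUSER.MAN in a profile root is 'high'.
    """
    findings = []
    per_image = defaultdict(set)
    for ev in events:
        image = ev["Image"].lower()
        if ev["EventID"] == 7 and is_unbaselined_offreg_load(ev):
            findings.append(("medium", "offreg_load_outside_baseline", image))
            per_image[image].add("offreg")
        elif ev["EventID"] == 11 and is_profile_root_ntuser_man(ev["TargetFilename"]):
            findings.append(("medium", "ntuser_man_created_in_profile", image))
            per_image[image].add("ntuser_man")
    for image, hits in per_image.items():
        if hits == {"offreg", "ntuser_man"}:
            findings.append(("high", "offreg_load_and_ntuser_man_same_process", image))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

Against the sample events this yields two medium findings for `updater.exe` and one high finding from the correlation; the baselined provisioning tool and the `NTUSER.MAN` copy in a subfolder produce nothing. In production the allowlist should be derived from observed image-load telemetry rather than typed by hand, and the profile-root check should be extended with any non-default `ProfilesDirectory` in use.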

The disclosure of Swarmer underscores the importance of scrutinizing legacy Windows features that may be exploited to bypass modern security measures. By understanding and monitoring these obscure persistence mechanisms, defenders can enhance their ability to detect and mitigate such threats.
