Swarmer Tool Evading EDR With a Stealthy Modification on Windows Registry for Persistence
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Swarmer is a low-privilege Windows persistence utility that creates a mandatory user profile hive (NTUSER.MAN) and edits it via the Offline Registry API. Because it does not rely on conventional Reg* Windows APIs, it can plant Run key persistence while reducing visibility to EDR telemetry that is tuned to standard registry-write behavior. The method abuses mandatory profile handling to carry startup entries across logons without administrative rights. Swarmer is available as either a standalone executable or a PowerShell module and can be used in ways that minimize on-disk artifacts.
Investigation
The report outlines Swarmer’s end-to-end flow: it exports the current HKCU hive, alters the exported data to include startup persistence, and reconstructs the hive using Offreg.dll routines such as ORCreateHive and ORSetValue. The rebuilt hive is then placed as NTUSER.MAN inside the user profile path so it is applied during login. Execution is controlled through command-line options that define the target startup value and the payload location to run. The authors validated the technique on Windows 10 and Windows 11.
Mitigation
Monitor for creation of NTUSER.MAN in user contexts where mandatory profiles are not expected, and alert on Offreg.dll being loaded by unusual processes. Protect and integrity-check directories used for mandatory profiles, and baseline legitimate offline registry operations so deviations stand out. Add detections for suspicious hive changes that take effect at logon rather than at runtime. Where feasible, restrict a user’s ability to create or manipulate mandatory profile artifacts.
Response
If identified, isolate the endpoint, acquire the NTUSER.MAN hive for analysis, and enumerate any injected Run key entries. Remove unauthorized startup values and restore a known-good user hive to eliminate persistence. Perform broader forensic review to confirm no secondary payloads or alternate persistence paths were established, and hunt across the fleet for the same hive-writing pattern. Reinforce least-privilege controls to prevent low-privilege users from creating mandatory profiles.
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
The attacker has obtained a foothold on a compromised host and wishes to establish persistence that survives user log-on without touching the standard Registry hives (to evade EDR hooks). Using the Swarmer tool, the attacker:
- Determines the target user's profile directory (C:\Users\victim).
- Crafts a malicious hive file (NTUSER.MAN) containing a Run key that launches a back-door payload on logon.
- Writes the file directly to the victim's profile using low-level file I/O (bypassing WinAPI high-level calls).
- Calls the Offline Registry API ORCreateHive to load the newly created hive into memory, registers the Run key, and finally calls ORSaveHive to persist changes.
These actions generate:
- Sysmon EventID 11 – file creation ending with NTUSER.MAN.
- Security EventID 4688 – a process (swarmer.exe) whose command line contains ORCreateHive (or another OR* flag).
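As an added example that is not part of the original report or of the Swarmer project, the following Python detector applies the telemetry named in the Mitigation section and in the list above (Sysmon file creation of NTUSER.MAN under a user profile, Offreg.dll image loads by processes outside a baseline, and Security 4688 command lines carrying Offline Registry API names) to constructed sample events. The field names mirror Sysmon and Security event fields; the baseline set, the sample paths and the sample events are assumptions made for the example.

```python
# Added example (not from the original page): detection logic over the
# telemetry the page names for Swarmer-style NTUSER.MAN persistence:
#   - Sysmon Event ID 11 (FileCreate) whose target is NTUSER.MAN under \Users\
#   - Sysmon Event ID 7 (ImageLoad) of Offreg.dll by a process outside a baseline
#   - Security Event ID 4688 whose command line carries an Offline Registry API name
# Sample events below are constructed for this example.
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str             # "Sysmon" or "Security"
    event_id: int
    image: str              # Image / NewProcessName: the acting process
    target: str = ""        # TargetFilename (ID 11) or ImageLoaded (ID 7)
    command_line: str = ""  # CommandLine (Security 4688)


# Assumption: processes a baselining period showed legitimately loading Offreg.dll.
# Start empty, populate from observed legitimate offline registry work, keep it short.
OFFREG_BASELINE = {r"c:\windows\system32\dism.exe"}

# API names called out on the page; extend from your own baseline review.
OFFREG_API_RE = re.compile(r"\bOR(?:CreateHive|SetValue|SaveHive)\b")


def _in_user_profile(path: str) -> bool:
    """True for <drive>:\\Users\\<name>\\... paths (case-insensitive)."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    return len(parts) >= 3 and parts[1] == "users"


def evaluate(ev: Event) -> list:
    """Return (rule, image, detail) tuples for every rule the event trips."""
    hits = []
    name = ntpath.basename(ev.target).lower()
    if (ev.source == "Sysmon" and ev.event_id == 11
            and name == "ntuser.man" and _in_user_profile(ev.target)):
        hits.append(("mandatory_profile_hive_created", ev.image, ev.target))
    if (ev.source == "Sysmon" and ev.event_id == 7
            and name == "offreg.dll" and ev.image.lower() not in OFFREG_BASELINE):
        hits.append(("offreg_loaded_outside_baseline", ev.image, ev.target))
    if (ev.source == "Security" and ev.event_id == 4688
            and OFFREG_API_RE.search(ev.command_line)):
        hits.append(("offreg_api_on_command_line", ev.image, ev.command_line))
    return hits


def scan(events) -> list:
    """Run every event through the rules and flatten the hits."""
    return [hit for ev in events for hit in evaluate(ev)]


# Constructed sample telemetry: three events matching the page's description,
# one baseline Offreg.dll load and two benign file creations that must not alert.
SAMPLE_EVENTS = [
    Event("Sysmon", 11, r"C:\Users\victim\Downloads\swarmer.exe",
          target=r"C:\Users\victim\NTUSER.MAN"),
    Event("Sysmon", 7, r"C:\Users\victim\Downloads\swarmer.exe",
          target=r"C:\Windows\System32\offreg.dll"),
    Event("Security", 4688, r"C:\Users\victim\Downloads\swarmer.exe",
          command_line=r'swarmer.exe ORCreateHive "C:\Users\victim\NTUSER.MAN"'),
    Event("Sysmon", 7, r"C:\Windows\System32\dism.exe",
          target=r"C:\Windows\System32\offreg.dll"),
    Event("Sysmon", 11, r"C:\Windows\explorer.exe",
          target=r"C:\Users\victim\Documents\notes.txt"),
    Event("Sysmon", 11, r"C:\Windows\System32\svchost.exe",
          target=r"C:\Users\victim\ntuser.dat.LOG1"),
]

if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {image} -> {detail}")
```

The first rule only fires when Sysmon's FileCreate filter actually records the profile directory, and the third only when process command-line auditing is enabled for 4688; the second rule is the one that survives a renamed binary, so the baseline set should be kept deliberately small and reviewed whenever it grows.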
Regression Test Script:
#--------------------------------------------------------------
# Swarmer-style Registry Persistence Simulation (PowerShell)
#--------------------------------------------------------------
# 1. Define victim profile path
$victimProfile = "$env:SystemDrive\Users\victim"
$ntUserManPath = Join-Path $victimProfile "NTUSER.MAN"

# 2. Create a minimal hive file (binary placeholder)
#    In a real attack this would be a crafted registry hive;
#    these bytes are dummy data, not a valid hive.
$hiveBytes = [byte[]] (0..255)
[IO.File]::WriteAllBytes($ntUserManPath, $hiveBytes)

# 3. Invoke Offline Registry API via a helper executable.
#    Assume swarmer_helper.exe is a compiled binary that wraps
#    the native Offline Registry functions.
#    ($helperArgs is used instead of the automatic variable $args.)
$helper = "C:\Tools\swarmer_helper.exe"
$helperArgs = @(
    "ORCreateHive", "`"$ntUserManPath`""
    "ORSetValue", "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\myBackdoor", "`"C:\Malware\backdoor.exe`""
    "ORSaveHive", "`"$ntUserManPath`""
)
& $helper $helperArgs
#--------------------------------------------------------------
Cleanup Commands:
# Remove the malicious hive and unload it if needed
Remove-Item -Path "$env:SystemDrive\Users\victim\NTUSER.MAN" -Force
# If the helper left any in-memory hives, force unload (example;
# reg.exe ships in System32, not in the Windows Kits directory)
& "$env:SystemRoot\System32\reg.exe" unload "HKU\TempHive"