Swarmer is a specialized tool designed for stealthy persistence and configuration injection on Windows systems. By leveraging the Offline Registry API and abusing Windows Mandatory User Profiles, it allows operators to modify the HKEY_CURRENT_USER (HKCU) hive without triggering traditional registry write alerts monitored by EDR and AV solutions.
The tool transforms standard .reg files or output from the reg_query Beacon Object File (BOF) into a binary registry hive named NTUSER.MAN. When this file is placed in a user's profile directory, Windows loads it as a mandatory profile upon the next login, effectively merging the injected keys into the environment.
Key Features
- Converts standard .reg exports and Situational Awareness BOF outputs into valid Windows hive binaries.
- Utilizes the Windows Offline Registry API to avoid traditional Registry Read/Write API hooks.
- Evades EDR/AV detections keyed on live-registry write APIs, because the modifications are made to a hive file outside the live registry.
- Functions without administrative privileges for modifying the current user's environment.
- Available as both a standalone executable and a PowerShell-compatible DLL.
Use Cases
- Establishing stealthy persistence via the Run or RunOnce registry keys.
- Modifying user-specific security settings or application configurations without generating Registry Value Set telemetry.
- Injecting environment variables or shell-related registry keys for lateral movement and execution.
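Because the technique described above leaves a file named NTUSER.MAN at the root of a user's profile directory rather than producing live-registry write telemetry, the most direct host-side check is a file hunt. The following PowerShell script is an added defensive example, not code from Swarmer or its author: it enumerates NTUSER.MAN files directly under each local profile directory (assumed here to live under C:\Users; adjust $ProfileRoot for other layouts), verifies whether each carries the 'regf' signature that every genuine registry hive begins with, and reports timestamps and attributes so an analyst can triage unexpected hits.

```powershell
# Added defensive hunt (not part of Swarmer). Lists NTUSER.MAN files that sit
# directly in a local profile directory and reports whether each one is a real
# registry hive ('regf' header), when it was created/written, and whether it is hidden.
# Assumption: local profiles live under C:\Users; change $ProfileRoot if not.

$ProfileRoot = 'C:\Users'

Get-ChildItem -Path $ProfileRoot -Directory -Force |
    ForEach-Object {
        $candidate = Join-Path $_.FullName 'NTUSER.MAN'
        if (Test-Path -LiteralPath $candidate) {
            $file = Get-Item -LiteralPath $candidate -Force

            # Read the first four bytes; a genuine registry hive file starts with ASCII 'regf'.
            $header = [byte[]]::new(4)
            $stream = [System.IO.File]::OpenRead($file.FullName)
            try     { $null = $stream.Read($header, 0, 4) }
            finally { $stream.Dispose() }
            $isHive = ([System.Text.Encoding]::ASCII.GetString($header) -eq 'regf')

            [pscustomobject]@{
                Profile        = $_.Name
                Path           = $file.FullName
                SizeBytes      = $file.Length
                CreatedUtc     = $file.CreationTimeUtc
                LastWrittenUtc = $file.LastWriteTimeUtc
                IsRegistryHive = $isHive
                Hidden         = [bool]($file.Attributes -band [System.IO.FileAttributes]::Hidden)
            }
        }
    } | Format-Table -AutoSize
```

Run it in an elevated session so that every profile directory is readable. Any NTUSER.MAN outside an environment that deliberately deploys mandatory profiles deserves investigation, and a recently created one sitting beside an existing NTUSER.DAT is the pattern to prioritise; compare its CreatedUtc against logon and file-creation telemetry (for example Sysmon Event ID 11, FileCreate, filtered on a TargetFilename ending in NTUSER.MAN) to find the process that wrote it. Because the hive is loaded as a mandatory profile at the next logon, the injected values only appear in HKCU after that logon, so a detection built solely on registry value-set events will fire late or not at all; the file-creation event is the earlier signal.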