Links
This article introduces Swarmer, a tool designed for stealthy modification of the Windows Registry without triggering endpoint detection systems. It leverages legacy Windows features, specifically mandatory user profiles and the Offline Registry API, to achieve persistence without typical detection methods. The authors share insights from its operational use in engagements over the past year.
This article explains a technique for establishing registry persistence using an NTUSER.MAN file, which allows for registry writes without triggering typical monitoring callbacks. By placing a crafted NTUSER.MAN in a user's profile directory, attackers can load persistence keys directly into HKCU during logon, avoiding detection by conventional EDR solutions.