Burp Suite extension that adds built-in MCP tooling, AI-assisted analysis, privacy controls, passive and active scanning and more - six2dez/burp-ai-agent

Praetorian Inc. has publicly released Swarmer, a tool enabling low-privilege attackers to achieve stealthy Windows registry persistence by sidestepping Endpoint Detection and Response (EDR) monitoring. Deployed operationally since February 2025, Swarmer exploits mandatory user profiles and the obscure Offline Registry API to modify the NTUSER hive without triggering standard registry hooks. Traditional registry persistence via HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys is easily detected. EDR tools hook APIs like RegSetValue, logging, and flagging modifications. Swarmer bypasses this by leveraging mandatory user profiles, a legacy Windows feature for enterprise profile enforcement. In mandatory profiles, NTUSER.MAN overrides the standard NTUSER.DAT hive in %USERPROFILE% at login. Low-privilege users can create NTUSER.MAN by copying and renaming NTUSER.DAT. However, editing the loaded hive requires standard APIs, alerting EDR. Swarmer solves this using Offreg.dll, Microsoft’s Offline Registry Library, designed for offline hive manipulation during setup or forensics. Microsoft warns against bypassing registry security with Offreg, but Swarmer ignores this. Functions like ORCreateHive, OROpenHive, ORCreateKey, ORSetValue, and ORSaveHive allow full hive construction without Reg* API calls, evading Process Monitor, ETW, and most EDR behavioral analytics, praetorian said . Swarmer Workflow and Implementation Swarmer’s workflow is efficient: Export HKCU via  reg export  or TrustedSec’s reg_query Beacon Object File (BOF) to avoid disk artifacts. Modify the export (e.g., add Run key entries). Run Swarmer:  swarmer.exe exported.reg NTUSER.MAN  or with startup flags:  swarmer.exe --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" exported.reg NTUSER.MAN . Drop NTUSER.MAN into %USERPROFILE%. For C2 implants, parse BOF output directly:  swarmer.exe --bof --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" bof_output.txt NTUSER.MAN . Built in C# for P/Invoke ease and offline use, Swarmer works as an EXE or PowerShell module: text Import-Module '.\swarmer.dll' Convert-RegToHive -InputPath '.\exported.reg' -OutputPath '.\NTUSER.MAN' A workaround fixes ORCreateHive’s invalid hive output: RegLoadAppKeyW creates a base hive (non-admin), then Offreg populates it. Feature Details Platforms Windows 10/11 Privileges Low (user-level) Evasion No Reg* APIs; optional no-disk BOF Payload Types Run keys, custom registry mods Limitations and Detection Opportunities Swarmer has caveats: Caveat Impact One-shot Can’t update without admin; profile becomes mandatory, resetting user changes. Login-required Activates only on logout/login; survives reboots. HKCU-only No HKLM access. Edge cases Possible login corruption; test first. Detection includes NTUSER.MAN creation outside enterprise tools, Offreg.dll loads in non-standard processes, or profile anomalies. Payload execution at login remains visible obfuscate it. Defenders should monitor user profile directories for NTUSER.MAN, baseline Offreg usage, and profile integrity at login. Swarmer highlights Windows’ legacy cruft predating modern EDR. This disclosure arms blue teams against obscure persistence, urging scrutiny of Windows’ dusty corners. Follow us on Google News , LinkedIn , and X for daily cybersecurity updates. Contact us to feature your stories. The post Swarmer Tool Evading EDR With a Stealthy Modification on Windows Registry for Persistence appeared first on Cyber Security News .

Discovering secrets in exposed container images and leveraging misconfigurations for deeper access

Title:Bypass WAF Cloudflare RXSS in Hackerone

Understand the implications of CVE-2025-27110 on web application security and how it may allow attacks to bypass defenses.

Hello everyone, I’m Fares. Today, I’ll share the story of how I successfully identified a reflected XSS vulnerability within a public bug…

<p>El evento MorterueloCon son ponencias sobre ciberseguridad, con el fin de concienciación sobre el uso y desarrollo seguro de tecnologías de la información y la comunicación, que se celebran en Cuen...

Lately I’ve been thinking about Stephan Berger’s recent blog post on hiding Linux processes with bind mounts. Bottom line here is that if you have an evil process you want to hide, use …

Kali Linux Cheat Sheet for Penetration Testers. Contribute to NoorQureshi/kali-linux-cheatsheet development by creating an account on GitHub.

El ajuste propuesto consta de solo 30 líneas de código y reorganiza operaciones dentro de la pila de redes de Linux, mejorando la eficiencia energética y el rendimiento.

Unicode codepoint truncation - also called a Unicode overflow attack - happens when a server tries to store a Unicode character in a single byte. Because the maximum value of a byte is 255, an overflo