A tool for sneakily adding registry keys to HKCU without EDR/AV being able to see what's happening even if you don't have administrator access.
NOTE: You will only get to do this ONCE. Once NTUSER.MAN is your new registry hive you CANNOT change it without being an admin, so make sure you make all the changes you want in the first go.
- Grab the appropriate reg_query BOF from https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/SA/reg_query.
- Execute execute-bof --opsec Z:\path\to\reg_query.x64.o go z"" i1 z"" z"" i1
- Copy the output of that command to a file on your machine; for this example we'll call it output.txt. Note that you should include all the timestamps and begin with the HKEY_CURRENT_USER key, which looks something like this:
  03/18/2025 14:19:51 HKEY_CURRENT_USER\
- Grab the swarmer.exe binary from the releases section and run swarmer.exe --bof --startup-key "WhateverKeyNameYouWant" --startup-value "C:\Path\To\Your\target.exe" output.txt NTUSER.MAN
- Upload the NTUSER.MAN file back to the target machine, possibly named as something else if you want to be opsec conscious.
- Copy the file you uploaded in step 5 to %USERPROFILE%, so you should have a file like C:\Users\MyUserName\NTUSER.MAN.
- The next time the account logs in, your registry changes will be loaded.
Say that you have a registry key you want to add to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that on startup it pops calc.
First you need to have a registry dump of the HKCU key you would like to use. Ideally this should come from the machine you're intending to modify. You can generate one of these by running reg export HKCU hkcu.reg.
Then make the changes you want to see in the .reg file. In our example case we can just open the file in Notepad and add an extra line like this:
NOTE: Only changes to HKEY_CURRENT_USER will be applied; this cannot affect HKLM.
Next you need to use the swarmer.exe tool to transform your modified .reg file into a binary registry hive. An example invocation would be:
swarmer.exe hkcu.reg NTUSER.MAN
Alternatively, if you want to do this from inside a PowerShell script, you can instead grab the swarmer.dll binary from the releases section and run it by using the commands:
Import-Module '.\swarmer.dll'
Convert-RegToHive -InputPath '.\hkcu.reg' '.\NTUSER.MAN'
Finally you just need to drop NTUSER.MAN (it MUST be called this) into your %USERPROFILE% directory (something like C:\Users\MyUserName).
The next time the account logs in, your registry changes will be loaded.
Windows is full of legacy cruft; this abuses Windows Mandatory User Profiles. Normally you need to be an admin to rename a user's NTUSER.DAT to NTUSER.MAN, but there are apparently no protections to make sure that someone doesn't just drop a file there with the same name and have that be used instead.
There's a weird "expected" security boundary that generating a binary Windows hive on a machine requires administrator access, but in general this is very loosely enforced. swarmer (ab)uses the Offline Registry API in order to manipulate a binary registry hive as it parses an exported .reg file. To quote the description:
Applications should not use the offline registry functions to bypass the security requirements of the system registry. To load a hive, an application running without the special privileges required by the RegLoadKey function can use the RegLoadAppKey function.
Well obviously we're not going to listen to that, so now we can use the low privilege registry export combined with our swarmer tool to create a "privileged" registry binary object which you can just drop into the right spot to override the existing NTUSER.DAT registry hive.
In the process of doing this we won't use ANY traditional registry read/write APIs, so ideally EDR shouldn't have great insight into this process: none of this will show up as an actual registry write according to Sysinternals Procmon. If you're PARTICULARLY paranoid you can also take the .reg file onto a machine you control, use this tool to create the hive binary file, and drop it back on the host. Once you export the registry there's no need to interact with the host until you drop the NTUSER.MAN file.
Technically you don't even need to export the registry, but it's likely dangerous to try to replace an account's registry with something from another machine that doesn't EXACTLY match the windows environment, and that will be tricky to guarantee.
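A defender-side check, added here as an example that is not part of the swarmer project: because the technique writes a file instead of calling registry APIs, the durable artifact on the host is an NTUSER.MAN sitting in a profile directory. The script below (assumed to run as an administrator; $ExpectedMandatoryProfiles is a placeholder list you fill in for your environment) reports every such hive with its owner and timestamps, which is enough to spot one the profile's own user dropped.

```powershell
# Added example, not part of the swarmer project: list every local profile that
# carries a mandatory hive (NTUSER.MAN) so unexpected ones can be investigated.
# Assumptions: run as an administrator so every profile directory is readable;
# $ExpectedMandatoryProfiles is a placeholder for accounts that are legitimately
# provisioned with a mandatory profile.
$ExpectedMandatoryProfiles = @()   # e.g. @('kiosk') -- placeholder

# ProfilesDirectory is normally %SystemDrive%\Users; expand it rather than hard-code it.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileRoot = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -Path $profileList -Name ProfilesDirectory).ProfilesDirectory)

function Find-MandatoryHive {
    Get-ChildItem -Path $profileRoot -Directory -Force | ForEach-Object {
        $man = Join-Path $_.FullName 'NTUSER.MAN'
        if (-not (Test-Path -LiteralPath $man)) { return }
        # NTUSER.* files are hidden, so -Force is needed to read their attributes.
        $hive = Get-Item -LiteralPath $man -Force
        [PSCustomObject]@{
            Profile    = $_.Name
            Expected   = $ExpectedMandatoryProfiles -contains $_.Name
            HivePath   = $hive.FullName
            Created    = $hive.CreationTime
            LastWrite  = $hive.LastWriteTime
            # An admin-provisioned mandatory hive is normally owned by an admin or
            # SYSTEM; one owned by the profile's own user deserves a closer look.
            Owner      = (Get-Acl -LiteralPath $man).Owner
            # NTUSER.DAT still present beside NTUSER.MAN is the pattern described above.
            DatPresent = Test-Path -LiteralPath (Join-Path $_.FullName 'NTUSER.DAT')
        }
    }
}

Find-MandatoryHive | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Pair this with file-creation telemetry on the profile root, since the hive only takes effect at the next logon and the drop itself is the event worth alerting on.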
- This approach was pointed out to me by fellow team member Rad, who in turn heard about it from Jonas Lykkegård
- The HiveSwarming project provided a good base for how to implement the conversion process with the Offline Registry APIs.
This tool is being open sourced under the Apache License.
