Security News

Cybersecurity news aggregator

Severity: HIGH | Category: Attacks | Source: Reddit r/netsec

Corrupting the Hive Mind: Persistence Through Forgotten Windows Internals

  • What: Swarmer, a Windows persistence tool presented in a blog post linked from r/netsec, abuses mandatory user profiles to persist without touching the live registry.
  • How: Instead of calling the registry API, it copies the current user's registry hive, edits the copy on disk to add a startup (Run) entry, and installs the copy as the profile hive Windows will load at the user's next logon. The change is a file write, and the modified hive is not loaded until that next logon, so EDR sensors that watch registry operations see no registry write at all.
  • Impact: Attackers keep access to a compromised system while evading registry-based EDR detection. Defenders have to look at the hive files themselves (a user-mode process writing NTUSER.* in a profile directory) or at Run values that first appear at logon with no matching registry-write event.

Dropping a link to our blog post about our tool Swarmer, a Windows persistence tool for abusing mandatory user profiles. Essentially you copy the current user's registry hive and modify it to add a new registry key to run on startup. Because the new hive isn't loaded until the next time the user logs in, EDR never sees any actual registry writes.

submitted by /u/bouncyhat
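Since the Run value lives in an on-disk hive file rather than in the live registry, the practical check is to read every profile hive offline and list its Run/RunOnce entries. The script below is an added hunt example, not code from the post or from the Swarmer tool. It assumes an elevated PowerShell session on the host being checked; the function name Get-OfflineHiveRunValues and the mount name OfflineHuntHive are made up for the example. It relies on a Windows fact the post does not state: a mandatory profile is a hive file named NTUSER.MAN in the user's profile directory.

```powershell
# Added hunt script (not from the Swarmer post or tool). Assumes an elevated session.
# Idea: the backdoored Run value sits in a hive file on disk, not in the live registry,
# so load each profile hive offline with reg.exe and list its Run/RunOnce values.

$RunKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MountName = 'OfflineHuntHive'   # hypothetical mount point under HKEY_USERS
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-OfflineHiveRunValues {
    param([Parameter(Mandatory)][string]$HivePath)

    $results = @()
    # Map the on-disk hive under HKU\<MountName>. This fails when the hive is the one
    # currently loaded for a logged-on user, because Windows holds it locked.
    & reg.exe load "HKU\$MountName" $HivePath 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not load $HivePath offline (probably in use); inspect HKEY_USERS\<SID> live instead"
        return $results
    }
    try {
        foreach ($rel in $RunKeys) {
            $key = "Registry::HKEY_USERS\$MountName\$rel"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $ProviderProps) { continue }   # skip provider metadata
                $results += [pscustomobject]@{
                    Hive    = $HivePath
                    Key     = $rel
                    Name    = $p.Name
                    Command = $p.Value
                }
            }
        }
    }
    finally {
        [gc]::Collect()   # drop provider handles, otherwise unload fails with "access denied"
        & reg.exe unload "HKU\$MountName" 2>&1 | Out-Null
    }
    return $results
}

# Walk every local (non-system) profile. A mandatory profile is a hive named NTUSER.MAN,
# so its presence on a machine that does not use mandatory profiles is itself a finding.
foreach ($profile in Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }) {
    foreach ($name in 'NTUSER.DAT', 'NTUSER.MAN') {
        $hive = Join-Path $profile.LocalPath $name
        if (-not (Test-Path $hive)) { continue }
        $info = Get-Item $hive -Force   # -Force: the hive files are hidden
        if ($name -eq 'NTUSER.MAN') {
            Write-Host "[!] Mandatory-profile hive found: $hive (last written $($info.LastWriteTime))"
        }
        Get-OfflineHiveRunValues -HivePath $hive | Format-Table -AutoSize
    }
}
```

Two caveats when using this. The hive of a currently logged-on user cannot be loaded offline, so the script warns and you read that user's Run keys live under HKEY_USERS\<SID> instead. And for continuous detection rather than a one-off hunt, the signal to alert on is file-create or file-write telemetry for NTUSER.MAN or NTUSER.DAT under the profile directories from a user-mode process, since the registry-write telemetry the technique sidesteps will at best fire at the next logon, attributed to the profile service rather than to the attacker's process.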
