
Exploiting Windows Mandatory User Profiles for Persistence with Swarmer Tool
Tags: cybersecurity, Windows, registry hive, EDR bypass, persistence, malware, tool, GitHub
This post introduces Swarmer, a tool developed to exploit Windows mandatory user profiles for persistence. The method copies the current user's registry hive to a file, modifies that offline copy to add a startup key, and relies on Windows reloading the modified hive at the next login. Because the startup key is written into the hive file rather than through the live registry, EDR (Endpoint Detection and Response) solutions that monitor registry writes see no registry modification before the system reboot. The tool is available on GitHub.
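For defenders, the obvious audit point is the mandatory profile hive itself. The script below is an added example, not part of Swarmer or its repository; it assumes profiles live under C:\Users (adjust the path for profiles stored elsewhere), that mandatory profile hives are named NTUSER.MAN, that the startup entries of interest live in the Run and RunOnce keys, and that it runs in an elevated PowerShell session. It loads each mandatory hive offline and lists the startup values it carries, alongside the hive file's last-write time.

```powershell
# Added audit example (not Swarmer's code): find mandatory profile hives
# (NTUSER.MAN), load each one offline under a temporary HKU key, and list
# the Run/RunOnce values inside it. Requires administrator rights.
$profileRoot = 'C:\Users'   # assumption: default local profile location
$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()
foreach ($dir in Get-ChildItem -Path $profileRoot -Directory) {
    $hive = Join-Path $dir.FullName 'NTUSER.MAN'
    if (-not (Test-Path -LiteralPath $hive)) { continue }

    # Temporary mount name; reg.exe can only load a hive that is not in use,
    # so the hive of a currently logged-on user is reported and skipped.
    $mount = 'AuditHive_' + ($dir.Name -replace '[^A-Za-z0-9]', '_')
    & reg.exe load "HKU\$mount" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not load $hive (locked or in use); inspect it after logoff"
        continue
    }
    try {
        foreach ($rel in $runKeys) {
            $path = "Registry::HKEY_USERS\$mount\$rel"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $props = Get-ItemProperty -LiteralPath $path
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
                $findings += [pscustomobject]@{
                    Profile      = $dir.Name
                    Hive         = $hive
                    HiveModified = (Get-Item -LiteralPath $hive).LastWriteTime
                    Key          = $rel
                    Name         = $p.Name
                    Command      = $p.Value
                }
            }
        }
    } finally {
        # Release provider handles before unloading so the unload succeeds.
        [gc]::Collect()
        & reg.exe unload "HKU\$mount" | Out-Null
    }
}

$findings | Format-Table -AutoSize
```

A Run value in a mandatory hive that the profile owner cannot explain, or a HiveModified time that does not match the profile's provisioning date, is the signal to investigate; an offline edit leaves no registry-write event, but it does change the file.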