5. Persistence
Persistence (TA0003)
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
Techniques Overview
- Scheduled Task/Job: Running malware on a timer or reboot.
- Boot or Logon Autostart Execution: Registry Run keys, Startup folders.
- Create Account: Adding a backup local admin user.
- Office Application Startup: Backdooring Word templates (Normal.dotm).
Strategy
- Redundancy: Never rely on just one persistence method. If the SOC finds your Run Key, you want your Scheduled Task to survive.
- User-Level vs Admin-Level:
  - User: HKCU Run keys, Scheduled Tasks (user context). Easier to set up, but dies if the user account is deleted.
  - Admin: Services, HKLM Run keys. Survives the loss of any single account and runs regardless of who logs on, but requires elevated privileges to install.
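The locations named in the Techniques Overview and the Strategy notes above, as an added audit example that is not code from the original page: a PowerShell function that walks the user-level and machine-level Run/RunOnce keys, both Startup folders, non-Microsoft scheduled tasks, services whose binary lives outside \Windows, and the Word Normal.dotm and STARTUP paths, tagging each hit with its scope so the user-vs-admin split is visible in the output. The Scope classification of scheduled tasks (by RunLevel and principal) and the \Windows exclusion for services are heuristics assumed here, not rules from the page; run it elevated to read HKLM, services and every task.

```powershell
# Added example, not part of the original page. Inventories the persistence
# locations listed in this section and tags each entry User or Machine.
# Run from an elevated prompt so HKLM, services and all tasks are readable.
function Get-PersistenceInventory {
    $results = [System.Collections.Generic.List[object]]::new()

    # Child scope can read $results from the enclosing function; Add() mutates
    # the same list object, so no return value is needed.
    function Add-Hit($Scope, $Technique, $Location, $Command) {
        $results.Add([pscustomobject]@{
            Scope     = $Scope      # User = dies with the account; Machine = needed admin to plant
            Technique = $Technique
            Location  = $Location
            Command   = $Command
        })
    }

    # 1. Registry Run keys (Boot or Logon Autostart Execution)
    $runKeys = @(
        @{ Scope = 'User';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Scope = 'User';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
        @{ Scope = 'Machine'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Scope = 'Machine'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k.Path)) { continue }
        $props = Get-ItemProperty -Path $k.Path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
            Add-Hit $k.Scope 'Registry Run Key' "$($k.Path)\$($p.Name)" $p.Value
        }
    }

    # 2. Startup folders (per-user and all-users)
    $startupDirs = @(
        @{ Scope = 'User';    Path = [Environment]::GetFolderPath('Startup') },
        @{ Scope = 'Machine'; Path = [Environment]::GetFolderPath('CommonStartup') }
    )
    foreach ($s in $startupDirs) {
        Get-ChildItem -Path $s.Path -File -ErrorAction SilentlyContinue | ForEach-Object {
            Add-Hit $s.Scope 'Startup Folder' $_.FullName $_.FullName
        }
    }

    # 3. Scheduled tasks outside the \Microsoft\ tree. Scope heuristic (assumed here):
    #    a task running as a built-in service account or at Highest run level
    #    needed admin to create, so it is treated as Machine-level.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            $isMachine = ($task.Principal.RunLevel -eq 'Highest') -or
                         ($task.Principal.UserId -match '^(SYSTEM|LocalService|NetworkService)$')
            $scope = if ($isMachine) { 'Machine' } else { 'User' }
            foreach ($a in $task.Actions) {
                if ($a.Execute) {
                    Add-Hit $scope 'Scheduled Task' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
                }
            }
        }

    # 4. Services whose binary is not under \Windows (heuristic; third-party
    #    software will show up too, which is fine for an inventory).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
        ForEach-Object { Add-Hit 'Machine' 'Service' $_.Name $_.PathName }

    # 5. Office Application Startup: Word's global template and STARTUP add-in folder.
    $officePaths = @(
        (Join-Path $env:APPDATA 'Microsoft\Templates\Normal.dotm'),
        (Join-Path $env:APPDATA 'Microsoft\Word\STARTUP')
    )
    foreach ($path in $officePaths) {
        Get-Item -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            Add-Hit 'User' 'Office Application Startup' $_.FullName "last modified $($_.LastWriteTime)"
        }
    }

    return $results
}

# Usage: group by scope so user-level and machine-level entries are reviewed separately.
Get-PersistenceInventory | Sort-Object Scope, Technique, Location | Format-Table -AutoSize
```

Diff the output against a known-good baseline of the same host rather than reading it cold: every unexpected Machine-scope entry implies the adversary already held admin, while a User-scope entry alone is consistent with a foothold that has not escalated yet.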
Section Contents
- BITS Jobs: Using the Background Intelligent Transfer Service for persistence and data transfer.
- Boot or Logon Autostart Execution: Abusing system mechanisms that run automatically at boot or logon (beyond standard Run keys).
- Browser Extensions: Abusing browser extensions to maintain persistence and steal data.
- Create Account: Creating backdoor accounts or generating Golden Tickets for permanent domain dominance.
- Registry Run Keys / Startup Folder: Persistence via the Windows Registry "Run" keys and the Startup folder.
- Scheduled Task/Job: Persistence via Windows Task Scheduler, Linux cron, and systemd timers.