Persistence

Persistence is a tactic attackers use to keep access to a compromised system for an extended period. Once persistence is established, that access survives (and often re-establishes itself automatically after) events that would normally interrupt malware execution or compromised-account activity, such as a device restart, a password change, a logout, or a software update.

The MITRE ATT&CK knowledge base designates the Persistence tactic as TA0003.

Why persistence?

Persistence makes it possible to spy on victims, steal their data and money, or use their devices for the attackers’ own purposes long-term. Additionally, threat actors can sell access to individual compromised devices or entire botnets.

Persistence methods

To gain persistence, attackers usually abuse the operating system's own mechanisms for starting programs and services automatically. Because they rely on standard system utilities (PowerShell, WMI, Bash, schtasks, and the like), such actions look like routine administrator tasks and are hard to tell apart from them.

Below are the most common persistence methods.

  • Modifying the Startup folder or Windows registry. Attackers add autostart entries to registry keys (for example, the Run and RunOnce keys) or drop malicious programs or shortcuts into the Startup folder, so the system launches their code at every boot or user logon.
  • Modifying the task scheduler (for example, Windows Task Scheduler or cron). Attackers create scheduled tasks that run malicious code on a schedule (for example, every hour) or when a specific event occurs (for example, when the computer goes idle).
  • Creating or modifying services. Attackers register a new system service or alter an existing legitimate one so that a malicious binary is launched early in the boot process, typically with elevated privileges.
  • Account manipulation. Attackers modify existing accounts (for example, escalate a user account's privileges or reset an administrative password) or create new, concealed administrative accounts. This lets them log in through standard remote access protocols such as RDP or SSH without relying on any software vulnerability.
  • Bootkits. Attackers infect the disk boot sector or the UEFI firmware of a compromised device so that malicious code runs before the operating system loads, which makes it hard for OS-level security tools to detect.
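As an added example (not code from the original page), the Python script below runs the detection side of this list over a handful of constructed Windows event records: Sysmon registry value-set (ID 13) and file-create (ID 11) events for the Run keys and the Startup folder, Security event 4698 for scheduled task creation, System event 7045 for service installation, and Security events 4720 and 4732 for account creation and addition to the local Administrators group. The event field names, the sample values, and the "user-writable path" heuristic are assumptions made for illustration; bootkits and cron are left out because they do not surface in these logs.

```python
"""Triage constructed Windows event records for the persistence techniques
listed above (registry Run keys, Startup folder, scheduled tasks, services,
account manipulation). Added example; field names and values are hypothetical."""
import re
from dataclasses import dataclass

# Autostart registry keys: ...\Microsoft\Windows\CurrentVersion\Run and RunOnce
# under either HKLM or a user hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Per-user and all-users Startup folders share this path suffix.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Locations a standard user can write to; a service or task launching a binary
# from here deserves a closer look (heuristic, not a rule).
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp)\\", re.IGNORECASE)
# Well-known SID of the local Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"


@dataclass(frozen=True)
class Finding:
    technique: str
    event_id: int
    detail: str
    user_writable: bool  # launched image lives where a standard user can write


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE_RE.search(path))


def triage(events):
    """Return one Finding per event that touches an autostart location,
    a scheduled task, a service, or a privileged account."""
    findings = []
    for ev in events:
        src, eid = ev["source"], ev["event_id"]
        if src == "Sysmon" and eid == 13:
            # Registry value set: only Run/RunOnce keys are autostart locations.
            if RUN_KEY_RE.search(ev.get("target_object", "")):
                cmd = ev.get("details", "")
                findings.append(Finding("registry Run key", eid,
                                        f"{ev['target_object']} = {cmd}", is_user_writable(cmd)))
        elif src == "Sysmon" and eid == 11:
            # File created: flag anything dropped into a Startup folder.
            path = ev.get("target_filename", "")
            if STARTUP_DIR_RE.search(path):
                findings.append(Finding("Startup folder", eid, path, is_user_writable(path)))
        elif src == "Security" and eid == 4698:
            cmd = ev.get("command", "")
            findings.append(Finding("scheduled task", eid,
                                    f"{ev.get('task_name')} -> {cmd}", is_user_writable(cmd)))
        elif src == "System" and eid == 7045:
            cmd = ev.get("command", "")
            findings.append(Finding("new service", eid,
                                    f"{ev.get('service_name')} -> {cmd}", is_user_writable(cmd)))
        elif src == "Security" and eid == 4720:
            findings.append(Finding("account created", eid, ev.get("target_user", ""), False))
        elif src == "Security" and eid == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            findings.append(Finding("added to Administrators", eid, ev.get("member", ""), False))
    return findings


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"source": "Sysmon", "event_id": 13,  # unrelated registry write, must be ignored
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": "explorer.exe"},
    {"source": "Sysmon", "event_id": 11,
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    {"source": "Security", "event_id": 4698, "task_name": r"\Microsoft\Windows\Sync\Health",
     "command": r"C:\Windows\Temp\health.bat"},
    {"source": "System", "event_id": 7045, "service_name": "Print Helper",
     "command": r"C:\Windows\System32\spoolsv.exe"},
    {"source": "Security", "event_id": 4720, "target_user": "support$"},
    {"source": "Security", "event_id": 4732, "member": "support$", "group_sid": ADMINISTRATORS_SID},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = " [user-writable path]" if f.user_writable else ""
        print(f"{f.event_id:>5}  {f.technique:<24} {f.detail}{flag}")
```

The script is deliberately event-driven rather than a host scan: each finding maps back to one of the bullets above, and the user-writable flag is the kind of second-stage check a triage analyst applies before deciding which of the six hits to chase first. Tightening it for a real environment means replacing the constructed records with an export from the actual log pipeline and baselining the legitimate services and tasks that appear there.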
