Persistence Mechanisms
Tactics & Techniques
Definition
Persistence refers to techniques attackers use to maintain access to a compromised system across reboots, logouts, or credential changes. Instead of repeatedly breaking in, they plant something that survives, hooking into trusted OS functionality so their payload runs automatically without them being present. The key idea: it's not about breaking the system. It's about **living inside trusted execution paths**.

### Common Techniques

**Registry Run Keys** — Entries added to paths like `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` execute the payload every time that user logs in; the `HKLM` equivalent fires for every user on the host.

**Scheduled Tasks** — Created via `schtasks`, often disguised with names mimicking legitimate Windows tasks.

**Services** — Malicious binaries registered as Windows services set to auto-start at boot. Frequently run with elevated privileges (typically as `LocalSystem`).

**Startup Folder** — Files or shortcuts dropped into `C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` run at that user's logon.

**WMI Event Subscriptions** — Event-based triggers: an `__EventFilter` bound to a consumer such as `CommandLineEventConsumer`, firing on system events like boot or a timer. Fileless and harder to catch without dedicated logging.

### Detection

Relevant Event IDs:

- `4698` (Security log) — Scheduled task created
- `7045` (System log) — New service installed
- `Sysmon EID 11` — File creation; filter on startup locations
- `Sysmon EID 13` — Registry value set; filter on Run and RunOnce paths
- `Sysmon EID 19`, `20`, `21` — WMI event filter, consumer, and filter-to-consumer binding activity (the logging WMI persistence needs)

What to look for:

- Newly created or modified registry Run keys
- `schtasks.exe` launched by unusual parent processes (`cmd.exe`, `powershell.exe`, `wscript.exe`)
- Services with binary paths pointing to temp folders or user directories
- Files in startup folders with non-standard names or extensions

### Further Reading

- [MITRE ATT&CK — TA0003 Persistence](https://attack.mitre.org/tactics/TA0003/)
- [SANS — Common Windows Persistence Mechanisms](https://www.sans.org/blog/common-windows-persistence-mechanisms/)
- [CISA — Understanding Persistence Mechanisms](https://www.cisa.gov/news-events/news/understanding-persistence-mechanisms)
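The techniques above each leave a footprint in one of the event sources listed under Detection. The following is an added example, not code from this glossary: a small triage routine that applies the "what to look for" heuristics to a handful of constructed, already-normalised events (a task creation, a service install, a Run key write, Startup folder drops, and a WMI consumer). The dict field names, the sample paths and SIDs, and the idea that the parent of `schtasks.exe` has been joined in from Sysmon EID 1 are all assumptions for illustration; real telemetry would arrive via Windows Event Forwarding or an EDR, and you would adapt the field mapping.

```python
"""Triage of persistence-related Windows events (added example, not page code).

The events are constructed test data, not real telemetry, already normalised
into dicts; field names are assumptions for this example.
"""
import re

# Processes that should not normally be installing persistence.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Names attackers reuse to blend in; legitimate copies live under C:\Windows.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
WMI_EIDS = {19: "WMI event filter", 20: "WMI event consumer",
            21: "WMI filter-to-consumer binding"}


def executable(command_line: str) -> str:
    """Image path from a service/task/Run-value command line, quoted or not."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def path_findings(label: str, command_line: str) -> list:
    """Checks shared by every technique: where does the payload actually live?"""
    out, exe = [], executable(command_line)
    if USER_WRITABLE.search(exe):
        out.append(f"{label} points into a user-writable directory: {exe}")
    if basename(exe) in SYSTEM_BINARY_NAMES and not exe.lower().startswith("c:\\windows\\"):
        out.append(f"{label} mimics a system binary outside C:\\Windows: {exe}")
    return out


def triage(ev: dict) -> list:
    """Return human-readable findings for one normalised event (empty = benign)."""
    src, eid, findings = ev["src"], ev["id"], []
    actor = basename(ev.get("image", ""))   # process responsible for the change
    if src == "Security" and eid == 4698:
        # assumption: "image" is the parent of schtasks.exe, joined from Sysmon EID 1
        if actor in SCRIPT_HOSTS:
            findings.append(f"scheduled task {ev['task']} created via {actor}")
        findings += path_findings("task action", ev["command"])
    elif src == "System" and eid == 7045:
        findings += path_findings(f"service '{ev['service']}' binary", ev["image_path"])
    elif src == "Sysmon" and eid == 13 and RUN_KEY.search(ev["target"]):
        findings.append(f"Run key value set by {actor}: {ev['target']}")
        findings += path_findings("Run value", ev["details"])
    elif src == "Sysmon" and eid == 11 and STARTUP_DIR.search(ev["target"]):
        name = basename(ev["target"])
        ext = name[name.rfind("."):] if "." in name else ""
        if ext != ".lnk":                       # shortcuts are the expected content
            findings.append(f"non-shortcut file dropped in Startup folder: {name}")
        if actor in SCRIPT_HOSTS:
            findings.append(f"Startup folder write by {actor}")
    elif src == "Sysmon" and eid in WMI_EIDS:
        findings.append(f"{WMI_EIDS[eid]} activity by {actor}: {ev['details']}")
    return findings


def flagged(events: list) -> list:
    """Indexes of the events that produced at least one finding."""
    return [i for i, ev in enumerate(events) if triage(ev)]


# Constructed sample events (not real logs); alternating suspicious / benign.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"src": "Security", "id": 4698, "task": r"\Microsoft\Windows\UpdateOrchestrator\Updater",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"src": "Security", "id": 4698, "task": r"\Backup\Nightly",
     "image": r"C:\Windows\System32\mmc.exe",
     "command": r'"C:\Program Files\Backup\backup.exe" /quiet'},
    {"src": "System", "id": 7045, "service": "WinDefendSvc",
     "image_path": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"src": "System", "id": 7045, "service": "PrintWorkflowUserSvc",
     "image_path": r"C:\Windows\System32\svchost.exe -k PrintWorkflow"},
    {"src": "Sysmon", "id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"src": "Sysmon", "id": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target": STARTUP + r"\sync.vbs"},
    {"src": "Sysmon", "id": 11, "image": r"C:\Windows\explorer.exe",
     "target": STARTUP + r"\Steam.lnk"},
    {"src": "Sysmon", "id": 20, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "details": r"CommandLineEventConsumer: cmd.exe /c C:\Users\alice\AppData\Local\Temp\upd.exe"},
]

if __name__ == "__main__":
    for i in flagged(SAMPLE_EVENTS):
        print(f"[{SAMPLE_EVENTS[i]['src']} {SAMPLE_EVENTS[i]['id']}]")
        for finding in triage(SAMPLE_EVENTS[i]):
            print("   -", finding)
```

Each rule scores a single event, which is deliberately simple: the Run key write is flagged on its own, and the same path checks are reused for task actions, service binaries and Run values so that a payload living under `C:\Users` or `%TEMP%` is caught whichever technique plants it. The benign counterparts (a task created from the Task Scheduler console, a `svchost.exe -k` service, a `.lnk` written by Explorer) produce no findings, which is the false-positive floor you should expect before tuning for your own environment.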
Related Terms
Incident Response
Examples & Use Cases
**APT29 (Cozy Bear)** — Known for using Registry Run Keys and WMI event subscriptions to maintain long-term access inside target environments without triggering file-based detections.

**SolarWinds (2020)** — Attackers embedded persistence inside a modified service DLL baked into a trusted, signed process. It survived reboots, blended with legitimate traffic, and went undetected for months.

**Ransomware operators** — Groups like Ryuk commonly install scheduled tasks or services to re-run their loaders if the initial payload is killed by AV, buying time before full detonation.