Overview of MITRE ATT&CK Tactic 3: Persistence (TA0003)
Introduction
In cybersecurity, gaining access to a system is only the beginning for an attacker. Once inside, their next priority is ensuring they can maintain long-term access, even if the system is rebooted, credentials are changed, or patches are applied. Without persistence, their access could be lost the moment a user logs out or a device is restarted.
The MITRE ATT&CK framework lists Persistence (Tactic TA0003) as one of the core tactics attackers use. This tactic involves a wide set of methods that adversaries use to maintain their presence in your environment.
In this article, we’ll explore each Persistence techniques, and sub-techniques mentioned in the MITRE ATT&CK framework. We’ll break down how attackers use these methods in real-world situations, the system components they take advantage of, and how we can mitigate some of these threats effectively using F5 solutions.
Techniques and Sub-Techniques in Persistence:
T1098 - Account Manipulation:
Attackers may manipulate existing user accounts or create new ones to ensure persistent access. This includes changing passwords, assigning new roles, adding SSH keys, or associating API tokens with cloud users. By using valid credentials, attackers can bypass detection mechanisms and maintain access using legitimate pathways.
-
T1098.001 – Additional Cloud Credentials:
Attackers who gain access to a cloud account often create new API keys, access tokens, or secrets to maintain long-term, programmatic access. These credentials allow them to interact with cloud resources without triggering normal user activity alerts, and they often go unnoticed unless cloud security logging is properly configured. -
T1098.002 – Additional Email Delegate Permissions:
On email platforms like Microsoft Exchange or Google Workspace, attackers may assign themselves delegated permissions on compromised accounts. This enables them to read, send, or delete emails for a user, all without directly logging into the account, making their activity harder to detect. -
T1098.003 – Additional Cloud Roles:
Adversaries may assign new roles or modify existing permissions in a cloud environment to ensure continued access. These roles often grant wide privileges across cloud resources, making it difficult to evict the attacker without reviewing and cleaning up identity and access configurations. -
T1098.004 – SSH Authorized Keys:
On Linux and Unix systems, attackers can add their own public keys to the authorized keys file of a user account. This gives them persistent, password less SSH access, and the change can easily be overlooked without regular integrity monitoring of SSH configurations. -
T1098.005 – Device Registration:
In environments using device trust (like Azure AD or MDMs), attackers may register their own devices. Once enrolled, these devices are treated as trusted, potentially bypassing MFA or conditional access policies and giving attackers stealthy, persistent access. -
T1098.006 – Additional Container Cluster Roles:
In Kubernetes and similar platforms, attackers may assign new RBAC roles or bind existing roles to their accounts or service accounts. This allows them to maintain access and interact with workloads, secrets, and configurations across the container environment. -
T1098.007 – Additional Local or Domain Groups:
Attackers can add accounts to privileged groups like “Administrators” or “Domain Admins” on local machines or within Active Directory. This ensures elevated access persists even if detection or cleanup efforts miss group membership changes.
T1197 - BITS Jobs:
Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files in the background, often used by Windows Update or other legitimate services. Attackers can abuse BITS to schedule the download and execution of malicious payloads. Since BITS jobs are designed to persist across reboots and operate in the background, they are an effective and stealthy method of achieving persistence. These jobs can be configured to run with system privileges, making them particularly dangerous if left undetected.
T1547 – Boot or Logon Autostart Execution:
This technique involves configuring malware to automatically execute when a system starts up or a user logs in. These methods are commonly used because they blend in with normal system behavior, making detection more difficult. Since many programs use autostart functionality for legitimate purposes, attackers can often abuse it without raising immediate suspicion. Regular auditing of autostart locations and system configurations is essential to detect this form of persistence.
-
T1547.001 – Registry Run Keys / Startup Folder:
Attackers add entries to Windows registry Run keys or place files in the user’s Startup folder. These entries trigger the execution of malicious programs every time a user logs in. Because many legitimate apps use these locations, attackers can often hide in plain sight. -
T1547.002 – Authentication Package:
Malicious DLLs are added as custom authentication packages in Windows. These are loaded into the LSASS process during a login, allowing attackers to intercept credentials or execute code with system-level privileges. -
T1547.003 – Time Providers:
Windows Time Service allows DLLs to be registered for time synchronization. Adversaries can abuse this by registering a malicious time provider, which gets executed automatically by the system with high privileges.
-
T1547.004 – Winlogon Helper DLL:
The Winlogon process can be configured to load helper DLLs during user logon. Attackers abuse this by inserting their own DLLs, which run in the context of the logon session with elevated privileges. -
T1547.005 – Security Support Provider (SSP):
SSP DLLs are loaded into LSASS and are used during authentication. A malicious SSP allows attackers to persistently capture credentials or inject code into security-critical processes. -
T1547.006 – Kernel Modules and Extensions:
On Linux or macOS, attackers can install kernel modules or kexts (kernel extensions) to run code at the system level. These modules are deeply embedded and can survive reboots while remaining stealthy. -
T1547.007 – Re-opened Applications:
On macOS, apps that were open before a shutdown can be reopened automatically after a reboot. Attackers exploit this feature by placing malware in apps that macOS is set to relaunch on startup.
-
T1547.008 – LSASS Driver:
Malicious drivers are loaded by or injected into the LSASS process. These drivers can intercept credentials or ensure persistent execution at a very low level in the system. -
T1547.009 – Shortcut Modification:
Attackers modify .lnk (shortcut) files so that when users launch a program, malware executes first or alongside it. This method is simple but effective, especially when shortcuts are used frequently. -
T1547.010 – Port Monitors:
Windows print subsystem uses port monitors to manage printing. Adversaries can register their own malicious port monitor DLLs, which the spooler loads automatically, running under SYSTEM privileges. -
T1547.012 – Print Processors:
Print processors are DLLs used during print jobs. By registering a custom malicious print processor, attackers can ensure their code runs whenever a document is printed, often with high privileges. -
T1547.013 – XDG Autostart Entries:
On Linux systems with desktop environments, attackers can create .desktop files in the user’s ~/.config/autostart directory. These files define programs to run on login, making this a common persistence vector. -
T1547.014 – Active Setup:
Active Setup is a Windows feature used to set up a user’s environment. Malware can abuse it to run scripts or executables the next time a user logs in, especially useful in multi-user environments. -
T1547.015 – Login Items:
On macOS, login items are applications or scripts configured to run automatically when a user logs in. Attackers can register malicious items to gain persistence in user sessions.
T1037 – Boot or Logon Initialization Scripts:
This technique involves modifying or injecting commands into scripts that run during system boot or user logon. Since these scripts are run automatically by the operating system, they are a safe way for attackers to stay active without needing user interaction.
-
T1037.001 – Logon Script (Windows):
Attackers can modify or assign logon scripts through Group Policy or local user settings in Windows. These scripts run automatically when a user logs in. They can be used to start malicious programs, connect to the internet, or change system settings without the user knowing. -
T1037.002 – Login Hook:
On macOS, a login hook is a command that runs automatically at the end of the user’s login process. Though deprecated in modern macOS versions, attackers can still use this to execute malicious payloads whenever a user logs in. -
T1037.003 – Network Logon Script:
In domain environments, network-based logon scripts are often stored centrally and executed during user login. Adversaries can modify these scripts to deploy malware across multiple systems, ensuring wide and persistent access within an organization. -
T1037.004 – RC Scripts:
Unix-like systems use RC (Run Commands) scripts during startup to initialize system services. If attackers can modify these files (like /etc/rc.local or init scripts), they can ensure their payload runs every time the system boots. -
T1037.005 – Startup Items:
On macOS, older systems use “Startup Items” to load applications or scripts during boot. Although largely replaced by LaunchDaemons and LaunchAgents, this method can still be abused on legacy systems to gain persistent code execution.
T1671 – Cloud Application Integration:
Attackers can abuse legitimate cloud application integrations such as OAuth apps, third-party APIs, or SaaS connectors to maintain access to cloud services even after account credentials are changed. Once an integration is approved and authorized by a user or admin, it can often operate independently using tokens or service permissions. These integrations may allow access to emails, files, calendars, or cloud storage without needing interactive logins. Because they blend in with normal enterprise workflows, malicious integrations can be difficult to detect without thorough cloud audit logging and periodic reviews of connected applications.
T1554 – Compromise Host Software Binary:
In this technique, attackers modify legitimate software binaries already installed on a system to include malicious code. These compromised binaries appear normal to the user and the system, but execute additional unauthorized actions for the attacker. Since users and security tools often trust software from known vendors, this method allows malware to blend in easily. The changed binaries can be part of common apps like VPN clients, backup tools, or monitoring agents. This makes it hard to find them unless file integrity monitoring or behavior analysis is in place.
T1136 – Create Account:
Attackers may create new user accounts within an environment to maintain persistence or establish backdoor access. These accounts can be added locally, at the domain level, or on cloud platforms. Because they often appear as legitimate users, these accounts may go unnoticed unless proper account auditing is enforced.
-
T1136.001 – Local Account:
On standalone systems or workstations, attackers can create local user accounts and assign them administrative privileges. These accounts persist across reboots and don’t rely on existing credentials, making them a reliable fallback method for maintaining access. -
T1136.002 – Domain Account:
In Active Directory environments, adversaries with sufficient privileges may create domain accounts. These accounts can be used across multiple systems on the network, and may be added to privileged groups to blend in with legitimate admin accounts. -
T1136.003 – Cloud Account:
Within cloud platforms like AWS, Azure, or Google Cloud, attackers may create new user or service accounts. These accounts can be granted roles or permissions to access cloud resources, giving adversaries long-term access that can persist even if initial access is revoked.
T1543 – Create or Modify System Process:
Attackers often create or alter system-level processes to achieve persistence. These processes typically run automatically at startup or as services. This allows malicious code to execute with elevated privileges and without user interaction. Because they rely on native system mechanisms, these methods can be difficult to detect without behavioral monitoring or integrity checks.
-
T1543.001 – Launch Agent:
On macOS, Launch Agents are used to start programs when a user logs in. Adversaries can create or modify .plist files in user-specific directories to load their malicious processes automatically each time the user’s session starts. -
T1543.002 – Systemd Service:
On Linux systems using systemd, attackers can create or modify service unit files to execute malicious code at boot or on specific triggers. These services run with system-level privileges and can easily blend in with legitimate processes. -
T1543.003 – Windows Service:
In Windows, adversaries may install or modify services to run malicious executables with elevated permissions. Once registered, these services can be set to start automatically with the system ensuring persistent access with SYSTEM-level rights. -
T1543.004 – Launch Daemon:
Launch Daemons on macOS function like Launch Agents but operate at the system level rather than user level. Attackers can use these to execute code at system startup with root privileges, offering more powerful persistence. -
T1543.005 – Container Service:
In containerized environments, adversaries may create or manipulate service definitions (e.g., in Kubernetes or Docker) to ensure that a malicious container or process is launched persistently, even after restarts or redeployments.
T1546 – Event Triggered Execution:
Attackers use this technique to execute malicious code automatically in response to specific system or user events. By tying malware execution to system behavior like logging in, opening files, or system errors, they can achieve stealthy persistence with a minimal footprint.
-
T1546.001 – Change Default File Association:
Adversaries change file type associations (e.g., .txt, .docx) so that opening a file type launches a malicious program instead of the intended one. This hijacks user actions to trigger malware execution. -
T1546.002 – Screensaver:
On Windows, screensavers are executable files. Attackers can replace a screensaver with a malicious binary, which is triggered when the system becomes idle. -
T1546.003 – WMI Event Subscription:
Using Windows Management Instrumentation (WMI), attackers create event subscriptions that trigger scripts or executables when certain conditions are met, like user logon or system startup, providing stealthy persistence. -
T1546.004 – Unix Shell Configuration Modification:
Linux shell profiles (like .bashrc, .bash_profile) run automatically during user login. Attackers add malicious commands to these files so their payload runs every time the user opens a terminal. -
T1546.005 – Trap:
In Unix-like systems, the trap command can intercept signals and run commands when certain events occur (e.g., when a script exits). Attackers use traps to trigger payloads during script execution or logout. -
T1546.006 – LC_LOAD_DYLIB Addition:
On macOS, attackers can use LC_LOAD_DYLIB headers in executables to make the application load malicious dynamic libraries (dylibs) when it runs. This can allow code to be injected or kept running. -
T1546.007 – Netsh Helper DLL:
In Windows, attackers can register a malicious DLL as a helper in the netsh networking utility. Once registered, the DLL loads when netsh is executed, allowing stealthy code execution. -
T1546.008 – Accessibility Features:
Adversaries replace accessibility binaries like Sticky Keys with malware. Since these features run on the login screen, they can be exploited to launch programs with high privileges without logging in. -
T1546.009 – AppCert DLLs:
Windows can be configured to load specific DLLs into processes via the AppCertDLL registry key. Attackers add malicious DLLs here to intercept or alter process execution for persistence. -
T1546.010 – AppInit DLLs:
AppInit_DLLs is a legacy Windows mechanism to load DLLs into every process that loads user32.dll. Attackers abuse this to inject code into multiple processes on system start. -
T1546.011 – Application Shimming:
Using Microsoft's Application Compatibility Toolkit, attackers create “shims” that intercept and redirect application behavior. These shims can include malicious payloads that run when trusted apps are launched. -
T1546.012 – Image File Execution Options Injection:
By modifying IFEO registry keys, attackers can configure Windows to launch a different (malicious) executable when a target application is run, often used for hijacking antivirus tools or system processes. -
T1546.013 – PowerShell Profile:
Attackers modify PowerShell profile scripts that run every time a user opens PowerShell. This ensures automatic execution of malicious commands or scripts during interactive sessions. -
T1546.014 – Emond:
On macOS, Emond is a legacy event monitoring daemon. Attackers can write custom Emond rules that execute commands when specific system events occur. Though deprecated, it may still be present on older systems. -
T1546.015 – Component Object Model (COM) Hijacking:
COM objects are used by Windows applications to interact with shared code. Attackers can hijack COM object references in the registry, redirecting them to malicious code that gets loaded by legitimate apps. -
T1546.016 – Installer Packages:
Malicious installer packages (like .msi or .pkg files) can be created to execute payloads during installation. Adversaries abuse this method to install backdoors while appearing to install legitimate software. -
T1546.017 – Udev Rules:
On Linux systems, udev manages device events. Attackers create custom udev rules that trigger the execution of malicious scripts when new devices are added (e.g., USB), offering physical-trigger-based persistence.
T1668 – Exclusive Control:
Attackers may gain persistence by taking exclusive control of a resource, such as a physical device, virtual machine, or network connection. By locking access or modifying configurations, they can prevent legitimate users or administrators from regaining control. For example, on cloud or virtualization platforms, an adversary might assume ownership of a VM or management console. They restrict access through permission changes or continuous restarts. This approach not only enables long-term access but can also disrupt defensive actions by making remediation more difficult without direct intervention or infrastructure resets.
T1133 – External Remote Services:
Adversaries may use legitimate remote services such as VPNs, SSH, or Remote Desktop Protocol (RDP) to maintain persistent access to a compromised environment. By obtaining valid credentials and connecting through sanctioned external access points, attackers can blend in with normal user activity. This method is especially effective because it doesn’t require malware to stay on the victim’s system; access is maintained remotely using existing infrastructure. Detection often requires strong identity monitoring, MFA enforcement, and detailed logging of remote session behavior.
T1574 – Hijack Execution Flow:
This technique involves manipulating the way a system executes legitimate code so that attacker-controlled code is executed instead. By hijacking the normal execution flow, often through trusted binaries or system mechanisms, adversaries can establish persistence with a low-detection footprint.
-
T1574.001 – DLL Search Order Hijacking:
Attackers place malicious DLLs in directories where an application will load them instead of the intended DLL. This takes advantage of how Windows searches for DLLs and allows code execution under the context of trusted apps. -
T1574.004 – Dylib Hijacking:
Similar to DLL hijacking, but on macOS, this technique involves placing a malicious dynamic library (dylib) where an app expects a legitimate one. When the app launches, the attacker’s dylib is loaded and executed. -
T1574.005 – Executable Installer File Permissions Weakness:
Some installers or update packages have weak file or folder permissions, allowing attackers to replace them with malicious versions. When the installer runs, it executes attacker-controlled code. -
T1574.006 – Dynamic Linker Hijacking:
On Unix-like systems, attackers can alter environment variables like LD_PRELOAD or LD_LIBRARY_PATH to load malicious shared objects instead of legitimate ones during application launch.
-
T1574.007 – PATH Environment Variable Hijacking:
By modifying the PATH variable, adversaries can ensure their malicious executable is run when a command is called, instead of the legitimate one, especially when placed earlier in the search order.
-
T1574.008 – Search Order Hijacking:
This technique abuses the way Windows searches for files (like EXEs or DLLs) by placing malicious files in paths where the OS will find them first. This causes unintended programs to load attacker code.
-
T1574.009 – Unquoted Path Hijacking:
Windows services with unquoted file paths and spaces (e.g., C:\Program Files\App Service.exe) can be exploited if an attacker places an executable like C:\Program.exe, which will be executed first by the system. -
T1574.010 – Services File Permissions Weakness:
If service binaries have weak permissions, adversaries can replace them with malicious executables. When the service is started, their payload runs with the service’s privileges. -
T1574.011 – Services Registry Permissions Weakness:
When registry keys controlling Windows services are misconfigured, attackers can modify them to change the service’s binary path or behavior. This allows malicious code to be run under legitimate service names. -
T1574.012 – COR_PROFILER:
COR_PROFILER is a .NET environment variable used to inject profiling DLLs into managed applications. Attackers can set this to load their own DLL into every .NET process, gaining code execution persistently. -
T1574.013 – KernelCallbackTable:
This Windows structure is used to call user-mode functions from kernel mode. Attackers with sufficient privileges can modify it to point to their own code, gaining stealthy and powerful persistence. -
T1574.014 – AppDomainManager:
.NET applications can be influenced by an AppDomainManager that controls how code executes. Attackers abuse this by setting registry keys to load malicious AppDomainManager assemblies into targeted .NET apps.
T1525 – Implant Internal Image:
In this technique, attackers implant malicious code or backdoors directly into golden images, base virtual machines, or container templates used by organizations to deploy systems. These pre-configured images are often trusted and reused across environments. This means the malware will be automatically included on every new system provisioned from them. By compromising these internal images, adversaries ensure long-term persistence while remaining stealthy. Their code becomes part of the organization’s standard deployment process. Detection typically requires rigorous image integrity validation, and periodic re-verification of base images.
T1556 – Modify Authentication Process:
Attackers may target authentication mechanisms directly to maintain persistence, intercept credentials, or bypass normal login processes. By modifying components responsible for validating users, adversaries can stealthily gain or retain access to systems and services without raising alarms.
-
T1556.001 – Domain Controller Authentication:
Adversaries with privileged access to a Domain Controller can manipulate authentication protocols (e.g., Kerberos) to issue forged credentials like Golden Tickets. This allows long-term, stealthy access to Active Directory environments. -
T1556.002 – Password Filter DLL:
In Windows, password filters validate new or changed passwords. Attackers can install a malicious password filter DLL to intercept passwords in plaintext whenever users update their credentials, enabling credential harvesting and persistent access. -
T1556.003 – Pluggable Authentication Modules (PAM):
On Unix-like systems, attackers may backdoor PAM modules to intercept login attempts or allow unauthorized logins. Since PAM governs all authentication actions (like SSH, sudo, etc.), compromising it gives wide-reaching access. -
T1556.004 – Network Device Authentication:
Attackers can change the authentication settings on routers, switches, or firewalls to make security weaker. They can do this by turning off 2FA, changing how people log in, or creating hidden backdoor accounts that let people still access the network. -
T1556.005 – Reversible Encryption:
By configuring systems to store passwords using reversible encryption (rather than hashing), adversaries can extract stored credentials in plaintext. This weakens security and allows easy recovery of user passwords after gaining initial access. -
T1556.006 – Multi-Factor Authentication Interception:
Attackers may try to get around or intercept MFA by using tricks like taking over a session, phishing with reverse proxies, or using trusted device registrations. This can let them stay even in environments with strong authentication policies. -
T1556.007 – Hybrid Identity:
In hybrid environments using cloud-based identity providers (like Azure AD synced with on-prem AD), adversaries may manipulate synchronization or federation configurations to maintain access across both environments. -
T1556.008 – Network Provider DLL:
Attackers can install or modify network provider DLLs in Windows to intercept authentication requests. These DLLs load during the logon process and can be abused to capture user credentials or execute malicious payloads. -
T1556.009 – Conditional Access Policies:
Adversaries with administrative privileges in cloud environments can tamper with conditional access policies to weaken security. They can do this by disabling location restrictions or MFA requirements, making it easier to persist undetected.
T1112 – Modify Registry:
The Windows Registry is a central database that stores configuration settings for the operating system and installed applications. Attackers often modify registry keys to achieve persistence, evade detection, or manipulate system behavior. For example, they may add entries under autorun keys (like Run or RunOnce) to execute malware automatically at startup. They can also alter security settings, disable antivirus components, or hide their activity. Because the Registry is so integral to Windows functionality, malicious changes can be hard to spot without proper monitoring or auditing tools.
T1137 – Office Application Startup:
Adversaries may abuse Microsoft Office features that run automatically during application startup to achieve persistence. Since Office tools like Word and Outlook are widely used and trusted, modifying their startup behavior is an effective way to execute malicious code with minimal user suspicion.
-
T1137.001 – Office Template Macros:
Attackers may embed malicious macros in global Office templates like Normal.dotm for Word or Excel.xltm for Excel. When Office applications launch, they load the template and execute the macro automatically, ensuring persistent execution every time the user opens the application. -
T1137.002 – Office Test:
The Office Test feature is a legacy tool for developers, but attackers can misuse it to execute arbitrary scripts or code. If enabled via the Registry, it can be used to launch payloads persistently alongside Office apps. -
T1137.003 – Outlook Forms:
Custom Outlook forms can include embedded scripts. An attacker can create or modify these forms so that malicious scripts are triggered when the user interacts with emails, tasks, or calendar events offering persistent, application-level access. -
T1137.004 – Outlook Home Page:
Older versions of Outlook support a custom "home page" for folders, which can load web content. Attackers can point this page to a malicious local HTML file or remote resource that executes code when the folder is opened, offering stealthy persistence. -
T1137.005 – Outlook Rules:
Outlook rules can automate actions like forwarding or deleting emails. Attackers with access can create rules that auto-execute malicious scripts or redirect sensitive emails to an external address. This helps maintain access or data exfiltration over time. -
T1137.006 – Add-ins:
Office supports add-ins (e.g., .dll files or COM objects) that load automatically with the application. Adversaries may install malicious add-ins to run code persistently whenever a targeted Office program is launched.
T1653 – Power Settings:
Adversaries may alter a system’s power settings to ensure their malicious processes remain active and uninterrupted. By disabling sleep, hibernation, or display timeout settings, attackers can prevent a device from going into a low-power state that might disrupt malware execution or remote access sessions. This technique is particularly useful in maintaining long-term access to laptops or workstations that would otherwise suspend operations due to inactivity. Modifying power settings can also help avoid detection, as scheduled scans or automated defenses might only run during certain system states.
T1542 – Pre-OS Boot:
This technique involves modifying components that load before the operating system, such as firmware or bootloaders to maintain stealthy and long-term persistence. Because these layers operate below the OS, they’re often outside the visibility of traditional security tools. This makes detection and removal extremely difficult.
-
T1542.001 – System Firmware:
Attackers can modify the BIOS or UEFI firmware to embed malicious code that executes before the operating system loads. This ensures deep persistence and can survive OS reinstalls or hard drive replacements. Detection usually requires firmware integrity validation or chip-level forensics. -
T1542.002 – Component Firmware:
Instead of targeting the system’s main firmware, adversaries may compromise firmware in hardware components such as hard drives, network cards, or GPUs. Malware placed here can execute during early boot phases or be triggered later during normal use. -
T1542.003 – Bootkit:
Bootkits are malicious programs that target the boot process by replacing or modifying bootloaders. They run before the OS kernel and can intercept system startup to load malware stealthily, often with elevated privileges. -
T1542.004 – ROMMONkit:
A ROMMONkit targets Cisco devices by modifying the ROM Monitor (ROMMON), which is the bootstrap firmware for Cisco routers and switches. Compromising this level gives adversaries full control before the device loads its OS or configuration. -
T1542.005 – TFTP Boot:
Some network devices or virtual environments use TFTP (Trivial File Transfer Protocol) to boot from a network image. If attackers can replace or redirect the boot image, they can execute malicious code during system boot, potentially across multiple devices on the network.
T1053 – Scheduled Task/Job:
Attackers use task scheduling utilities across different platforms to execute malicious code automatically at specific times or system events (like startup or logon). These scheduled jobs are a reliable way to maintain persistence without requiring constant interaction from the attacker.
-
T1053.002 – At:
The at command is used in both Windows and Unix-like systems to schedule tasks at a specific time. Adversaries may create malicious jobs using at to ensure their code runs at a later time, especially after a reboot or user login. -
T1053.003 – Cron:
On Unix and Linux systems, attackers often abuse cron, a time-based job scheduler to run their malware or scripts on a recurring schedule (e.g., every minute, daily). Cron jobs run in the background and are easy to overlook, making them ideal for stealthy persistence. -
T1053.005 – Scheduled Task (Windows):
Windows Task Scheduler allows tasks to be triggered based on time or system events. Attackers may create or hijack scheduled tasks to run malware at logon, system boot, or other intervals. These tasks often run with elevated privileges and blend in with legitimate admin activity. -
T1053.006 – Systemd Timers:
In modern Linux systems using systemd, attackers may use systemd timers as a stealthier alternative to cron. These timers can trigger malicious services or scripts at specific intervals, offering reliable persistence while avoiding legacy logging tools that monitor cron.
-
T1053.007 – Container Orchestration Job:
In containerized environments (e.g., Kubernetes), adversaries can create jobs or schedule tasks within the orchestration system to run their malicious containers periodically. These jobs may allow continued access or command execution across container restarts or system reboots.
T1505 – Server Software Component:
This technique involves exploiting extensible features or plugin mechanisms in server software to execute malicious code. Since these components are often trusted and run with elevated privileges, they provide adversaries with powerful, stealthy persistence once compromised.
-
T1505.001 – SQL Stored Procedures:
Attackers may create or alter SQL stored procedures predefined code stored in a database to execute malicious commands when the procedure is triggered. If the database server runs with high privileges, this can offer ongoing access or data manipulation capabilities. -
T1505.002 – Transport Agent:
In Microsoft Exchange, transport agents process email as it flows through the system. Adversaries can install a malicious transport agent to intercept, modify, or redirect email traffic, allowing data exfiltration or command execution each time mail is processed. -
T1505.003 – Web Shell:
A web shell is a script (PHP, ASPX, JSP, etc.) uploaded to a web server that allows attackers to execute commands through a browser interface. Once installed, it gives remote control over the server and can survive across reboots and updates if not detected. -
T1505.004 – IIS Components:
IIS (Internet Information Services) supports custom modules and extensions. Attackers may install malicious IIS modules (e.g., native DLLs or managed code) that integrate into the request pipeline, executing code automatically whenever the web server handles traffic. -
T1505.005 – Terminal Services DLL:
Attackers can replace or add malicious DLLs in the Terminal Services (Remote Desktop Services) subsystem on Windows. These DLLs may load automatically when the service starts, enabling persistent and stealthy execution with system-level access. -
T1505.006 – vSphere Installation Bundles (VIBs):
In VMware environments, adversaries can create or modify VIBs to implant malicious components into ESXi hosts. Since VIBs run at the hypervisor level, this provides extremely deep persistence that’s hard to detect without specialized forensic tools.
T1176 – Software Extensions:
Adversaries may abuse extensibility features in software applications like browsers or development tools to maintain persistent access or execute malicious code. Since extensions are often trusted and run with the same privileges as the host application, they offer a stealthy and effective method for persistence.
-
T1176.001 – Browser Extensions:
Attackers can develop or modify browser extensions (e.g., for Chrome or Firefox) to execute malicious scripts, steal credentials, track user activity, or redirect traffic. Once installed, these extensions typically run every time the browser starts, giving long-term access to user sessions and sensitive data. -
T1176.002 – IDE Extensions:
Integrated Development Environments (IDEs) like Visual Studio Code or JetBrains support third-party extensions to enhance development workflows. Adversaries can abuse this by installing malicious IDE plugins that execute when developers launch the IDE. This enables code execution or credential theft in sensitive dev environments.
T1205 – Traffic Signaling:
Traffic signaling involves using subtle or hidden communication patterns to trigger malicious behavior or maintain access. Instead of continuously calling home, the malware "listens" for a specific pattern in network traffic to wake up, execute code, or open a command-and-control channel, allowing stealthy persistence without active beacons.
-
T1205.001 – Port Knocking:
Port knocking is a stealthy technique where a system listens for a specific sequence of connection attempts to closed ports. When the correct pattern is received, it triggers a hidden service (like SSH or a backdoor) to open, allowing an attacker access. Since no services appear to be running, it evades basic network scans.
-
T1205.002 – Socket Filters:
Attackers can install custom socket filters, especially in Unix/Linux systems to monitor low-level packet data and act only when certain traffic patterns or contents are seen. This can be used to silently activate malware or establish a covert channel, with little footprint on the host.
T1078 – Valid Accounts:
Adversaries may use legitimate usernames and passwords to gain and maintain access to systems. Unlike malware-based persistence, this method involves no exploits just abusing the trust and permissions of valid credentials, making detection much harder. These credentials may be stolen, guessed, or obtained through social engineering.
-
T1078.001 – Default Accounts:
Some systems and applications come with pre-configured accounts (like admin, root, or guest) that are often enabled by default. Attackers may target these if they are left unchanged or have weak/default passwords. Once compromised, these accounts provide immediate access, often with elevated privileges. -
T1078.002 – Domain Accounts:
In Active Directory environments, domain accounts can be used to access multiple systems across the network. Adversaries who compromise domain credentials can move laterally, access shared resources, and maintain persistence even if one endpoint is cleaned. -
T1078.003 – Local Accounts:
Attackers may use valid local accounts on individual machines to persist between reboots. These accounts, if privileged, can be used to re-establish access even if network-based defenses (like domain credentials or VPN access) are revoked. -
T1078.004 – Cloud Accounts:
Adversaries can target cloud identities (e.g., AWS IAM users, Azure AD users) to access cloud infrastructure. Once logged in with valid credentials, they can create or modify resources, exfiltrate data, or establish persistence using cloud-native features under the guise of a legitimate user.
How F5 can help?
F5 provides intelligent and adaptable security solutions through platforms like F5 Distributed Cloud, BIG-IP, and NGINX App Protect. These platforms help organizations build a resilient and secure digital infrastructure.
These technologies offer robust capabilities such as traffic inspection, access control, threat detection, and policy enforcement. These capabilities enable businesses to protect critical services across on-premises, cloud, and hybrid environments.
Designed for high-performance and scalability, F5 solutions integrate seamlessly into existing ecosystems, supporting both operational efficiency and proactive security. As part of a well-rounded security strategy, F5 empowers organizations to manage risk confidently, maintain availability, and stay ahead of evolving cyber threats. For further information, refer to
- Mitigating Software and Data Integration Failures using F5 BIG-IP
- Mitigating Identification and Authentication Failures using F5 BIG-IP
Please reach out to your local F5 team for more details on other mitigation methods for MITRE Tactic 03 persistence
Conclusion
Persistence is a crucial goal for attackers after gaining initial access, allowing them to maintain control over systems even after reboots, credential changes, or security updates. As we've seen, the MITRE ATT&CK framework outlines a wide range of techniques spanning from malicious startup scripts and scheduled tasks to firmware implants and the misuse of valid accounts that adversaries can leverage silently to embed themselves into an environment. Understanding these methods helps defenders recognize abnormal behaviors, strengthen system hardening, and build proactive detection and response strategies to disrupt long-term threats before they cause lasting damage.