Persistence
What is Persistence?
Persistence: The MITRE ATT&CK tactic (TA0003) covering techniques that let an attacker maintain access to a system across reboots, credential changes, and incident response.
Persistence (MITRE ATT&CK tactic TA0003) groups techniques that allow adversaries to keep their foothold even when systems are rebooted, passwords are reset, or operators try to clean up. Common implementations include autostart registry keys, scheduled tasks, Windows services, WMI event subscriptions, BITS jobs, login items on macOS, cron jobs on Linux, malicious browser extensions, OAuth tokens, and backdoored Active Directory accounts. Adversaries often layer multiple persistence mechanisms in case one is removed. Defenders detect persistence via process-creation logs, autoruns inventories (Sysinternals Autoruns, EDR), Sigma rules, and by hunting for anomalous scheduled tasks, services, or LSA providers, and they neutralise it by completely re-imaging compromised hosts.
● Examples
- 01: A backdoor installed as a Windows service with a random GUID name.
- 02: A malicious OAuth app granted persistent access to a Microsoft 365 mailbox.
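The definition above says defenders hunt for anomalous services in process-creation and service-install logs, and Example 01 names the classic tell: a service with a random GUID name. The following is an added example, not code from the page or from MITRE, showing what that hunt looks like over constructed Windows System log Event ID 7045 ("A service was installed in the system") records; the dictionary field names and the sample events are assumptions made for the example.

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045.
# Field names are an assumption for this example, not a real event export.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Windows Update Medic Service",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k WaaSMedicSvc"},
    {"EventID": 7045, "ServiceName": "{a3f1c9e2-7b4d-4e11-9c2a-5f6e8d7b1c0a}",
     "ImagePath": r"C:\Users\Public\svc.exe"},
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"EventID": 7045, "ServiceName": "upd8r3x9q2",
     "ImagePath": r"C:\ProgramData\upd\upd.exe"},
]

# {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, braces optional, case-insensitive.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I)
# Path fragments where a legitimately installed service binary rarely lives.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names: no spaces, and digits make up
    at least 30% of the characters (real service names rarely do)."""
    if " " in name or not name:
        return False
    digits = sum(ch.isdigit() for ch in name)
    return digits / len(name) >= 0.3


def triage_service_install(event: dict) -> list[str]:
    """Return the reasons a 7045 event deserves analyst attention ([] if none)."""
    reasons = []
    if event.get("EventID") != 7045:
        return reasons
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "").lower()
    if GUID_RE.match(name):
        reasons.append("guid-like service name")
    elif looks_random(name):
        reasons.append("random-looking service name")
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("binary in user-writable path")
    return reasons


def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged service name to its reasons; clean services are omitted."""
    return {e["ServiceName"]: r for e in events if (r := triage_service_install(e))}
```

Running `hunt(SAMPLE_EVENTS)` flags only the GUID-named and random-named services; the same two-signal approach (odd name plus binary outside protected directories) transfers to scheduled-task creation events, which the page also lists as a hunting target.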
● Frequently asked questions
What is Persistence?
The MITRE ATT&CK tactic (TA0003) covering techniques that let an attacker maintain access to a system across reboots, credential changes, and incident response. It belongs to the Defense & Operations category of cybersecurity.
What does Persistence mean?
The MITRE ATT&CK tactic (TA0003) covering techniques that let an attacker maintain access to a system across reboots, credential changes, and incident response.
How does Persistence work?
Persistence (MITRE ATT&CK tactic TA0003) groups techniques that allow adversaries to keep their foothold even when systems are rebooted, passwords are reset, or operators try to clean up. Common implementations include autostart registry keys, scheduled tasks, Windows services, WMI event subscriptions, BITS jobs, login items on macOS, cron jobs on Linux, malicious browser extensions, OAuth tokens, and backdoored Active Directory accounts. Adversaries often layer multiple persistence mechanisms in case one is removed. Defenders detect persistence via process-creation logs, autoruns inventories (Sysinternals Autoruns, EDR), Sigma rules, and by hunting for anomalous scheduled tasks, services, or LSA providers, and they neutralise it by completely re-imaging compromised hosts.
How do you defend against Persistence?
Defences for Persistence typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Persistence?
Common alternative names include: Foothold persistence, TA0003.
● Related terms
- MITRE ATT&CK (compliance, № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Backdoor (malware, № 080): A covert mechanism that bypasses normal authentication or access controls to give an attacker future entry to a system.
- Execution (MITRE Tactic) (defense-ops, № 397): The MITRE ATT&CK tactic (TA0002) covering techniques that run adversary-controlled code on a local or remote system.
- Defense Evasion (defense-ops, № 298): The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
- Cyber Kill Chain (defense-ops, № 265): Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
- Incident Response (forensics-ir, № 524): The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
● See also
- Initial Access (№ 535)
- Golden Ticket (№ 447)