Persistence (TA0003)

The Attacker's Critical Anchor & How to Stop It

1. Introduction: The "So What?" Hook

Persistence is the set of techniques attackers use to maintain their foothold on a compromised system, even after a reboot, logoff, or attempted cleanup. Think of it as the attacker's insurance policy against being evicted.

Why it matters: If Initial Access is breaking through the front door, Persistence is installing a hidden back door and planting a spare key under the mat. Without it, a simple system restart could wipe out an attacker's entire campaign. With it, they can survive disruptions, maintain access for months or years, and execute their final objectives data theft, ransomware deployment, or espionage on their own timetable. For defenders, failing to identify and remove persistence mechanisms means the breach is never truly over.

2. The Core Analogy: The Digital Undertow

3. Vocabulary Decoder Ring

• Persistence Mechanism: The specific method or location an attacker uses to automatically re-establish access.
  Why it matters here: This is the concrete "how"
  the bunker, the bribe, the forged document in our analogy.
• Registry Run Key / Startup Folder: Locations in Windows that automatically execute programs at user logon or system startup.
  Why it matters here: Classic, simple persistence. Like leaving your smuggling gear in the island's official supply shed.
• Scheduled Task / Cron Job: A system utility to run scripts or programs at specified times or intervals.
  Why it matters here: Provides time-based or recurring execution, allowing the attacker to "call home" regularly or re-trigger their malware.
• Service (Windows) / Daemon (Linux): A long-running background process that can be configured to start automatically with the OS.
  Why it matters here: High-privilege, robust persistence that often survives user sessions and appears legitimate in process lists.
• Implant / Backdoor: The malicious tool or payload that the persistence mechanism is designed to re-execute.
  Why it matters here: Persistence is worthless without something persistent to run. This is the smuggler in the bunker.

4. The Attacker's Playbook (Red Team View)

Common Persistence Techniques

• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: The "classic" – placing an entry to run malware automatically at boot or logon.
• T1053.005 - Scheduled Task/Job: Scheduled Task: Creating a task that runs malicious code at specific times or on recurrence (e.g., every 5 minutes).
• T1543.003 - Create or Modify System Process: Windows Service: Installing or hijacking a legitimate-looking Windows Service to run with high privileges.
• T1136.001 - Create Account: Local Account: Creating a new, hidden user account for future access, often with administrative rights.
• T1505.003 - Server Software Component: Web Shell: Uploading a malicious script to a web server, providing persistent access via HTTP/HTTPS.

Toolbox

Attackers use a mix of built-in system tools and frameworks:

• Metasploit (Persistence Modules): Automates the creation of various persistence methods (Metsvc, registry, scheduled tasks).
• Cobalt Strike (Beacon Persistence): Its "beacon" payload has numerous built-in persistence options (e.g., via service, run key, WMI).
• Living-off-the-Land Binaries (LOLBAS): Using native tools like schtasks.exe, sc.exe, reg.exe to avoid deploying malware.

Command-Line Glimpse: Planting the Seed

5. The Defender's Handbook (Blue Team View)

SOC Reality Check: What Does Persistence Look Like in Logs?

• Windows Event ID 4697 (Scheduled Task Created): A task created by a user/service not associated with IT administration, especially with a suspicious command line pointing to a temp or user writable location.
• Windows Event ID 7045 (Service Installed): A new service installed with a peculiar name, display name mismatch, or a binary path in an unusual location (e.g., C:\Users\Public\svchost.exe).
• Sysmon Event ID 12/13 (Registry Value Set): A modification to a known autostart Registry key (e.g., Run, RunOnce) from a process like powershell.exe or cmd.exe.

Threat Hunter’s Eye

Hypothesis: An adversary established persistence via a new Windows Service that runs a payload from a non-standard, writable directory.
Hunt Query Logic (Pseudo): "Look for Event ID 7045 (Service Installed) where the 'Service File Name' path contains user directories (C:\Users\), temporary folders (C:\Windows\Temp\, C:\Temp\), or the root of a drive, and the installing process is not a trusted installer (msiexec.exe, svchost.exe)."

Defensive Tools & Categories

• Endpoint Detection and Response (EDR): Tools like CrowdStrike, Microsoft Defender for Endpoint, SentinelOne. They monitor process creation, registry changes, and service installation in real-time.
• Security Information and Event Management (SIEM): Platforms like Splunk, Elastic SIEM, Microsoft Sentinel. They aggregate and correlate logs from across the environment, enabling hunters to search for persistence patterns.
• Change Monitoring & Integrity Tools: Tools like Tripwire, Wazuh, or even built-in Windows auditing (Advanced Audit Policy) to baseline and alert on critical file/registry changes.

Blue Team Command: Investigative PowerShell

6. Real-World Example: From Headlines to Logs

The SolarWinds SUNBURST Attack

The SolarWinds campaign of 2020 is a masterclass in sophisticated persistence. Threat actors (attributed to NOBELIUM) compromised the SolarWinds Orion software build system, injecting a malicious backdoor named SUNBURST into legitimate software updates.

The Persistence Connection: In the SUNBURST attack, the threat group used Persistence when the malware, once installed on a victim's system, established multiple mechanisms to survive. It created a scheduled task named SolarWinds to re-execute the malicious DLL periodically. It also used sophisticated techniques to remain dormant and blend in with normal SolarWinds processes.

This allowed them to maintain covert access for months within victim networks, enabling them to move laterally, escalate privileges, and ultimately exfiltrate sensitive data from high-value targets, including government agencies and Fortune 500 companies.

7. Mapping the MITRE Landscape

Below are some of the primary Persistence techniques. This is a high-level view