Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
Tactic Overview
Tactic ID: TA0003 — Matrix: Enterprise — Techniques: 23
The Persistence tactic represents a phase in the adversary lifecycle where the adversary is trying to maintain their foothold. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 23 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (23)
The following techniques are categorized under the Persistence tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1098 | Account Manipulation (6 sub-techniques) | Adversaries manipulate accounts to maintain and elevate access, including modifying permissions, adding credentials, and modifying MFA settings. | T1098 |
T1197 | BITS Jobs | Adversaries abuse Background Intelligent Transfer Service to download and execute malicious payloads while evading detection. | T1197 |
T1547 | Boot or Logon Autostart Execution (14 sub-techniques) | Adversaries configure programs to run at system boot or user logon via Registry Run keys, startup folders, kernel modules, and login items. Used by APT42, Dtrack, and many others for persistence. | T1547 |
T1037 | Boot or Logon Initialization Scripts (5 sub-techniques) | Adversaries use boot or logon initialization scripts to execute malicious code at startup, including logon scripts and RC scripts. | T1037 |
T1671 | Cloud Application Integration | Adversaries abuse cloud application integrations and OAuth applications to maintain persistent access. | T1671 |
T1554 | Compromise Host Software Binary | Adversaries modify host software binaries to establish persistence by backdooring legitimate executables. | T1554 |
T1136 | Create Account (3 sub-techniques) | Adversaries create new accounts (local, domain, cloud) to maintain access and bypass credential resets. | T1136 |
T1543 | Create or Modify System Process (4 sub-techniques) | Adversaries create or modify system-level processes such as Windows services, systemd services, and launch daemons for persistence. | T1543 |
T1546 | Event Triggered Execution (16 sub-techniques) | Adversaries establish persistence by creating or modifying system mechanisms that execute code in response to specific events. | T1546 |
T1668 | Exclusive Control | Adversaries use file locking or other mechanisms to maintain exclusive control over resources and prevent remediation. | T1668 |
T1133 | External Remote Services | Adversaries leverage external-facing remote services like VPNs, Citrix, and RDP to initially access and persist within a network. | T1133 |
T1574 | Hijack Execution Flow (12 sub-techniques) | Adversaries hijack the way programs load code (DLL search order, PATH, dylib) to execute malicious payloads when legitimate programs run. | T1574 |
T1525 | Implant Internal Image | Adversaries implant cloud or container images with malicious code that executes when instances are deployed. | T1525 |
T1556 | Modify Authentication Process (9 sub-techniques) | Adversaries modify authentication mechanisms to bypass credentials and access accounts, including password filter DLLs and pluggable authentication modules. | T1556 |
T1112 | Modify Registry | Adversaries modify the Windows Registry to hide configuration information, establish persistence, or enable malicious functionality. | T1112 |
T1137 | Office Application Startup (6 sub-techniques) | Adversaries leverage Microsoft Office startup features (templates, add-ins, macros) for persistence when Office applications are launched. | T1137 |
T1653 | Power Settings | Adversaries modify power settings to prevent systems from entering sleep or hibernation, maintaining access to running processes. | T1653 |
T1542 | Pre-OS Boot (5 sub-techniques) | Adversaries modify system boot processes (bootkit, UEFI, TFTP boot) to load malicious code before the operating system. | T1542 |
T1053 | Scheduled Task/Job (5 sub-techniques) | Adversaries abuse task scheduling (schtasks, cron, systemd timers) to execute malicious code at system startup or on recurring schedules for persistence and privilege escalation. | T1053 |
T1505 | Server Software Component (5 sub-techniques) | Adversaries install malicious components (web shells, transport agents, SQL stored procedures) on servers for persistence. | T1505 |
T1176 | Software Extensions | Adversaries abuse browser extensions and plugins to establish persistence and intercept user data. | T1176 |
T1205 | Traffic Signaling (2 sub-techniques) | Adversaries use specially crafted network packets to trigger hidden functionality on compromised systems (port knocking, wake-on-LAN abuse). | T1205 |
T1078 | Valid Accounts (4 sub-techniques) | Adversaries obtain and abuse credentials of existing accounts for initial access, persistence, and privilege escalation. Extensively used by APT28, APT29, Lazarus Group, Volt Typhoon, and ransomware groups like Akira and BlackByte. | T1078 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Audit scheduled tasks and startup items
- Monitor registry changes
- Privileged account management
- File integrity monitoring
- Endpoint detection and response
Detection Strategies
Effective detection of Persistence techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Persistence tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Persistence Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026