Learn about persistence in cybersecurity, including common malware persistence mechanisms and advanced persistent threats (APTs).
This article is from The Defender's Handbook: a knowledge base for cybersecurity enthusiasts to level up their cyber knowledge—one article at a time.
Persistence has become a go-to attack tactic for today’s threat actors.
As hackers have evolved their tradecraft, they’ve become stealthier—ensuring that they can lurk in their desired environment for as long as they need to accomplish their mission.
While other attacks, such as ransomware, are loud and overt, persistence enables attackers to stay hidden—unless defenders know what to look for.
Read on to learn:
Persistence—or what we call a foothold in cybersecurity—is the method of attack that hackers use when they want to let themselves into your environments whenever they please.
The most common malware persistence mechanisms include boot or logon autostart execution, boot or logon initialization scripts and scheduled tasks/jobs.
Persistence can be hard to spot unless you know exactly what to look for.
Because persistence is designed to be a stealthy attack tactic, it recruits various evasion techniques to avoid being detected by automated tools. The best defense against persistence is human threat hunters combined with innovative technology.
Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. Bad actors can place an implant or a “stub” that both evades automated antivirus solutions and kickstarts more malware. This malware is usually hidden in legitimate startup folders or within scheduled tasks and services, making it harder to find.
After you reboot your system or log off and on again, the stub or malware is retriggered to run again. In other words, persistence enables hackers who gain access into your environments to keep it—oftentimes without you knowing they have access in the first place.
Advanced persistent threat (APT): A persistence-enabled attack that’s advanced in nature and execution—typically executed by nation-state cybercrime groups.
Cyber kill chain: The steps attackers take to carry out a cyberattack. These steps include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
Dwell time: The time that an attacker is present in a victim’s environment before they’re detected.
Foothold: The virtual spot an attacker secures in an environment through persistence, allowing the attacker to maintain access through system disruptions.
Malware: Software designed to disrupt, damage or help an unauthorized user gain access to a computer or network.
Persistence: A stealthy attack tactic that threat actors use to gain and keep unauthorized access to a virtual environment.
Ransomware: A type of malware that encrypts a user’s data and requires some type of payment to the attacker for decryption to occur.
Persistence can be used to keep malware running—and to spread other malware if they so choose. Attackers can use persistent malware to maintain access to a network as they search for the data they want to steal. They also sometimes use persistent malware to conduct other types of shady activity, such as click fraud or cryptojacking.
Luckily, persistence can help defenders detect malware. When defenders find persistence, they can eliminate it, cutting off the threat actor’s access and stopping attackers in their tracks.
It’s important to note that detecting malware is only a temporary solution to the bigger problem: persistence. If defenders don’t find the persistence in the environment, threat actors can simply recirculate the malware. Malware detection treats one symptom without addressing the root problem. That’s why it’s critical to find—and eliminate—persistence.
Advanced persistent threats, or APTs, are a type of persistence-enabled attack. However, not all persistence-enabled attacks are APTs.
Persistence-enabled attacks that are advanced, such as those carried out by nation-state cybercrime groups, are APTs. In contrast, persistence is a broader term that covers both advanced attacks and the attacks that lower-level threat actors and groups execute.
Perhaps the most well-known example of an APT is Stuxnet. Stuxnet was created in the early 2000s by the United States’ National Security Agency (NSA) and Israel’s cyber division of their military (Unit 8200). This APT was created in an effort to disrupt Iran’s nuclear program.
This APT was groundbreaking for its time. The malware searched the operating system for Siemens Step 7 software—the software that industrial computers serving as PLCs (programmable logic controllers) used to monitor electro-mechanical equipment. Once the malware identified the software, it automatically updated the software’s code to send instructions to the equipment to damage itself. Simultaneously, the malware sent wrong information back to the main controller, allowing the malware to remain undetected—even to the humans who were monitoring the equipment—until the equipment began to malfunction.
Ultimately, Stuxnet affected more than 200,000 computers and destroyed nearly 1,000 centrifuges at Iran’s Natanz nuclear facility.
Typically, persistence falls in the middle of the cyber kill chain. After hackers gain access to an environment, their goal is to keep that access without being detected.
Below are the five main stages in the cyber kill chain.
MITRE ATT&CK®, which compiles information about adversary tactics based on what’s being seen in the real world, has identified 19 different known malware persistence mechanisms that attackers use to lurk in environments undetected. Out of those, we tend to see hackers establish persistence in one of three ways:
This common malware persistence mechanism, boot or logon autostart execution, involves a hacker abusing a legitimate operating system process such as a system reboot or logon. A hacker achieves persistence by adding an entry to the run keys in the Windows Registry or to the Startup folder. As a result, any referenced programs are executed when a user logs in.
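Because the Run keys and Startup folders are exactly where an attacker is expected to plant an entry, they are also where a defender should look first. The following PowerShell script is an added example, not code from the article or from Huntress: it enumerates the Run/RunOnce keys and both Startup folders and reports entries that run from outside Program Files or the Windows directory, point at a missing file, or carry no valid Authenticode signature. The trusted-root list, the metadata-property list and the checks themselves are assumptions for illustration and should be tuned to your environment.

```powershell
# Added example, not from the original article: audit the autostart
# locations the article names (Run/RunOnce registry keys and the Startup
# folders) and flag entries that deserve a human look. The trusted-root list
# and the checks are assumptions for illustration; tune them to your estate.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Directories from which autostart programs are normally expected to run.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

# Metadata properties that Get-ItemProperty adds; they are not autostart values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandPath {
    # Pull the program out of a command line such as
    #   "C:\Tools\agent.exe" --silent   or   C:\Tools\agent.exe --silent
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Get-SuspicionReason {
    # Returns $null for an entry that looks normal, otherwise a short reason.
    # Bare names such as rundll32.exe (resolved through PATH) are reported
    # for manual review rather than resolved here.
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $inTrustedRoot = $false
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
    }
    if (-not $inTrustedRoot) { return 'runs from outside Program Files / Windows' }
    if (-not (Test-Path -LiteralPath $expanded)) { return 'target file missing' }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -ne 'Valid') { return "signature status $($sig.Status)" }
    return $null
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }
        $reason = Get-SuspicionReason (Get-CommandPath "$($prop.Value)")
        if ($reason) {
            $findings += [pscustomobject]@{ Location = $key; Name = $prop.Name; Command = $prop.Value; Reason = $reason }
        }
    }
}

$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($item in Get-ChildItem -LiteralPath $folder -File) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') {
            # Resolve a shortcut to the program it launches.
            $target = $shell.CreateShortcut($item.FullName).TargetPath
        }
        $reason = Get-SuspicionReason $target
        if ($reason) {
            $findings += [pscustomobject]@{ Location = $folder; Name = $item.Name; Command = $target; Reason = $reason }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and the all-users Startup folder are readable. The output is a review list, not a verdict: an unsigned updater in a vendor's own directory will show up too, which is the point the article makes about why a human needs to make the final call.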
For boot or logon initialization scripts, hackers typically use local credentials or an administrator account to run scripts that are automatically executed at boot or logon. In turn, attackers can execute other programs or send information to an internal logging server.
It's possible to decrease your chances of being impacted by this common malware persistence mechanism if you ensure proper permissions are set and restrict write access to logon scripts to specific administrators. However, this isn’t a foolproof preventive measure.
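The mitigation above is only as good as the permissions actually set on the script locations, so it is worth checking them rather than assuming. The PowerShell below is an added example, not code from the article or from Huntress: it walks the local Group Policy logon and startup script folders, lists every access control entry that grants write, delete or ownership rights to a principal outside an allowed-writer list, and separately reports whether a per-user logon script has been set in the registry. The allowed-writer list is an assumption, and the NETLOGON share path is a placeholder to fill in on a domain-joined host.

```powershell
# Added example, not from the original article: put the article's mitigation
# into practice by checking who can write to the local logon/startup script
# folders, and whether a per-user logon script has been set in the registry.
# The allowed-writer list is an assumption; the NETLOGON path is a
# placeholder for a domain-joined host.

$allowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

$scriptRoots = @(
    (Join-Path $env:SystemRoot 'System32\GroupPolicy\User\Scripts\Logon'),
    (Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Scripts\Startup')
)
# On a domain member, also review the domain's script share, for example:
# $scriptRoots += '\\<your-domain>\NETLOGON'

# Rights that let a principal alter or replace a script.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
# Generic rights (GENERIC_WRITE / GENERIC_ALL) sometimes appear as raw bits
# instead of named flags; treat them as write access too.
$genericWrite = 0x40000000 -bor 0x10000000

function Get-UnexpectedWriters {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $bits = [int]$ace.FileSystemRights
        $canWrite = (($bits -band [int]$writeMask) -ne 0) -or (($bits -band $genericWrite) -ne 0)
        if (-not $canWrite) { continue }
        if ($allowedWriters -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# 1. Folder and file ACLs: anyone outside $allowedWriters with write rights is reported.
$findings = foreach ($root in $scriptRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-UnexpectedWriters -Path $root
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        Get-UnexpectedWriters -Path $file.FullName
    }
}
$findings | Format-Table -AutoSize

# 2. Per-user logon script set directly in the registry (MITRE ATT&CK T1037.001),
#    which runs at logon without any Group Policy involvement.
$regValue = Get-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue
if ($regValue) {
    Write-Warning "UserInitMprLogonScript is set for this user: $($regValue.UserInitMprLogonScript)"
}
```

An empty table is the result you want. Any identity that appears in it, particularly Authenticated Users or a broad group, can replace a script that every logon then runs, which is the write-access gap the article's mitigation is meant to close.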
The scheduled task/job persistence mechanism occurs when an attacker abuses the task scheduling feature to jumpstart the initial or recurring execution of malicious code.
A common method is abusing Windows Task Scheduler, which can be used to execute programs at system startup or on a scheduled basis. As an example, TrickBot, a trojan spyware program, has been known to create scheduled tasks on compromised systems in a way that provides persistence for the attack.
Because all major operating systems feature utilities to schedule programs or scripts to be executed, this persistence mechanism is a risk for nearly everyone. The key to detecting this common malware persistence mechanism is to regularly review your task scheduler to eliminate any changes to tasks that don’t correlate with known software, patch cycles and so on.
Let’s say, for example, an attacker is able to compromise a system and create a scheduled task that automatically executes the following command every time the machine starts up:
cmd /c "start /b
(Annotations from the original figure: cmd /c "start /b kicks off a new command prompt in the background; the second half of the command is the location of the batch file to be executed.)
At a glance, it's easy to focus on the second half of this command; there's clearly a very unusual-looking file being called. Let’s go ahead and open the file to see what’s inside:
net user eviluser "myEvilPassword" /ADD
net localgroup administrators eviluser /ADD
This batch file adds a new backdoor account with administrative privileges.
In this case, the challenge an automated security tool would have is validating malicious intent with this scheduled task—and that’s to the benefit of the attacker.
Many preventive tools require a high degree of confidence that malicious activity is occurring before stepping in. Creating a username and password through a command line prompt could actually be a legitimate administrative task. Therefore, most security products will allow the action to continue in order to avoid potential disruption for the end user. All the while, the attacker can stealthily hide in the software’s blindspots.
This is why persistence is an attacker’s greatest ally. It provides secret, backdoor access that’s hidden within the existing parts of an operating system.
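The task scheduler review the article recommends, and the inspection of a task's action and the script it calls from the example above, can both be scripted. The PowerShell below is an added example, not code from the article or from Huntress: it snapshots every executable task action, compares the snapshot with a saved baseline so that only tasks that changed since the last review are examined, and for each new task checks whether it launches from a user-writable directory, hides itself with start /b, or calls a script whose contents include account-creation commands like the net user and net localgroup lines shown earlier. The baseline file path, the directory list and the patterns are assumptions for illustration.

```powershell
# Added example, not from the original article: review scheduled tasks the way
# the article suggests, by comparing the current tasks with a saved baseline
# and then looking inside each new task's action, down to the script it runs.
# A task whose script contains account-creation commands like the
# "net user ... /ADD" line above, or that launches from a user-writable
# directory, is listed for a human to judge. The baseline path, directory
# list and patterns are assumptions for illustration.

$baselinePath = Join-Path $env:ProgramData 'TaskBaseline.json'   # assumed location

# Directories an ordinary user can write to; a task launching from here deserves a look.
$userWritable = @(
    (Join-Path $env:SystemDrive 'Users'),
    $env:ProgramData,
    (Join-Path $env:SystemRoot 'Temp')
)

# Commands in a script body that should never appear in an unreviewed task.
$riskyPatterns = @(
    'net(1)?(\.exe)?\s+user\s+\S+\s+.*/add',          # account creation
    'net(1)?(\.exe)?\s+localgroup\s+administrators'   # admin group change
)

function Get-TaskSnapshot {
    # One comparable record per executable task action.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip non-exec action types
            [pscustomobject]@{
                Id        = "$($task.TaskPath)$($task.TaskName)"
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = [string]$action.Arguments
            }
        }
    }
}

function Get-ScriptFromAction {
    # Extract the script a cmd.exe-style action ends up running, e.g. the .bat in
    #   cmd /c "start /b C:\Users\Public\evil.bat"   (paths with spaces are not handled)
    param([string]$Execute, [string]$Arguments)
    if ("$Execute $Arguments" -match '([A-Za-z]:\\[^"\s]+\.(bat|cmd|ps1|vbs|js))') { return $Matches[1] }
    return $null
}

function Test-UnderUserWritable {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($dir in $userWritable) {
        if ($dir -and $expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ReviewReasons {
    param($Record)
    $reasons = @()
    if (Test-UnderUserWritable $Record.Execute) { $reasons += 'executable in a user-writable directory' }
    if ($Record.Arguments -match '(?i)start\s+/b') { $reasons += 'hidden background launch via start /b' }
    $script = Get-ScriptFromAction $Record.Execute $Record.Arguments
    if ($script) {
        if (Test-UnderUserWritable $script) { $reasons += "script in a user-writable directory: $script" }
        if (Test-Path -LiteralPath $script) {
            $body = Get-Content -LiteralPath $script -Raw
            foreach ($pat in $riskyPatterns) {
                if ($body -match "(?i)$pat") { $reasons += "script matches '$pat'" }
            }
        }
    }
    return $reasons
}

$current = @(Get-TaskSnapshot)

# Compare against the baseline; without one, every task is treated as new.
if (Test-Path -LiteralPath $baselinePath) {
    $known = @{}
    foreach ($b in (Get-Content -LiteralPath $baselinePath -Raw | ConvertFrom-Json)) {
        $known["$($b.Id)|$($b.Execute)|$($b.Arguments)"] = $true
    }
    $new = @($current | Where-Object { -not $known.ContainsKey("$($_.Id)|$($_.Execute)|$($_.Arguments)") })
} else {
    $new = $current
}

foreach ($rec in $new) {
    $reasons = @(Get-ReviewReasons $rec)
    if ($reasons.Count -eq 0) { continue }
    Write-Host "REVIEW $($rec.Id) (author: $($rec.Author))"
    Write-Host "  action: $($rec.Execute) $($rec.Arguments)"
    $reasons | ForEach-Object { Write-Host "  reason: $_" }
}

# Once a human has reviewed and accepted the new tasks, refresh the baseline:
# $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $baselinePath
```

The baseline is what turns a long task list into a short review queue: after patch cycles or software installs a human accepts the new entries and refreshes it, and the next run only shows what changed. Reading the called script is the step an automated tool is least comfortable making a call on, since an account-creation command can be legitimate administration; surfacing it to a person, rather than blocking or ignoring it, is the trade-off the article describes.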
Source: Data captured from The Huntress Managed Security Platform, which detects persistent footholds and other cyberthreats, January–May, 2021 (Base = 2,566)
Many companies that produce security tools claim they can find and eliminate persistence through artificial intelligence (AI) and automation. The problem is that persistence, by design, is stealthy to remain undetected. It often accomplishes this by using forms of obfuscation or evasion techniques that automated tools won’t catch.
Humans, on the other hand, have the contextual awareness to see if something doesn’t look right. This is why threat hunting combines innovative technology with human intelligence to identify attacks that are missed by automated security tools alone.
Human threat hunters and innovative technology are the dynamic duo that can find and eliminate persistence.
To learn more about persistence in cybersecurity, check out our other resources:
The Huntress Managed Security Platform was designed to detect persistence mechanisms to identify and evict threat actors from your environments.
If you’d like to see The Huntress Managed Security Platform in action against persistent threats, sign up for a free 21-day trial.