

Persistence is the fourth step of the attack chain, in which permanent access to the target is ensured (TA0003). Ensuring persistence is an important but also critical task, because in some cases the configuration of the system needs to be changed. Changing a system’s configuration may be detected by the Blue Team, especially if it is unusual behavior such as the Microsoft Word process creating a new scheduled task.

Permanent access to a system or environment can be ensured in different ways. In some cases, it is possible to successfully compromise clear-text user credentials in the Control & Movement phase or during a phishing campaign. Those credentials can then be used to gain persistent access to the network via remote access portals like Citrix or other services. Remaining persistent on an end-user device or server system can usually be achieved by different means. These include adding additional files to the local system, creating new scheduled tasks, or infecting existing files on the system.
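The Blue Team detection mentioned above (Microsoft Word creating a scheduled task) can be expressed as a parent/child check over process-creation events. The following is an added example, not part of the original article; it assumes events exported as JSON lines with the `Image`, `ParentImage` and `CommandLine` fields of Sysmon Event ID 1, and the sample events are constructed.

```python
import json
import ntpath
import re

# Office parents that rarely have a legitimate reason to register tasks.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# schtasks.exe is only interesting here when asked to create a task.
CREATE_SWITCH = re.compile(r"(?:^|\s)/create\b", re.IGNORECASE)

# Constructed sample events, one JSON object per line (assumed export format).
SAMPLE_EVENTS = r"""
{"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n C:\\Users\\alice\\report.docx"}
{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "schtasks.exe /Create /SC DAILY /TN ExampleTask /TR C:\\Users\\Public\\example.exe"}
{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "schtasks.exe /Query /FO LIST"}
{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks.exe /create /SC WEEKLY /TN Backup /TR C:\\Tools\\backup.cmd"}
"""

def _name(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return ntpath.basename(path or "").lower()

def is_office_task_creation(event):
    """True when an Office process spawned schtasks.exe with /create."""
    return (
        _name(event.get("ParentImage")) in OFFICE_PARENTS
        and _name(event.get("Image")) == "schtasks.exe"
        and CREATE_SWITCH.search(event.get("CommandLine") or "") is not None
    )

def detect(jsonl):
    """Return every event in the JSON-lines text that matches the rule."""
    hits = []
    for line in jsonl.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip rather than abort the run
        if isinstance(event, dict) and is_office_task_creation(event):
            hits.append(event)
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", _name(hit["ParentImage"]), "->", hit["CommandLine"])
```

The rule only covers tasks created through the `schtasks.exe` command line; tasks registered without spawning that binary have to be caught from task-creation events (for example Security event 4698) instead.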