Persistence is how an attacker keeps access after the first compromise, so a reboot or a password reset does not lock them out. This section breaks the Windows mechanisms (registry run keys, scheduled tasks, services, WMI subscriptions), the Linux ones (SSH keys, cron, systemd, shell profiles), and cross-platform backdoors (web shells, rootkits, rogue accounts) into plain-language explainers, each ending with how a penetration test surfaces the foothold in your environment.
Topics
- What is Persistence?: how attackers keep access to a compromised system across reboots and password resets.
- What is a Backdoor?: a hidden way back into a system that bypasses normal authentication.
Key terms explained
Plain-language definitions of the backdoors and autostart mechanisms attackers use to stay. Each page covers what it is, the technique, the payload, and how to defend.
Windows persistence
- What is a registry run key?
- What is a scheduled task backdoor?
- What is service persistence?
- What is the Startup folder?
- What is a WMI event subscription?
- What is an accessibility backdoor?
Linux persistence
- What is an SSH authorized_keys backdoor?
- What is a cron job backdoor?
- What is a systemd service backdoor?
- What is a malicious shell profile?
Cross-platform
Related (Active Directory)
How to read this section
The pages are grouped by where an attacker hides to keep access.
- Foundations first: persistence and the backdoor.
- Windows persistence: registry run keys, scheduled tasks, services, the Startup folder, WMI event subscriptions, and accessibility backdoors.
- Linux persistence: SSH authorized_keys, cron jobs, systemd services, and shell profiles.
- Cross-platform: web shells, rootkits, and rogue accounts.
- Related: the Active Directory persistence techniques (golden tickets, krbtgt) that survive even a domain-wide reset.
Each explainer ends with how a penetration test confirms the foothold in your environment.