Persistence is the attacker phase of keeping access to a compromised system over time, so a reboot, a closed vulnerability, or a password change does not end the intrusion. Attackers plant mechanisms that re-run their code automatically: registry run keys, scheduled tasks, services, WMI subscriptions, SSH keys, cron jobs, web shells, and rogue accounts. It maps to MITRE TA0003, and the defense is knowing every autostart location and detecting changes to them.
What persistence is
Getting code execution once is fragile: the process dies, the machine reboots, the password gets reset. Persistence is everything an attacker does to make their access survive those events.
The core idea is to hook into something the system runs automatically and repeatedly (a logon, a boot, a schedule, an event) so the attacker’s code keeps coming back without them lifting a finger.
Where attackers persist
Persistence lives wherever the system auto-runs something:
- Windows: registry run keys, scheduled tasks, services, the Startup folder, WMI event subscriptions, and accessibility backdoors.
- Linux: SSH authorized_keys, cron jobs, systemd services, and shell profiles.
- Cross-platform: web shells, rootkits, and rogue accounts.
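The defense named above (know every autostart location and detect changes to it), sketched for the Linux locations in the list as an added example that is not part of the original page. The concrete paths, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Linux autostart locations from the list above, relative to a filesystem root.
# The exact paths are assumptions for this example; extend them for your distro.
WATCHED = ["root/.ssh/authorized_keys", "root/.bashrc", "root/.profile",
           "etc/crontab", "etc/cron.d", "var/spool/cron", "etc/systemd/system"]

def snapshot(root):
    """Return {relative_path: sha256} for every file under the watched paths."""
    state = {}
    for rel in WATCHED:
        top = os.path.join(root, rel)
        files = [top] if os.path.isfile(top) else [
            os.path.join(d, f) for d, _, fs in os.walk(top) for f in fs]
        for path in files:
            with open(path, "rb") as fh:
                state[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff(baseline, current):
    """Compare two snapshots; return sorted (change, path) findings."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) != current.get(path):
            kind = "added" if path not in baseline else "removed" if path not in current else "modified"
            findings.append((kind, path))
    return findings

def write(root, rel, text):  # helper that builds the constructed demo tree
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Build a constructed tree, take a baseline, change the tree, report drift."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "root/.ssh/authorized_keys", "ssh-ed25519 AAAA-constructed admin\n")
        write(root, "etc/crontab", "0 3 * * * root /usr/sbin/logrotate\n")
        baseline = snapshot(root)
        write(root, "root/.ssh/authorized_keys", "ssh-ed25519 AAAA-constructed admin\nssh-ed25519 BBBB-constructed unknown\n")
        write(root, "etc/systemd/system/updater.service", "[Service]\nExecStart=/opt/updater\n")
        os.remove(os.path.join(root, "etc/crontab"))
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

On a real host, call `snapshot("/")` with enough privilege to read the watched files, and keep the baseline somewhere the host itself cannot modify.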
Why it matters
Persistence is what turns a momentary compromise into a long-term presence. It is also what makes incident response hard: clean one foothold and the attacker returns through another.
The most durable persistence survives even drastic remediation: a Golden Ticket forged from the krbtgt key keeps working across the whole domain until that key is rotated twice.