Persistence (22 techniques)
Maintaining a foothold across system restarts, credential changes, and other interruptions.
The Persistence tactic groups MITRE ATT&CK techniques used by adversaries tomaintaining a foothold across system restarts, credential changes, and other interruptions. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1037 - Boot or Logon Initialization ScriptsESXi, Linux, macOS, Network Devices, Windows
- T1053 - Scheduled Task/JobContainers, ESXi, Linux, macOS, Network Devices, Windows
- T1078 - Valid AccountsContainers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
- T1098 - Account ManipulationContainers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
- T1112 - Modify RegistryWindows
- T1133 - External Remote ServicesContainers, Linux, macOS, Windows
- T1136 - Create AccountWindows, IaaS, Linux, macOS, Network Devices, Containers, SaaS, Office Suite, Identity Provider, ESXi
- T1137 - Office Application StartupWindows, Office Suite
- T1176 - Software ExtensionsLinux, macOS, Windows
- T1197 - BITS JobsWindows
- T1205 - Traffic SignalingLinux, macOS, Network Devices, Windows
- T1505 - Server Software ComponentWindows, Linux, macOS, Network Devices, ESXi
- T1525 - Implant Internal ImageIaaS, Containers
- T1542 - Pre-OS BootLinux, macOS, Network Devices, Windows
- T1543 - Create or Modify System ProcessContainers, Linux, macOS, Windows
- T1546 - Event Triggered ExecutionLinux, macOS, Windows, SaaS, IaaS, Office Suite
- T1547 - Boot or Logon Autostart ExecutionLinux, macOS, Windows, Network Devices
- T1554 - Compromise Host Software BinaryESXi, Linux, macOS, Windows
- T1556 - Modify Authentication ProcessIaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
- T1653 - Power SettingsWindows, Linux, macOS, Network Devices
- T1668 - Exclusive ControlLinux, macOS, Windows
- T1671 - Cloud Application IntegrationOffice Suite, SaaS
Detection engineering training, taught by practitioners.
Learn how to build real detections across the MITRE ATT&CK framework.
View Courses