Persistence (22 techniques)

The Persistence tactic groups MITRE ATT&CK techniques used by adversaries to maintaining a foothold across system restarts, credential changes, and other interruptions. Each technique below has its own page with detection guidance, platforms, and sub-techniques.

• T1037 — Boot or Logon Initialization Scripts
  ESXi, Linux, macOS, Network Devices, Windows
• T1053 — Scheduled Task/Job
  Containers, ESXi, Linux, macOS, Network Devices, Windows
• T1078 — Valid Accounts
  Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
• T1098 — Account Manipulation
  Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
• T1112 — Modify Registry
  Windows
• T1133 — External Remote Services
  Containers, Linux, macOS, Windows
• T1136 — Create Account
  Windows, IaaS, Linux, macOS, Network Devices, Containers, SaaS, Office Suite, Identity Provider, ESXi
• T1137 — Office Application Startup
  Windows, Office Suite
• T1176 — Software Extensions
  Linux, macOS, Windows
• T1197 — BITS Jobs
  Windows
• T1205 — Traffic Signaling
  Linux, macOS, Network Devices, Windows
• T1505 — Server Software Component
  Windows, Linux, macOS, Network Devices, ESXi
• T1525 — Implant Internal Image
  IaaS, Containers
• T1542 — Pre-OS Boot
  Linux, macOS, Network Devices, Windows
• T1543 — Create or Modify System Process
  Containers, Linux, macOS, Windows
• T1546 — Event Triggered Execution
  Linux, macOS, Windows, SaaS, IaaS, Office Suite
• T1547 — Boot or Logon Autostart Execution
  Linux, macOS, Windows, Network Devices
• T1554 — Compromise Host Software Binary
  ESXi, Linux, macOS, Windows
• T1556 — Modify Authentication Process
  IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
• T1653 — Power Settings
  Windows, Linux, macOS, Network Devices
• T1668 — Exclusive Control
  Linux, macOS, Windows
• T1671 — Cloud Application Integration
  Office Suite, SaaS