The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
View in MITRE ATT&CK®| Technique ID | Technique Name | Number of Mappings | Number of Subtechniques |
|---|---|---|---|
| T1037 | Boot or Logon Initialization Scripts | 17 | 5 |
| T1543 | Create or Modify System Process | 45 | 5 |
| T1133 | External Remote Services | 56 | 0 |
| T1547 | Boot or Logon Autostart Execution | 18 | 13 |
| T1137 | Office Application Startup | 23 | 6 |
| T1053 | Scheduled Task/Job | 29 | 5 |
| T1176 | Browser Extensions | 20 | 0 |
| T1205 | Traffic Signaling | 19 | 2 |
| T1525 | Implant Internal Image | 41 | 0 |
| T1542 | Pre-OS Boot | 39 | 5 |
| T1554 | Compromise Host Software Binary | 24 | 0 |
| T1098 | Account Manipulation | 53 | 7 |
| T1574 | Hijack Execution Flow | 34 | 13 |
| T1078 | Valid Accounts | 72 | 4 |
| T1546 | Event Triggered Execution | 27 | 17 |
| T1197 | BITS Jobs | 23 | 0 |
| T1505 | Server Software Component | 37 | 5 |
| T1136 | Create Account | 35 | 3 |
| T1653 | Power Settings | 5 | 0 |
| T1556 | Modify Authentication Process | 40 | 9 |