The adversary is trying to maintain their foothold.

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.


Techniques: 4
ID Name Description
VT0011 Account Manipulation Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials, machine identities or permission groups.
.001 Additional Cloud Credentials Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
.002 SSH Authorized Keys Adversaries may modify the Secure Shell (SSH) authorized_keys file to maintain persistence on a victim host. SSH is the standard for remote access to Linux and Unix-based distributions, macOS, and Microsoft from Windows 10 machines. The most common way to implement SSH is using key-based authentication to secure the authentication for remote management sessions.
VT0014 Compromise Client Software Binary Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.
VT0002 External Remote Services External-facing remote services such as SSH, VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries may leverage such remote services to initially access and persist within a network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.
VT0005 Valid Accounts Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
.001 Default Accounts Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.



Created: 26 November 2020

Last Modified: 26 November 2020