PERSISTENCE
Persistence is any access, action, or change to a system that gives an attacker a persistent presence. In a networked environment it is frequently achieved by acquiring or creating valid credentials and identity artifacts. Attackers or testers can simply reuse harvested credentials to regain access without installing backdoors, or create local or domain accounts to maintain footholds. At the domain level, forged Kerberos artifacts (e.g., golden and silver tickets), credential-theft tools, and skeleton-key-style modifications enable long-lived access that bypasses typical account controls. Similarly, adding SSH public keys to user accounts provides a stealthy persistence vector for remote access that does not rely on a binary implant. Because these methods leverage existing authentication mechanisms, they often blend with legitimate activity and require targeted detection and hardening (e.g., MFA, session restrictions, logging/UEBA) to mitigate.
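As an added example (not part of the original page), one way to detect the SSH public key persistence described above is to compare the fingerprints in an account's authorized_keys file against an approved baseline. The sample file, the key blobs, and the names parse_entry, audit and APPROVED are constructed for illustration.

```python
import base64, hashlib, re, struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Leading options field: runs of non-space characters and double-quoted strings.
OPTIONS_RE = re.compile(r'((?:"(?:\\.|[^"\\])*"|[^\s"])+)\s+(.*)')

def parse_entry(line):
    """Parse one authorized_keys line. None for blank/comment lines, ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):      # anything before the key type is an options field
        m = OPTIONS_RE.match(line)
        if not m:
            raise ValueError("no key type or options field found")
        options, line = m.groups()
    fields = line.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPES):
        raise ValueError("no key type found")
    blob = base64.b64decode(fields[1], validate=True)   # binascii.Error is a ValueError
    # Same form ssh-keygen -l prints: unpadded base64 of SHA-256 over the raw key blob.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": fields[0], "fingerprint": "SHA256:" + digest,
            "options": options, "comment": fields[2] if len(fields) > 2 else ""}

def audit(text, approved):
    """Return (line_no, reason, detail) for each entry whose fingerprint is not approved."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            findings.append((no, "malformed", str(exc)))
            continue
        if entry and entry["fingerprint"] not in approved:
            findings.append((no, "unapproved key", entry["fingerprint"]))
    return findings

def sample_key(seed):
    """Constructed ed25519-shaped blob for the demo; not a real key."""
    blob = struct.pack(">I11sI", 11, b"ssh-ed25519", 32) + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed sample file: two baseline keys, one key added later, one corrupted line.
SAMPLE = "\n".join(["# managed by config mgmt", sample_key(b"alice") + " alice@laptop",
                    'command="/usr/bin/backup run",no-pty ' + sample_key(b"backup") + " backup job",
                    sample_key(b"added-later") + " support", "ssh-ed25519 not*base64 broken"])
APPROVED = {parse_entry(l)["fingerprint"] for l in SAMPLE.splitlines()[1:3]}
```

Calling `audit(SAMPLE, APPROVED)` reports line 4 as an unapproved key and line 5 as malformed. In practice the approved set would come from the inventory of keys the organization has actually issued.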