Persistence is the stage of attack in which adversaries establish long-term access to compromised systems.

Rudimentary examples include:

  • Installing a rootkit
  • Adding a service that provides reverse shell
  • Command and Control implants/agents
  • Adding own SSH public key to .ssh/authorized_keys / steal and crack SSH private key
  • Adding a new user and abusing remote access services
  • Creating an NinjaJc01/ssh-backdoor

More complex persistence methods may include masquerading as a kernel module, driver, or installing BPF programs, etc. Once a device has been subjected to the more complex methods, a full wipe is almost always needed to continue using it.