Persistence techniques are vital strategies employed by attackers to maintain ongoing access to compromised systems, even after reboots, password changes, or other remediation efforts.
These methods ensure malware or backdoors automatically re-execute or maintain control mechanisms over time, securing continuous presence within the target environment.
Common persistence vectors include modifying Windows registry entries, scheduling tasks to run malicious payloads, and abusing SSH keys for stealthy remote access.
Registry-Based Persistence (Windows)
The Windows registry is a prime target for persistence due to its central role in system configuration and application startup control.
1. AutoStart Extension Points (ASEPs): Attackers create or modify registry keys such as:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
These keys point to executables or scripts launched automatically on user login or system startup.
2. Services and Drivers: Persistence can also be established by installing malicious services registered in registry paths like:
HKLM\SYSTEM\CurrentControlSet\Services
Malicious drivers loaded early during boot enhance stealth and control.
3. Scheduled Tasks via Registry: Scheduled task definitions are cached in, and can be manipulated through, registry keys such as:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
Tasks set to run periodically or at system events can silently re-launch malware.
4. UserInit and Winlogon Hijacking: Modifying keys like HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit allows attackers to launch payloads during the Windows login process.
5. DLL Injection and Hijacking via Registry: Registry keys influencing DLL load orders (KnownDLLs, AppInit_DLLs) can be manipulated to inject malicious DLLs into legitimate processes.
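As an added example (not code from the original article), the following Python script audits the ASEPs listed above from a `reg export` text file: the Run keys, the Winlogon Userinit and Shell values, and AppInit_DLLs. The registry content in SAMPLE_REG is constructed for this example, and the path heuristics and the expected default values (userinit.exe with its trailing comma, explorer.exe, an empty AppInit_DLLs) are the script's own assumptions.

```python
"""Audit Windows AutoStart Extension Points (ASEPs) from a `reg export` file.

Parses the text format that `reg export` writes and flags the entries a
responder would triage first. SAMPLE_REG is constructed for this example;
it is not taken from any real system.
"""
import re

# Constructed sample in the format produced by `reg export`.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\Libraries\\svc.exe -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Loader"="powershell.exe -w hidden -enc AAAA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\x.exe,"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

# Keys and defaults the audit checks (assumed defaults for a stock install).
RUN_KEYS = ("\\Microsoft\\Windows\\CurrentVersion\\Run",
            "\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
WINLOGON_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
APPINIT_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
DEFAULT_USERINIT = "C:\\Windows\\system32\\userinit.exe,"
DEFAULT_SHELL = "explorer.exe"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32", "cmd.exe")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from reg-export text."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^(?:"(.+?)"|(@))=(.*)$', line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            # REG_SZ: strip the quotes and undo the export escaping of " and \
            data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        result[current][name] = data
    return result


def audit_aseps(reg):
    """Return a list of (key, value_name, reason) worth a closer look."""
    findings = []
    for key, values in reg.items():
        lowered = key.lower()
        if any(lowered.endswith(k.lower()) for k in RUN_KEYS):
            for name, data in values.items():
                d = data.lower()
                if any(p in d for p in USER_WRITABLE):
                    findings.append((key, name, "launches from a user-writable path"))
                elif any(h in d for h in SCRIPT_HOSTS):
                    findings.append((key, name, "launches through a script host"))
        elif lowered == WINLOGON_KEY.lower():
            if values.get("Userinit", DEFAULT_USERINIT).lower() != DEFAULT_USERINIT.lower():
                findings.append((key, "Userinit", "deviates from the default userinit.exe"))
            if values.get("Shell", DEFAULT_SHELL).lower() != DEFAULT_SHELL:
                findings.append((key, "Shell", "deviates from explorer.exe"))
        elif lowered == APPINIT_KEY.lower():
            if values.get("AppInit_DLLs", "").strip():
                findings.append((key, "AppInit_DLLs", "non-empty: DLL injected into user32 processes"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_aseps(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name}: {reason}")
```

On a live host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` for each key of interest (the file is UTF-16, so read it with `open(path, encoding="utf-16")`). The output is a triage list, not a verdict: the OneDrive entry is flagged only because it lives under AppData, which is where OneDrive legitimately installs, whereas a Userinit value that no longer equals `C:\Windows\system32\userinit.exe,` rarely has a benign explanation.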
Scheduled Task Persistence
Scheduled tasks are system features that enable automated execution of programs or scripts based on triggers such as time schedules or system events.
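Because a scheduled task is stored as an XML definition, the fastest way to review one is to pull out its triggers, the account it runs as, whether it is hidden, and the command it executes. The following Python script does that, as an added example that is not part of the original article; SAMPLE_TASK_XML is a constructed task definition, and the heuristics in assess_task are the script's own choices.

```python
"""Triage a Task Scheduler XML definition: triggers, principal, hidden flag, actions.

SAMPLE_TASK_XML is constructed for this example; it is not a real task.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed task definition in the schema Task Scheduler uses.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\ProgramData\\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""


def parse_task(xml_text):
    """Return the fields a responder looks at first from a task's XML text."""
    # Task files declare UTF-16; once decoded to str the declaration must go
    # or ElementTree refuses the multi-byte encoding.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    triggers = [child.tag.replace(NS, "") for child in root.findall(f"{NS}Triggers/*")]
    actions = []
    for ex in root.findall(f"{NS}Actions/{NS}Exec"):
        cmd = ex.findtext(f"{NS}Command", default="").strip()
        args = ex.findtext(f"{NS}Arguments", default="").strip()
        actions.append((cmd, args))
    return {
        "triggers": triggers,
        "user": root.findtext(f"{NS}Principals/{NS}Principal/{NS}UserId", default="").strip(),
        "run_level": root.findtext(f"{NS}Principals/{NS}Principal/{NS}RunLevel", default="").strip(),
        "hidden": root.findtext(f"{NS}Settings/{NS}Hidden", default="").strip().lower() == "true",
        "actions": actions,
    }


def assess_task(task):
    """Return the reasons (assumed heuristics) this task deserves a closer look."""
    reasons = []
    if task["hidden"]:
        reasons.append("hidden from the Task Scheduler UI")
    if task["user"] == "S-1-5-18" or task["run_level"] == "HighestAvailable":
        reasons.append("runs as SYSTEM or with highest privileges")
    for cmd, args in task["actions"]:
        full = f"{cmd} {args}".lower()
        if any(h in full for h in ("powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32")):
            reasons.append(f"action uses a script host: {cmd}")
        if any(f in full for f in ("-enc", "bypass", "hidden")):
            reasons.append("action uses hidden/bypass/encoded flags")
        if any(p in full for p in ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")):
            reasons.append("action references a user-writable path")
    return reasons


if __name__ == "__main__":
    task = parse_task(SAMPLE_TASK_XML)
    print("triggers:", task["triggers"], "user:", task["user"], "hidden:", task["hidden"])
    for reason in assess_task(task):
        print(" -", reason)
```

Task definitions live under `C:\Windows\System32\Tasks\` and are UTF-16, so read each with `open(path, encoding="utf-16")` before passing the text to parse_task; `schtasks /query /tn <name> /xml` produces the same XML for a single task. A task that reads as hidden, SYSTEM, logon-triggered and launching a script host from ProgramData is exactly the combination worth correlating with the TaskCache\Tree registry entries mentioned above.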
SSH Key Abuse for Persistence (Linux & Unix)
SSH keys provide passwordless authentication, ideal for automation and remote management, but they are also abused for persistent, stealthy access.
1. Installation of Unauthorized SSH Keys: Attackers add their own public keys to the victim's ~/.ssh/authorized_keys file to retain access without needing credentials.
2. Key Forwarding and Agent Abuse: Attackers leverage SSH agent forwarding to move laterally, authenticating with keys held by a forwarded agent so that no private key is written to the intermediate host.
3. Compromised Private Keys: Stolen private keys enable attackers to impersonate legitimate users, bypassing password controls.
4. Mitigation: Regularly audit authorized_keys files against an inventory of approved keys, disable unused accounts, and restrict SSH access by source IP or require multi-factor authentication.
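The audit in the mitigation item above is easiest when every approved key is tracked by fingerprint. The following Python script, an added example that is not part of the original article, parses an authorized_keys file, computes each key's SHA256 fingerprint in the form printed by `ssh-keygen -lf`, and reports keys that are not in the approved inventory or carry no `from=` source restriction. The key blobs are constructed (the 32 bytes of key material are filler, so they parse but cannot authenticate), and APPROVED is a constructed inventory.

```python
"""Audit an authorized_keys file against an inventory of approved fingerprints.

All keys and the approved set below are constructed for this example.
"""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def ssh_string(data):
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_blob(fill):
    """Build a syntactically valid ssh-ed25519 public key blob from filler bytes."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)).decode()


def fingerprint(b64_blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_outside_quotes(line):
    """Split on whitespace but keep quoted option values (e.g. from="a b") intact."""
    tokens, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_authorized_keys(text):
    """Yield (line_no, options, key_type, blob, comment); key_type is None if unparseable."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = split_outside_quotes(line)
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx > 1 or idx + 1 >= len(tokens):
            yield n, "", None, None, raw
            continue
        options = tokens[0] if idx == 1 else ""
        yield n, options, tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])


def audit_authorized_keys(text, approved):
    """Return [(line_no, fingerprint_or_None, [issues])] for lines needing review."""
    findings = []
    for n, options, ktype, blob, _comment in parse_authorized_keys(text):
        if ktype is None:
            findings.append((n, None, ["unparseable line"]))
            continue
        try:
            fp = fingerprint(blob)
        except ValueError:
            findings.append((n, None, ["invalid base64 key blob"]))
            continue
        issues = []
        if fp not in approved:
            issues.append("fingerprint not in approved inventory")
        if "from=" not in options:
            issues.append("no from= source restriction")
        if issues:
            findings.append((n, fp, issues))
    return findings


# Constructed sample file and inventory.
DEPLOY_BLOB = constructed_ed25519_blob(0x11)
ALICE_BLOB = constructed_ed25519_blob(0x22)
UNKNOWN_BLOB = constructed_ed25519_blob(0x33)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {DEPLOY_BLOB} deploy@ci
from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 {ALICE_BLOB} alice@laptop
ssh-ed25519 {UNKNOWN_BLOB}
"""
APPROVED = {fingerprint(DEPLOY_BLOB), fingerprint(ALICE_BLOB)}

if __name__ == "__main__":
    for n, fp, issues in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"line {n} {fp}: {', '.join(issues)}")
```

Run it against every `~/.ssh/authorized_keys` on the host (and `AuthorizedKeysFile` locations from sshd_config) with an inventory built from the fingerprints your provisioning system issues; a key with no comment, no approved fingerprint and no `from=` restriction, as on the sample's last line, is the pattern the mitigation item is meant to catch.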