Persistence

Author: Stefan Waldvogel

Summery:
T1098: Account Manipulation
T1197: BITS Jobs
T1547 Boot or Logon Autostart Execution
T1547.010 Boot or Logon Autostart Execution: Port Monitors
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.005 Boot or Logon Autostart Execution: Security Support Provider
T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)
T1176 Browser Extensions
T1136.002 Create Account: Domain Account
T1136.001 Create Account: Local Account
T1543.003Create or Modify System Process: Windows Service
T1546.008 Event Triggered Execution: Accessibility Features
T1546.010 Event Triggered Execution: AppInit DLLs
T1546.011 Event Triggered Execution: Application Shimming
T1546.001 Event Triggered Execution: Change Default File Association
T1546.012 Event Triggered Execution: Image File Execution Options Injection
T1546.007 Event Triggered Execution: Netsh Helper DLL
T1546.013 Event Triggered Execution: PowerShell Profile
T1546.002 Event Triggered Execution: Screensaver
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1133 External Remote Services
T1574.012 Hijack Execution Flow: COR_PROFILER
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path
​T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
T1556.002 Modify Authentication Process: Password Filter DLL
T1137.002 Office Application Startup: Office Test
T1137.004 Office Application Startup: Outlook Home Page
​T1053.002 Scheduled Task/Job: At (Windows)
T1053.005 Scheduled Task/Job: Scheduled Task
T1505.002 Server Software Component: Transport Agent
T1505.003 Server Software Component: Web Shell
T1078.001 Valid Accounts: Default Accounts
T1078.003 Valid Accounts: Local Accounts

T1059.001 PowerShell

T1059.003 Windows Command Shell

T1059.005 Visual Basic

T1559.002 Dynamic Data Exchange

T1106 Native API

T1053.002 At (Windows)

T1053.005 Scheduled Task

T1069.002 Service Execution

T1204.002 Malicious File

T1047 Windows Management Instrumentation

© 2021. This work is licensed under a CC BY-SA 4.0 license​