Persistence
Details
| Field | Value |
|---|---|
| ID | PT0004 |
| MITRE ATT&CK ID | TA0003 |
| Created | 2026-06-22 |
| Last Modified | 2026-06-22 |
| Contributors | slashsec |
Description
The adversary is trying to maintain their presence or ability to re-enter.
Persistence consists of techniques that keep access available across visits or extended time on site. Examples include hiding on premises, planting devices, retaining cloned badges or keys, and establishing recurring entry using compromised trust or credentials.
Techniques
| ID | Name | Description |
|---|---|---|
| P0008 | Valid Credentials | Adversaries may use legitimate or previously valid credentials to enter controlled areas. This includes badges, keys, PINs, biometric enrollments, or access cards obtained through theft, sharing, cloning, or insider assistance. |
| P0011 | Establish Trust | Adversaries may build rapport with staff, security, or regular occupants to reduce scrutiny and enable repeat access. Established trust supports recurring entry, escorted movement, and persistence across multiple visits. |
| P0012 | Manipulate Physical Access Controls | Adversaries may alter physical access control hardware to maintain covert entry or exit paths. Manipulation can leave controls appearing normal while allowing unauthorized access on demand. |
| P0012.001 | Replace Lock | Adversaries may swap or rekey locks so that only they retain working keys while the original hardware remains in place. Replaced locks can preserve the appearance of normal access control while enabling covert re-entry. |
| P0012.002 | Disable Latch | Adversaries may disable door latches, strike plates, or similar mechanisms so doors can be opened without normal authorization. Disabled latches may allow quiet re-entry while appearing closed from a distance. |
| P0013 | Hide on Premises | Adversaries may conceal themselves within a facility or controlled area to avoid detection between operating periods. Hiding locations include unused spaces, storage areas, ceilings, and other low-traffic zones that support extended presence. |
| P0038 | Manipulate Electronic Access Control | Adversaries may tamper with electronic access hardware such as card readers, PIN pads, and electronic locks, or related wiring and controllers, to bypass or spoof the controls, capture credentials, or hold access in an open state. Manipulated controls can enable initial entry, credential theft, movement between zones, or covert re-entry without valid credentials while appearing operational. |
| P0038.001 | Implant Covert Capture Device | Adversaries may install concealed hardware inside or behind card readers and PIN pads to intercept credential data passed to access controllers. Implants may sit inline on reader wiring or within the enclosure, capturing badge reads and PIN entry for later use while leaving the device outwardly functional. |