To secure access to a compromised system, attackers use persistence to make sure their backdoor remains installed and running across system reboots. This allows intruders to control the infected system in the future and to proceed with further exploitation of the target or its infrastructure. The sophistication of the persistence method usually depends on the system access rights the attackers have gained and on their tactics. The higher the access level, the more sophisticated and stealthy the persistence that can be applied.
In most cases persistence is the result of a change to the system's configuration which ensures that a payload deployed by the attacker is executed every time the system starts and keeps running afterwards, giving the attacker remote access. In such cases, attackers alter the configuration of the target computer: its file system, its registry, etc. However, techniques that do not alter the configuration of the target system exist and are usually more difficult to detect. An example of such a technique is the compromise of a domain controller in a Windows environment. In that case the attacker has control over the whole inventory of the Windows domain and may therefore instruct all or selected systems to execute malware remotely. The malware on the infected system then runs completely in memory, and its origin is difficult to detect. Additionally, the attacker can compromise the way authentication works on the network and therefore access systems without knowing the actual password of a user who has administrative access to a specified computer (known as the skeleton key technique).
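Because configuration-based persistence has to leave an autostart entry behind, a defender can find it by comparing the current autostart configuration with a known-good baseline. The following is an added example, not part of the original text; the snapshot format, the function names and every sample entry are constructed assumptions.

```python
"""Baseline diff of autostart configuration (all sample data is constructed)."""

# Each snapshot maps (location, entry name) -> command executed at startup.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"

# Constructed known-good snapshot taken from a clean build.
BASELINE = {
    (RUN_KEY, "SecurityHealth"): r"C:\Windows\System32\SecurityHealthSystray.exe",
    (SERVICES, "Spooler"): r"C:\Windows\System32\spoolsv.exe",
}

# Constructed snapshot of the same host taken later.
CURRENT = {
    (RUN_KEY, "SecurityHealth"): r"C:\Windows\System32\SecurityHealthSystray.exe",
    (RUN_KEY, "Updater"): r"C:\Users\Public\updater.exe",     # entry not in baseline
    (SERVICES, "Spooler"): r"C:\ProgramData\spoolsv.exe",      # binary path changed
}


def normalize(command):
    """Case-fold and strip quotes so cosmetic differences are not reported."""
    return command.strip().strip('"').lower()


def diff_autostart(baseline, current):
    """Return sorted findings as (kind, location, name, command) tuples."""
    findings = []
    for key, command in current.items():
        if key not in baseline:
            findings.append(("added", key[0], key[1], command))
        elif normalize(baseline[key]) != normalize(command):
            findings.append(("changed", key[0], key[1], command))
    for key, command in baseline.items():
        if key not in current:
            findings.append(("removed", key[0], key[1], command))
    return sorted(findings)


if __name__ == "__main__":
    for kind, location, name, command in diff_autostart(BASELINE, CURRENT):
        print(f"{kind:8} {location}\\{name} -> {command}")
```

A diff of this kind only covers persistence that changes local configuration. Malware pushed from a compromised domain controller and run purely in memory leaves no such entry on the host, which is why the text calls it harder to detect.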