# Persistence

```mermaid
graph TB
    A["🔁 Persistencia (TA0003)<br/>Manter acesso continuo"] --> B["📅 Scripts Boot/Logon<br/>T1037 - Inicializacao"]
    A --> C["🌐 Web Shell<br/>T1505.003 - Backdoor web"]
    A --> D["⚙️ Servicos do Sistema<br/>T1543 - Criar/modificar"]
    A --> E["🗓️ Tarefas Agendadas<br/>Execução automatica"]
    A --> F["🔌 Extensoes de Browser<br/>T1176 - Add-ons maliciosos"]
    A --> G["🖥️ Servicos Externos<br/>T1133 - VPN/RDP/SSH"]
    A --> H["💾 Bootkit/Firmware<br/>T1542 - Nivel mais baixo"]
```

> [!info] Overview
> The Persistence tactic groups the techniques that guarantee an attacker continued access to a compromised system even after reboots, credential changes or removal attempts. It is one of the most complex phases of the attack lifecycle, with 83 techniques ranging from simple scheduled tasks to firmware implants.
> **Techniques:** 83 techniques in this category, the second largest by volume, reflecting the wide variety of persistence mechanisms across platforms.
> **LATAM highlight:** Web shells (**T1505.003**) are the most documented persistence mechanism in attacks against Brazilian web servers, especially government and e-commerce systems running outdated applications.

> [!warning] Brazil/LATAM Context
> Web shells are routinely found on compromised servers of Brazilian municipal governments, universities and small businesses. Espionage groups operating in the region frequently use **T1133** (External Remote Services) to maintain access through legitimate VPNs with stolen credentials. Implanting **bootkits** (**T1542**) has been documented in Chinese APT campaigns against Latin American governments. Persistence through malicious browser extensions (**T1176**) is growing in banking-credential theft attacks in Brazil, exploited by groups such as **Mekotio** and **Casbaneiro**.
> **83 techniques** · Maintain access to the system even after reboots: implants, scheduled tasks, boot modification.

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nome"
FROM "ttp/techniques/persistence"
WHERE type = "technique"
SORT title ASC
```
%%

<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/persistence" WHERE type = "technique" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/persistence" WHERE type = "technique" SORT title ASC -->
| Note | Name |
| --- | --- |
| [[t1037-boot-or-logon-initialization-scripts\|T1037 - Boot or Logon Initialization Scripts]] | T1037 - Boot or Logon Initialization Scripts |
| [[t1037-001-logon-script-windows\|T1037.001 - Logon Script (Windows)]] | T1037.001 - Logon Script (Windows) |
| [[t1037-002-login-hook\|T1037.002 - Login Hook]] | T1037.002 - Login Hook |
| [[t1037-003-network-logon-script\|T1037.003 - Network Logon Script]] | T1037.003 - Network Logon Script |
| [[t1037-004-rc-scripts\|T1037.004 - RC Scripts]] | T1037.004 - RC Scripts |
| [[t1037-005-startup-items\|T1037.005 - Startup Items]] | T1037.005 - Startup Items |
| [[t1098-account-manipulation\|T1098 - Account Manipulation]] | T1098 - Account Manipulation |
| [[t1098-001-additional-cloud-credentials\|T1098.001 - Additional Cloud Credentials]] | T1098.001 - Additional Cloud Credentials |
| [[t1098-002-additional-email-delegate-permissions\|T1098.002 - Additional Email Delegate Permissions]] | T1098.002 - Additional Email Delegate Permissions |
| [[t1098-003-additional-cloud-roles\|T1098.003 - Additional Cloud Roles]] | T1098.003 - Additional Cloud Roles |
| [[t1098-004-ssh-authorized-keys\|T1098.004 - SSH Authorized Keys]] | T1098.004 - SSH Authorized Keys |
| [[t1098-005-device-registration\|T1098.005 - Device Registration]] | T1098.005 - Device Registration |
| [[t1098-006-additional-container-cluster-roles\|T1098.006 - Additional Container Cluster Roles]] | T1098.006 - Additional Container Cluster Roles |
| [[t1098-007-additional-local-or-domain-groups\|T1098.007 - Additional Local or Domain Groups]] | T1098.007 - Additional Local or Domain Groups |
| [[t1133-external-remote-services\|T1133 - External Remote Services]] | T1133 - External Remote Services |
| [[t1136-create-account\|T1136 - Create Account]] | T1136 - Create Account |
| [[t1136-001-local-account\|T1136.001 - Local Account]] | T1136.001 - Local Account |
| [[t1136-002-domain-account\|T1136.002 - Domain Account]] | T1136.002 - Domain Account |
| [[t1136-003-cloud-account\|T1136.003 - Cloud Account Creation]] | T1136.003 - Cloud Account Creation |
| [[t1137-office-application-startup\|T1137 - Office Application Startup]] | T1137 - Office Application Startup |
| [[t1137-001-office-template-macros\|T1137.001 - Office Template Macros]] | T1137.001 - Office Template Macros |
| [[t1137-002-office-test\|T1137.002 - Office Test]] | T1137.002 - Office Test |
| [[t1137-003-outlook-forms\|T1137.003 - Outlook Forms]] | T1137.003 - Outlook Forms |
| [[t1137-004-outlook-home-page\|T1137.004 - Outlook Home Page]] | T1137.004 - Outlook Home Page |
| [[t1137-005-outlook-rules\|T1137.005 - Outlook Rules]] | T1137.005 - Outlook Rules |
| [[t1137-006-add-ins\|T1137.006 - Add-ins]] | T1137.006 - Add-ins |
| [[t1176-browser-extensions\|T1176 - Browser Extensions]] | T1176 - Browser Extensions |
| [[t1176-software-extensions\|T1176 - Software Extensions]] | T1176 - Software Extensions |
| [[t1176-001-browser-extensions\|T1176.001 - Browser Extensions]] | T1176.001 - Browser Extensions |
| [[t1176-002-ide-extensions\|T1176.002 - IDE Extensions]] | T1176.002 - IDE Extensions |
| [[t1505-server-software-component\|T1505 - Server Software Component]] | T1505 - Server Software Component |
| [[t1505-001-sql-stored-procedures\|T1505.001 - SQL Stored Procedures]] | T1505.001 - SQL Stored Procedures |
| [[t1505-002-transport-agent\|T1505.002 - Transport Agent]] | T1505.002 - Transport Agent |
| [[t1505-003-web-shell\|T1505.003 - Server Software Component: Web Shell]] | T1505.003 - Server Software Component: Web Shell |
| [[t1505-004-iis-components\|T1505.004 - IIS Components]] | T1505.004 - IIS Components |
| [[t1505-005-terminal-services-dll\|T1505.005 - Terminal Services DLL]] | T1505.005 - Terminal Services DLL |
| [[t1505-006-vsphere-installation-bundles\|T1505.006 - vSphere Installation Bundles]] | T1505.006 - vSphere Installation Bundles |
| [[t1525-implant-internal-image\|T1525 - Implant Internal Image]] | T1525 - Implant Internal Image |
| [[t1542-001-system-firmware\|T1542.001 - System Firmware]] | T1542.001 - System Firmware |
| [[t1542-002-component-firmware\|T1542.002 - Component Firmware]] | T1542.002 - Component Firmware |
| [[t1542-003-bootkit\|T1542.003 - Pre-OS Boot: Bootkit]] | T1542.003 - Pre-OS Boot: Bootkit |
| [[t1543-create-or-modify-system-process\|T1543 - Create or Modify System Process]] | T1543 - Create or Modify System Process |
| [[t1543-001-launch-agent\|T1543.001 - Launch Agent]] | T1543.001 - Launch Agent |
| [[t1543-002-systemd-service\|T1543.002 - Systemd Service]] | T1543.002 - Systemd Service |
| [[t1543-003-windows-service\|T1543.003 - Windows Service]] | T1543.003 - Windows Service |
| [[t1543-004-launch-daemon\|T1543.004 - Launch Daemon]] | T1543.004 - Launch Daemon |
| [[t1543-005-container-service\|T1543.005 - Container Service]] | T1543.005 - Container Service |
| [[ttp/techniques/persistence/t1546-003-windows-management-instrumentation-event-subscription.md\|T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription]] | T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| [[ttp/techniques/persistence/t1546-014-emond.md\|T1546.014 - Event Triggered Execution: Emond]] | T1546.014 - Event Triggered Execution: Emond |
| [[ttp/techniques/persistence/t1546-015-component-object-model-hijacking.md\|T1546.015 - Event Triggered Execution: Component Object Model Hijacking]] | T1546.015 - Event Triggered Execution: Component Object Model Hijacking |
| [[t1546-017-udev-rules\|T1546.017 - Udev Rules]] | T1546.017 - Udev Rules |
| [[t1546-018-python-startup-hooks\|T1546.018 - Python Startup Hooks]] | T1546.018 - Python Startup Hooks |
| [[t1547-boot-logon-autostart-execution\|T1547 - Boot or Logon Autostart Execution]] | T1547 - Boot or Logon Autostart Execution |
| [[t1547-boot-or-logon-autostart-execution\|T1547 - Boot or Logon Autostart Execution]] | T1547 - Boot or Logon Autostart Execution |
| [[t1547-001-registry-run-keys\|T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys]] | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys |
| [[t1547-001-registry-run-keys-startup-folder\|T1547.001 - Registry Run Keys / Startup Folder]] | T1547.001 - Registry Run Keys / Startup Folder |
| [[t1547-002-authentication-package\|T1547.002 - Authentication Package]] | T1547.002 - Authentication Package |
| [[t1547-003-time-providers\|T1547.003 - Time Providers]] | T1547.003 - Time Providers |
| [[t1547-004-winlogon-helper-dll\|T1547.004 - Winlogon Helper DLL]] | T1547.004 - Winlogon Helper DLL |
| [[t1547-005-security-support-provider\|T1547.005 - Security Support Provider]] | T1547.005 - Security Support Provider |
| [[t1547-006-kernel-modules-and-extensions\|T1547.006 - Kernel Modules and Extensions]] | T1547.006 - Kernel Modules and Extensions |
| [[t1547-007-re-opened-applications\|T1547.007 - Re-opened Applications]] | T1547.007 - Re-opened Applications |
| [[t1547-008-lsass-driver\|T1547.008 - LSASS Driver]] | T1547.008 - LSASS Driver |
| [[t1547-009-shortcut-modification\|T1547.009 - Shortcut Modification]] | T1547.009 - Shortcut Modification |
| [[t1547-010-port-monitors\|T1547.010 - Port Monitors]] | T1547.010 - Port Monitors |
| [[t1547-012-print-processors\|T1547.012 - Print Processors]] | T1547.012 - Print Processors |
| [[t1547-013-xdg-autostart-entries\|T1547.013 - XDG Autostart Entries]] | T1547.013 - XDG Autostart Entries |
| [[t1547-014-active-setup\|T1547.014 - Active Setup]] | T1547.014 - Active Setup |
| [[t1547-015-login-items\|T1547.015 - Login Items]] | T1547.015 - Login Items |
| [[t1554-compromise-host-software-binary\|T1554 - Compromise Host Software Binary]] | T1554 - Compromise Host Software Binary |
| [[t1574-hijack-execution-flow\|T1574 - Hijack Execution Flow]] | T1574 - Hijack Execution Flow |
| [[t1574-001-dll\|T1574.001 - DLL]] | T1574.001 - DLL |
| [[t1574-004-dylib-hijacking\|T1574.004 - Dylib Hijacking]] | T1574.004 - Dylib Hijacking |
| [[t1574-005-executable-installer-file-permissions-weakness\|T1574.005 - Executable Installer File Permissions Weakness]] | T1574.005 - Executable Installer File Permissions Weakness |
| [[t1574-006-dynamic-linker-hijacking\|T1574.006 - Dynamic Linker Hijacking]] | T1574.006 - Dynamic Linker Hijacking |
| [[t1574-007-path-interception-by-path-environment-variable\|T1574.007 - Path Interception by PATH Environment Variable]] | T1574.007 - Path Interception by PATH Environment Variable |
| [[t1574-008-path-interception-by-search-order-hijacking\|T1574.008 - Path Interception by Search Order Hijacking]] | T1574.008 - Path Interception by Search Order Hijacking |
| [[t1574-009-path-interception-by-unquoted-path\|T1574.009 - Path Interception by Unquoted Path]] | T1574.009 - Path Interception by Unquoted Path |
| [[t1574-010-services-file-permissions-weakness\|T1574.010 - Services File Permissions Weakness]] | T1574.010 - Services File Permissions Weakness |
| [[t1574-011-services-registry-permissions-weakness\|T1574.011 - Services Registry Permissions Weakness]] | T1574.011 - Services Registry Permissions Weakness |
| [[t1574-012-corprofiler\|T1574.012 - COR_PROFILER]] | T1574.012 - COR_PROFILER |
| [[t1574-013-kernelcallbacktable\|T1574.013 - KernelCallbackTable]] | T1574.013 - KernelCallbackTable |
| [[t1574-014-appdomainmanager\|T1574.014 - AppDomainManager]] | T1574.014 - AppDomainManager |
| [[t1653-power-settings\|T1653 - Power Settings]] | T1653 - Power Settings |
| [[t1668-exclusive-control\|T1668 - Exclusive Control]] | T1668 - Exclusive Control |
| [[ttp/techniques/persistence/t1671-cloud-application-integration.md\|T1671 - Cloud Application Integration]] | T1671 - Cloud Application Integration |
<!-- SerializedQuery END -->

---

**Navigation:** [[_techniques|Techniques]] · [[_tactics|Tactics]] · [[_procedures|Procedures]]