Backdoor & Persistence Identification

Backdoor and persistence identification focuses on uncovering mechanisms attackers use to maintain long-term access to systems even after their initial intrusion point is closed. These mechanisms allow adversaries to quietly re-enter the environment, execute commands, exfiltrate data, deploy malware, or continue lateral movement. Effective DFIR requires locating and removing all persistence points to ensure true remediation.


Understanding Backdoors and Persistence

A backdoor provides unauthorized remote access.
Persistence keeps that access alive across reboots, logouts, patches, or resets.

Attackers commonly combine both:

  • A backdoor implant (malware, web shell, rogue account)

  • A persistence mechanism (registry key, service, scheduled task, startup script)

The goal is to avoid detection and regain access at will.


Categories of Persistence Mechanisms


Account-Based Persistence

Attackers create or abuse accounts.

Examples:

  • New admin users

  • Modified passwords

  • Privileged domain accounts

  • SSH authorized_keys additions

  • OAuth tokens and cloud identity grants

Investigators check:

  • Local and domain account lists

  • Password last-set times

  • Newly added keys

  • Identity provider logs


Service and Process Persistence

Attackers create malicious services or modify legitimate ones.

Common techniques:

  • New Windows services

  • Autostarted Linux daemons

  • Tampered systemd units

  • Launch agents on macOS

Evidence sources:

  • Windows Event Logs

  • Systemd service files

  • LaunchAgents and LaunchDaemons


Scheduled Task Persistence

Tasks triggered on:

  • Startup

  • Logon

  • Time schedule

  • Specific events

Check locations:

  • Windows Task Scheduler

  • cron jobs

  • atd jobs

  • Timed scripts

These are frequently used to execute malware repeatedly.


Registry-Based Persistence (Windows)

Common registry paths include:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Also investigate:

  • Services keys

  • Shell modifications

  • AppInit_DLLs

  • Winlogon keys

  • Startup approved lists

Registry persistence is widely used because of its flexibility: a single string value can launch any command at boot or logon without dropping a service or task.
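The run keys above are normally reviewed by exporting them and comparing the result against a known-good baseline. The script below is an added example written for this page, not a tool from any vendor: it parses a constructed dump in the text format produced by `reg export`, compares each value with a constructed baseline, and flags entries that are unknown, changed, or launched from a user-writable directory. The entry names, paths and baseline contents are all made up for the demonstration.

```python
"""Triage of Windows Run/RunOnce registry exports against a known-good baseline.

Added example for this page, not tooling from any vendor: the dump, baseline and
entry names below are constructed to illustrate the checks.
"""
import re
from dataclasses import dataclass

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
USER_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline: (key, value name) -> command previously verified on a
# clean reference image. In practice this comes from a gold image or earlier triage.
BASELINE = {
    (RUN_KEY, "SecurityHealth"): r"%windir%\system32\SecurityHealthSystray.exe",
    (RUN_KEY, "VMware User Process"): r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
    (USER_RUN_KEY, "OneDrive"): r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Lower-cased path fragments of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

# Constructed sample in the text format written by `reg export`; backslashes and
# embedded quotes are escaped with a backslash, as in a real .reg file.
SAMPLE_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\ProgramData\\Health\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SysUpdate"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\Temp\\cleanup.exe"
'''


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str


@dataclass
class Finding:
    entry: AutorunEntry
    reasons: list


VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text):
    # .reg escaping: a backslash protects the next character (\\ -> \, \" -> ")
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return string (REG_SZ) values from a .reg export as AutorunEntry objects."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        # Only quoted string data is handled; dword:/hex: values (including
        # REG_EXPAND_SZ stored as hex(2)) are skipped in this example.
        if key is None or not m or not (m.group(2).startswith('"') and m.group(2).endswith('"')):
            continue
        entries.append(AutorunEntry(key, _unescape(m.group(1)), _unescape(m.group(2)[1:-1])))
    return entries


def image_path(command):
    """Executable portion of a Run value: the quoted path, else the first token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries, baseline=BASELINE):
    """Flag entries that are unknown, changed, or launched from user-writable paths."""
    known = {(k.lower(), n.lower()): v.lower() for (k, n), v in baseline.items()}
    findings = []
    for e in entries:
        reasons = []
        expected = known.get((e.key.lower(), e.name.lower()))
        if expected is None:
            reasons.append("not in baseline")
        elif expected != e.command.lower():
            reasons.append("command differs from baseline")
        # The path heuristic is skipped for exact baseline matches: verified
        # software (OneDrive here) legitimately lives under AppData.
        if reasons and any(frag in image_path(e.command).lower() for frag in USER_WRITABLE):
            reasons.append("executable in user-writable directory")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_DUMP)):
        print(f"{f.entry.key}\\{f.entry.name}: {f.entry.command}\n    -> {', '.join(f.reasons)}")
```

Running it flags the tampered SecurityHealth value (same name as the baseline entry, different path), the unknown SysUpdate value in a Temp folder, and the RunOnce Cleanup entry; the baseline-matching VMware and OneDrive values stay quiet.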


File System–Based Persistence

Examples:

  • Startup folder shortcuts

  • Modified binaries

  • DLL hijacking

  • Replacement of system executables

  • Dropped files in autoload paths

Indicators:

  • Unknown EXEs in startup folders

  • Timestamp anomalies

  • Hash mismatches

  • Suspicious DLL load orders


Web Shell Persistence

Web servers may contain:

  • PHP shells

  • ASPX shells

  • JSP backdoors

  • Hidden directories

  • Modified .htaccess files

Check:

  • Web root directories

  • Upload folders

  • Web server logs

Web shells often survive resets and allow full remote control.


Network-Based Backdoors

Attackers use covert channels such as:

  • Reverse shells

  • Covert DNS tunnels

  • ICMP tunnels

  • Custom C2 protocols

Investigators analyze:

  • PCAPs

  • DNS logs

  • Firewall logs

  • EDR telemetry

Network anomalies frequently reveal hidden backdoors.


Boot and Firmware Persistence

High-level techniques include:

  • Bootloader tampering

  • UEFI implants

  • Persistence in firmware (rare but severe)

Evidence from:

  • Boot logs

  • Firmware integrity checks

  • Secure Boot status

This category is used by advanced threat actors.


How Attackers Install Persistence


1. Using Built-in OS Features

Examples:

  • PowerShell profiles

  • Registry run keys

  • Windows service creation

  • Linux cron jobs

  • systemd user services

  • LaunchAgents on macOS

These generate legitimate-looking entries.


2. Dropping Backdoor Binaries

Attackers place:

  • Encrypted payloads

  • RATs

  • Trojans

  • Keyloggers

  • Credential stealers

They often disguise names to mimic system files.


3. Modifying Legitimate Software

Examples:

  • DLL search order hijacking

  • Replacing scheduled task binaries

  • Tampering with startup executables

These methods hide in plain sight.


4. Abuse of Remote Access Tools

Attackers use:

  • AnyDesk

  • TeamViewer

  • RDP shadowing

  • SSH tunnels

  • ngrok-like tunnels

These tools appear legitimate but provide silent backdoor access.


Key Techniques for Detecting Backdoors and Persistence


1. Examine Autorun Locations

Check:

  • Registry run keys

  • Startup folders

  • Services

  • Browser extensions

  • Systemd units

  • Cron jobs

Unknown entries are strong indicators.


2. Analyze Recent Account Activity

Look for:

  • Newly added users

  • Users elevated to admin

  • Password resets

  • Suspicious SSH keys

  • Cloud IAM manipulation

Account tampering is common.


3. Inspect Network Connections

Identify:

  • Persistent outbound connections

  • Repeated connections to unknown IPs

  • Beacon intervals

  • Non-standard ports

  • HTTP POST anomalies

Backdoors often “phone home.”
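Beacon intervals are the most mechanical of the indicators above: a backdoor that checks in every N seconds produces connection gaps with almost no variance, while a user's browsing produces bursts and long idle periods. The script below is an added example for this page, not the project's or any vendor's code. It builds constructed firewall log lines (documentation IP ranges from RFC 5737, fixed offsets so the run is deterministic), groups connections by source, destination and port, and reports flows whose gap timing is nearly constant.

```python
"""Beacon-interval detection over firewall connection logs.

Added example for this page; the log lines are constructed (RFC 5737
documentation addresses) from fixed offset lists so the run is deterministic.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def _constructed_log():
    """Build sample lines: one periodic flow, one bursty interactive flow, one short flow."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    flows = [
        # near-constant ~60 s spacing with small jitter: what a beacon looks like
        ("10.0.0.5", "203.0.113.10", 443, [0, 60, 119, 181, 240, 299, 361, 420, 480, 541]),
        # a user browsing: bursts of requests separated by long idle gaps
        ("10.0.0.5", "198.51.100.20", 443, [0, 5, 7, 130, 131, 400, 402, 405, 900, 901]),
        # too few connections to judge
        ("10.0.0.7", "203.0.113.40", 22, [0, 3600]),
    ]
    lines = []
    for src, dst, dport, offsets in flows:
        for i, off in enumerate(offsets):
            ts = (t0 + timedelta(seconds=off)).strftime("%Y-%m-%dT%H:%M:%SZ")
            lines.append(f"{ts} ALLOW TCP {src}:{50000 + i} -> {dst}:{dport} bytes=512")
    return sorted(lines)


SAMPLE_LOG = _constructed_log()


def parse(lines):
    """Yield (timestamp, src, dst, dport) for lines matching the expected format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["dport"])


def find_beacons(lines, min_connections=4, max_cv=0.2):
    """Return flows whose inter-connection gaps are nearly constant.

    cv = stdev / mean of the gaps; a value near 0 means clockwork timing, which
    humans and most interactive applications do not produce over many connections.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        flows[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"count": len(times), "mean_interval": round(mean, 1), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport}  n={stats['count']} every ~{stats['mean_interval']}s cv={stats['cv']}")
```

The threshold values are assumptions to tune per environment: legitimate software updaters and monitoring agents also poll on fixed schedules, so a periodic flow is a lead to enrich with destination reputation and process telemetry, not a verdict on its own.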


4. Audit Services and Scheduled Tasks

Look for:

  • Services with odd names

  • Executables in strange paths

  • Tasks triggered frequently

  • Tasks running PowerShell commands

Most ransomware actors rely heavily on this.
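The four signs above can be checked mechanically against exported task and service definitions. The script below is an added example for this page, not a tool from any vendor: it triages a constructed list of task records (name, the stored command line, repeat interval), decodes PowerShell -EncodedCommand arguments (base64 of UTF-16LE text, accepted under any unambiguous prefix such as -e, -ec or -enc), and flags script hosts, hidden windows, execution-policy overrides, user-writable paths and short repeat intervals. The encoded payload is a harmless Write-Output built inside the script for the demonstration.

```python
"""Triage of scheduled-task and service command lines for persistence signs.

Added example for this page; the task records are constructed, and the encoded
PowerShell payload is a harmless Write-Output built here for the demonstration.
"""
import base64
import ntpath
import re
from dataclasses import dataclass

# Interpreters that a persistence entry commonly launches instead of a plain
# executable; any of them in a task calls for a look at the arguments.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample script, encoded the way -EncodedCommand expects: UTF-16LE, then base64.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed task list: name, the "Task To Run" command line, and the repeat
# interval in minutes (None when the trigger does not repeat).
SAMPLE_TASKS = [
    {"name": "ScheduledDefrag", "command": r"%windir%\system32\defrag.exe -c -h -k", "repeat_minutes": None},
    {"name": "NightlySync", "command": r'"C:\Program Files\Acme\sync.exe" --nightly', "repeat_minutes": None},
    {"name": "Updater",
     "command": f"powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand {SAMPLE_ENCODED}",
     "repeat_minutes": 5},
    {"name": "Maintenance", "command": r"wscript.exe C:\Users\alice\AppData\Roaming\tmp.vbs", "repeat_minutes": 10},
]


@dataclass
class Finding:
    name: str
    reasons: list
    decoded: str = None


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (-e, -ec, -enc, ... are accepted), else None."""
    toks = tokens(cmdline)
    for i, tok in enumerate(toks[:-1]):
        if not tok.startswith(("-", "/")) or len(tok) < 2:
            continue
        word = tok[1:].lower()
        if word == "ec" or "encodedcommand".startswith(word):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # argument is not valid base64 / UTF-16LE
    return None


def triage_task(task):
    """Collect reasons a task looks like persistence; None if nothing stands out."""
    reasons, low = [], task["command"].lower()
    toks = tokens(task["command"])
    exe = ntpath.basename(toks[0]).lower() if toks else ""
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe}")
    decoded = decode_encoded_command(task["command"])
    if decoded is not None:
        reasons.append("encoded command")
    if re.search(r"-w(?:indowstyle)?\s+hidden", low):
        reasons.append("hidden window")
    if re.search(r"-e(?:p|x|xecutionpolicy)\s+(?:bypass|unrestricted)", low):
        reasons.append("execution policy bypass")
    if any(frag in t.lower() for t in toks for frag in USER_WRITABLE):
        reasons.append("path in user-writable directory")
    minutes = task.get("repeat_minutes")
    if minutes is not None and minutes <= 15:
        reasons.append(f"repeats every {minutes} min")
    return Finding(task["name"], reasons, decoded) if reasons else None


def triage_tasks(tasks):
    return [f for f in (triage_task(t) for t in tasks) if f]


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_TASKS):
        print(f"{f.name}: {', '.join(f.reasons)}")
        if f.decoded is not None:
            print(f"    decoded: {f.decoded}")
```

The same checks apply to service ImagePath values and Run keys once their command lines are extracted; decoding the encoded command is what lets an analyst read the intent instead of only noting that something was hidden.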


5. Check File System for Suspicious Executables

Use:

  • Hash comparison

  • Timestamp analysis

  • Entropy scans

  • Directory sweeps

Unusual EXEs and DLLs often reveal persistence paths.
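Hash comparison, entropy scanning and timestamp analysis are usually run together in one directory sweep. The script below is an added example for this page, not a vendor tool: it builds a constructed file tree in a temporary directory, then reports files whose SHA-256 is absent from or differs from a constructed baseline, whose Shannon entropy is near the 8 bits/byte ceiling (typical of packed or encrypted payloads), or whose modification time falls after an assumed incident start.

```python
"""Directory sweep combining hash baseline, Shannon entropy and timestamp checks.

Added example for this page; the file tree, baseline, incident window and
timestamps are all constructed in a temporary directory so it runs anywhere.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from datetime import datetime

# Constructed contents. The "packed" sample cycles through every byte value, which
# gives exactly 8 bits/byte of entropy, the ceiling for any byte stream.
GOOD_CONTENT = b"MZ" + b"constructed low-entropy executable body " * 50
TAMPERED_CONTENT = b"MZ" + b"constructed body with an added stage " * 50
PACKED_CONTENT = bytes(range(256)) * 16

# Known-good hashes per relative path, as collected from a gold image (constructed).
BASELINE = {
    "System32/good.exe": hashlib.sha256(GOOD_CONTENT).hexdigest(),
    "System32/tool.exe": hashlib.sha256(GOOD_CONTENT).hexdigest(),  # on disk it will differ
}

# Assumed start of the incident window; files touched after it get a closer look.
INCIDENT_START = datetime(2024, 3, 1, 9, 0, 0)


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_sample_tree(root):
    """Write the constructed files and set mtimes relative to the incident window."""
    os.makedirs(os.path.join(root, "System32"), exist_ok=True)
    before = datetime(2024, 1, 15, 12, 0, 0).timestamp()
    after = datetime(2024, 3, 1, 9, 30, 0).timestamp()
    for rel, content, mtime in [
        ("System32/good.exe", GOOD_CONTENT, before),       # untouched, in baseline
        ("System32/tool.exe", TAMPERED_CONTENT, after),    # in baseline, content replaced
        ("System32/helper.dll", PACKED_CONTENT, after),    # unknown, high entropy
    ]:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))


def sweep(root, baseline=BASELINE, incident_start=INCIDENT_START, entropy_threshold=7.2):
    """Return {relative path: [reasons]} for files that deserve analyst attention."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            digest = hashlib.sha256(data).hexdigest()
            if rel not in baseline:
                reasons.append("not in hash baseline")
            elif baseline[rel] != digest:
                reasons.append("hash differs from baseline")
            if shannon_entropy(data) > entropy_threshold:
                reasons.append("high entropy (packed or encrypted?)")
            if datetime.fromtimestamp(os.path.getmtime(path)) >= incident_start:
                reasons.append("modified after incident start")
            if reasons:
                findings[rel] = reasons
    return findings


def run_demo():
    """Build the constructed tree in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

The entropy threshold is an assumption; legitimately compressed resources and signed installers also score high, so treat entropy as a prioritisation signal and confirm with the hash and timestamp results before calling a file malicious.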


6. Analyze Memory

Memory forensics can show:

  • Injected code

  • Hidden processes

  • Unlinked execution threads

  • Active network tunnels

Volatility and Rekall help uncover memory-only backdoors.


7. Review Cloud Identity Logs

Cloud persistence includes:

  • OAuth token grants

  • IAM policy changes

  • API keys

  • Serverless function backdoors

  • Suspicious storage access

Cloud logs often expose hidden remote access.


Tools for Detecting Backdoors and Persistence

  • Sysmon

  • KAPE

  • Autoruns

  • Volatility

  • ELK Stack

  • Velociraptor

  • OSQuery

  • Sigma rules

  • Splunk queries

  • YARA scanners

  • Auditd and Syslog

  • Windows Event Logs

  • EDR telemetry

Combining these provides high visibility.


Indicators of Backdoors or Persistence

  • Unknown user accounts

  • Services pointing to unusual executables

  • Scheduled tasks with encoded PowerShell

  • Registry modifications at odd times

  • New SSH keys

  • Repeated connections to rare IPs

  • High-entropy binaries in system folders

  • Disabled security tools

  • New OAuth applications

  • Backups deleted or disabled

Any one of these warrants further investigation.


Intel Dump

  • Backdoors provide unauthorized access; persistence mechanisms keep that access alive after reboots, patches, or resets.

  • Attackers use accounts, services, scheduled tasks, registry keys, DLL hijacking, startup folders, web shells, remote access tools, and network tunnels to maintain footholds.

  • Investigators detect persistence by analyzing autorun locations, user accounts, services, tasks, network connections, memory artifacts, and cloud IAM logs.

  • Tools like Sysmon, KAPE, Autoruns, Volatility, ELK, Velociraptor, OSQuery, and EDR telemetry help uncover hidden persistence.
