The Mitre Att&ck Matrix has defined 19 techniques under the Persistence category.
Account Manipulation is when a threat actor modifies an existing account to maintain access. Be it from credentials to permissions.
BITS Jobs, This is when a threat actor sets up to ensure that a back door can routinely be established.
Boot or Logon Autostart Execution is when a threat actor configures the boot/logon settings to execute software used as a back door after every reboot or logon.
Boot or Logon Initialization Scripts is when a threat actor configures a script to launch a backdoor on each system reboot or logon.
Browser Extensions are malicious browser extensions the threat actor installs to enable a back door when the web browser is running.
Compromise Client Software Binary, Software that operates as a client for a service could be modified to enable a back door for a threat actor to use for persistence.
Create Account is when a threat actor creates an account that the threat actor can use to maintain access to a system.
Create or Modify System Process is when a threat actor sets up a backdoor to run as a service.
Event Triggered Execution is when a threat actor configures a service that triggers events upon actions to launch a back door program.
External Remote Services are when a threat actor sets up a VNC/RDP server or enables VNC/RDP for certain users to connect remotely through VNC/RDP.
Hijack Execution Flow is when a threat actor utilizes a flaw in how processes to launch to trick the Operating System into launching a back door application instead. Not wrapping a path in Quotes when folders contain a space makes you vulnerable. One example is the path, C:\Windows Vulnerability\legit.exe instead of “C:\Windows Vulnerability\legit.exe”, which would allow C:\Windows\exploit.exe to run instead.
Implant Internal Image is when a threat actor injects a back door into a cloud image known to be in a cloud environment. When a new instance starts, a new copy of the back door executes.
Modify Authentication Process is when a threat actor manipulates an authentication mechanism to downgrade authentication security so that authentication gets skipped altogether.
Office Application Startup is when a threat actor setups macros in office documents to launch a back door once a user opens a document.
Pre-OS Boot is when a threat actor infects the system bios/UEFI to keep a back door running the moment a pc/server powers on.
Scheduled Task/Job is when a threat actor sets or modifies a scheduled task to launch a back door at set intervals.
Server Software Component is when a threat actor reconfigures a server to provide an additional method of entry.
Traffic Signalling is when a threat actor sets up a service that will activate when you ping ports in a specific order. An example would be for a threat actor to use a back door, an connection from ports 80,21,443 are established before a backdoor running at port 22 becomes available.
Valid Accounts are when a threat actor utilizes an account with known credentials to hide their actions. It will be harder to detect activity from known accounts that you expect to see similar activity.