A method of staying on a system by adding execution paths that run automatically at login or startup, such as scheduled tasks or registry entries. It is common in malware because it survives reboots and can re-establish access even after the initial lure is removed.
Expanded Definition
persistence via autorun is a post-compromise technique that preserves an attacker’s ability to regain execution after reboot, logout, or user session reset by embedding startup-triggered execution paths. In NHI and endpoint investigations, it often appears as scheduled tasks, Run keys, startup folders, login scripts, launch agents, or service configurations that relaunch a payload without requiring a fresh phishing lure or exploit. The security significance is that autorun persistence converts a one-time foothold into repeatable access, which makes containment harder and incident timelines longer.
Definitions vary across vendors on whether a given autorun mechanism counts as “persistence” only when it directly launches malware, or whenever it can be abused to launch any attacker-controlled code. NHI Management Group treats the term operationally: if the mechanism survives normal user restarts and can restore execution authority, it is persistence regardless of the original delivery path. The closest standards-adjacent framing is found in MITRE ATT&CK, which catalogs startup and logon mechanisms as common adversary techniques. The most common misapplication is treating autorun entries as harmless system configuration, which occurs when defenders review them only for availability issues and not for unauthorized code execution paths.
Examples and Use Cases
Implementing detection and response for autorun persistence rigorously often introduces noise and administrative overhead, requiring organisations to weigh startup reliability against the cost of frequent review and false-positive triage.
- A compromised service account creates a scheduled task that relaunches a script every morning, allowing the attacker to re-establish access after the host reboots.
- An attacker adds a registry Run key on a Windows workstation so a token-stealing loader executes at user logon, even if the original payload is removed.
- A Linux foothold is maintained through a systemd service or cron entry, keeping malicious tooling present across restarts and maintenance windows.
- A macOS launch agent is used to re-run an agentic tool with stolen credentials, creating durable access that survives normal user sessions.
- During an investigation, persistence artifacts are mapped alongside identity abuse patterns in the Salt Typhoon US telecoms breach case study, where long-lived access and credential misuse amplified operational impact.
For defensive context, NIST Cybersecurity Framework 2.0 helps organisations connect these artifacts to broader detection and recovery workflows rather than treating them as isolated endpoint curiosities.
Why It Matters in NHI Security
Autorun persistence is especially dangerous in NHI environments because service accounts, API keys, and automation tokens can be paired with scheduled execution to recreate access without interactive login. Once a secret is stolen, the attacker does not need to “stay logged in” if the system itself will relaunch code on their behalf. That is why persistence analysis belongs in the same control conversation as secret rotation, entitlement reduction, and offboarding. NHI Management Group research shows that 91.6% of secrets remain valid five days after the targeted organisation is notified, which means delayed remediation gives persistence mechanism time to keep working and to spread across tooling. The risk is not just initial compromise, but repeated re-entry through the same trusted path.
This is also where zero trust and identity governance intersect with endpoint hardening. Ultimate Guide to NHIs shows how poor visibility and excess privilege amplify NHI abuse, while NIST Cybersecurity Framework 2.0 provides the governance lens for reducing blast radius and improving recovery discipline. Organisations typically encounter the full cost of autorun persistence only after an eradication attempt fails and the same actor reappears on the next boot, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Persistent autorun paths often depend on exposed secrets or abused service accounts. |
| NIST CSF 2.0 | DE.CM-8 | Persistence artifacts are discovered through continuous monitoring of systems and identities. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Autorun persistence exploits overly trusted execution paths, conflicting with least privilege. |
Limit auto-start privileges and require policy-based approval for persistent execution mechanisms.
