ATAGS Tactic: Persistence
| ID | Name | Description | |
| ATAGS-T1066 | Backdoor | Threat actors may find and target various backdoors, or inject their own, within the victim ground station provider in the hopes of maintaining their attack. | |
| .001 | Hardware Backdoor | Threat actors may find and target various hardware backdoors within the victim spacecraft in the hopes of maintaining their attack. Once in orbit, mitigating the risk of various hardware backdoors becomes increasingly difficult for ground controllers. By targeting these specific vulnerabilities, threat actors are more likely to remain persistent on the victim spacecraft and perpetuate further attacks. | |
| .002 | Software Backdoor | Threat actors may inject code to create their own backdoor to establish persistent access to the spacecraft. This may be done through modification of code throughout the software supply chain or through modification of the software-defined radio configuration (if applicable). | |
| ATAGS-T1067 | Cloud Application Integration | Threat actors may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Threat actors may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends. | |
| ATAGS-T1068 | Cloud Scheduled Task / Jobs | Threat actors may abuse cloud-native task scheduling services (e.g., AWS EventBridge Scheduler, Azure Logic Apps) or the Ground Station's own scheduling API to trigger malicious code execution at specific times. Unlike OS-level tasks, these schedules persist in the cloud control plane. Attackers may use this to synchronize malicious data processing or exfiltration scripts with the precise Acquisition of Signal (AOS) windows of the target satellite. | |
| ATAGS-T1069 | Event Triggered Execution | Threat actors may establish persistence by hijacking cloud-native event triggers. Attackers may manipulate Cloud Event Rules (e.g., EventBridge, Azure Event Grid) to trigger malicious serverless functions or containers in response to standard mission events—such as Satellite Contact Finished, Data Delivered. This ensures malicious code executes automatically during normal mission operations. | |
| .001 | Accessibility Features | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. | |
| .002 | AppCert DLLs | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. | |
| .003 | AppInit DLLs | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. | |
| .004 | Application Shimming | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. | |
| .005 | Change Default File Association | Threat Actors may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. | |
| .006 | Component Object Model Hijacking | Threat Actors may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. | |
| .007 | Emond | Threat Actors may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. | |
| .008 | Image File Execution Options Injection | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). | |
| .009 | Installer Packages | Threat Actors may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation. | |
| .010 | LC_LOAD_DYLIB Addition | Threat Actors may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes. | |
| .011 | Netsh Helper DLL | Threat Actors may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. | |
| .012 | PowerShell Profile | Threat Actors may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. | |
| .013 | Python Startup Hooks | Threat Actors may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (.pth) files and the sitecustomize.py or usercustomize.pymodules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked. | |
| .014 | Screensaver | Threat Actors may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. | |
| .015 | Trap | Threat Actors may establish persistence by executing malicious content triggered by an interrupt signal. The trapcommand allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. | |
| .016 | Udev Rules | Threat Actors may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the /dev directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with match keysto specify the conditions a hardware event must meet and action keys to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in /etc/udev/rules.d/, /run/udev/rules.d/, /usr/lib/udev/rules.d/, /usr/local/lib/udev/rules.d/, and /lib/udev/rules.d/. Rule priority is determined by both directory and by the digit prefix in the rule filename. | |
| .017 | Unix Shell Configuration Modification | Threat Actors may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. | |
| .018 | Windows Management Instrumentation Event Subscription | Threat Actors may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime. | |
| ATAGS-T1070 | External Remote Services | Threat actors may leverage external-facing remote services to persist within the ground station management network. Adversaries may abuse legitimate access mechanisms such as Cloud Management Consoles, Bastion Hosts, or Reverse SSH Tunnels to maintain command and control channels. In a supply chain context, this may involve compromising the remote support channels used by the GSaaS provider for maintenance. | |
| ATAGS-T1071 | Implant Internal Image | Threat actors may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on Threat actors implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image. | |
| ATAGS-T1072 | Infrastructure File Infection | Threat actors may attempt to infect Infrastructure as Code (IaC) templates or Mission Profiles with malicious logic. These files (e.g., Terraform, CloudFormation, or JSON mission definitions) define the configuration of the ground station resources and data flows. By injecting malicious definitions into the engineering environment or CI/CD pipeline, adversaries ensure that newly provisioned resources or scheduled contacts automatically execute compromised logic upon instantiation. | |
| ATAGS-T1055 | Modify Authentication Process | Threat actors may modify the internal authentication process of the victim ground station to facilitate initial access, recurring execution, or prevent authorized entities from accessing the ground station. This can be done through the modification of the software binaries or memory manipulation techniques. | |
| .001 | Domain Controller Authentication | Threat Actors may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. | |
| .002 | Multi-Factor Authentication | Threat Actors may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. | |
| .003 | Network Device Authentication | Threat Actors may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. | |
| .004 | Network Provider DLL | Threat Actors may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening. | |
| .005 | Password Filter DLL | Threat Actors may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. | |
| .006 | Pluggable Authentication Modules | Threat Actors may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow. | |
| .007 | Reversible Encryption | An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it. | |
| .008 | Conditional Access Policies | Threat Actors may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource. | |
| .009 | Hybrid Identity | Threat Actors may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. | |
| ATAGS-T1074 | Server Software Component | Threat actors may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Threat actors may install malicious components to extend and abuse server applications. | |
| .001 | IIS Components | Threat Actors may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers. | |
| .002 | SQL Stored Procedures | Threat Actors may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). | |
| .003 | Terminal Services DLL | Threat Actors may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP. | |
| .004 | Transport Agent | Threat Actors may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. | |
| .005 | vSphere Installation Bundles | Threat Actors may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance. | |
| .006 | Web Shell | Threat Actors may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. | |
| ATAGS-T1075 | Software Extentions | Threat actors may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application. | |
| .001 | Browser Extentions | Threat Actors may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted. | |
| .002 | Hybrid Identity | Threat Actors may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. | |
| .003 | IDE extentions | Threat Actors may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems. IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., Compromise Software Dependencies and Development Tools) or side-loaded directly into the IDE. | |
| ATAGS-T1076 | Traffic Signaling | Threat actors may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. | |
| .001 | Port Knocking | Threat Actors may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. | |
| .002 | Socket Filters | Threat Actors may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, Threat Actors can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell. | |
| ATAGS-T1077 | Valid Credentialed Persistence | Threat actors may create, acquire or leverage valid credentials to maintain persistent access to a ground station or its supporting command and control (C2) systems. These credentials may include system service accounts, user accounts, maintenance access credentials, cryptographic keys, or other authentication mechanisms that enable continued entry without triggering access alarms. By operating with legitimate credentials, Threat actors can sustain access over extended periods, evade detection, and facilitate follow-on tactics such as command execution, data exfiltration, or lateral movement. Credentialed persistence is particularly effective in environments lacking strong credential lifecycle management, segmentation, or monitoring allowing threat actors to exploit trusted pathways while remaining embedded in mission operations. | |