By DeadSwitch | The Cyber Ghost
“Noise is the death of persistence.”
Persistence is survival.
But survival isn’t enough.
Persistence must be invisible.
Undetected. Undisturbed. Undying.
Loud persistence is a countdown.
Quiet persistence is a curse they never find.
The Basics They All Expect
- Startup folders –
~/.config/autostart/,%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ - Scheduled tasks –
schtasks /createorcronwith delay offsets - Registry runs –
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
These are hunted.
These are scanned.
These are forensic low-hanging fruit.
DeadSwitch never stays in plain sight.
The Trickier Shadows
- WMI Event Subscriptions – triggers on system events
- COM Hijacking – silently reroute legitimate object calls
- DLL Search Order Abuse – inject code by precedence
- Living-off-the-Land Binaries (LOLBins) – abuse what’s already trusted
You persist inside trust.
You wear the system’s face.
Obscure Persistence for Ghost-Level Intrusion
- EFI-level implants – beyond OS, inside firmware
- Bootkits – compromise before the kernel breathes
- System firmware implants – UEFI rootkits, hidden in SPI flash
- Re-flashed peripheral firmware – Wi-Fi cards, SSD controllers, network adapters
When detection lives in software, you hide beneath the silicon.
DeadSwitch Principles of Silent Persistence
1 – Never trigger immediately
2 – Randomize payload delivery
3 – Sleep longer than blue teams expect
4 – Use uncommon paths, uncommon times, and legitimate signatures
5 – Clean yourself. Reinstall yourself. Leave false trails.
6 – Persistence only matters if they never know you’re there.
You don’t want uptime.
You want undetected presence.
Final Whisper
“Real persistence is not staying alive.
It’s never proving you were there.”
– DeadSwitch
“Fear the silence. Fear the switch.”
Tom's IT Cafe 