3.5 Maintaining Access: Backdoors, Rootkits & Persistence

Key Takeaways

  • Maintaining access means establishing persistence so the foothold survives reboots, logouts, and password changes
  • Backdoors bypass normal authentication; rootkits hide the attacker's presence by subverting the system at user, kernel, bootkit, or firmware level
  • Persistence categories include autostart locations, scheduled tasks/services, rogue accounts, web shells, and trojanized legitimate components
  • Trojans (RATs), keyloggers, and logic bombs support persistence; kernel and firmware/bootkit rootkits are stealthier and harder to remove than user-mode rootkits
  • Defenses are detection-centric: EDR, file integrity monitoring, secure/measured boot, account auditing, and rebuilding from known-good media
Last updated: June 2026

Why Attackers Persist

A foothold that disappears on the next reboot is nearly worthless to an attacker. Maintaining access is the phase where the attacker installs persistence so control survives reboots, user logouts, and even password resets. The CEH expects conceptual fluency in the kinds of persistence and, critically, how defenders detect them.

Backdoors vs. Rootkits

These are related but distinct, and the exam tests the difference:

  • A backdoor is any mechanism that bypasses normal authentication to grant the attacker re-entry — a hidden account, a listening service, a trojanized binary, or a remote-access implant. Its job is access.
  • A rootkit is malware designed to hide the attacker's presence — files, processes, network connections, or other artifacts — by subverting the operating system itself. Its job is concealment. Rootkits frequently bundle a backdoor, but hiding is the defining trait.

The Malware That Carries Persistence

Maintaining access usually rides on a piece of malware the CEH defines elsewhere but reuses here:

  • A Trojan / Remote Access Trojan (RAT) disguises itself as something benign while giving the attacker remote command and control — a common backdoor delivery method.
  • A keylogger captures keystrokes (and thus fresh credentials) to keep access alive even after a password change.
  • A logic bomb is malicious code dormant until a trigger condition (a date or event) is met, then it fires — a persistence/trigger concept, not an access method itself.

Rootkit Levels and Persistence Categories

Rootkit Levels (Stealth Increases Going Down)

Level                   | Where It Operates                                | Detection Difficulty
User-mode (application) | Runs as a normal process, hooks user-space APIs  | Easier - good EDR/AV can catch it
Kernel-mode             | Loads as a driver, subverts OS core              | Hard - it can lie to the OS and tools
Bootkit                 | Infects the boot process before the OS loads     | Very hard - active before defenses
Firmware / hardware     | Lives in firmware (e.g., UEFI) below the OS      | Extremely hard - survives OS reinstall

The lower the level, the more the attacker controls what the system can see, so defenders cannot fully trust a compromised host to report on itself. A kernel-mode rootkit can intercept the very API calls a security tool uses to list processes or files, returning sanitized results — this is why deep-rootkit suspicion calls for out-of-band analysis.

Common Persistence Categories

  • Autostart locations — run keys, startup folders, and login items that relaunch attacker code at boot or logon.
  • Scheduled tasks and services — a task or service configured to run periodically or at startup, often with high privilege.
  • Rogue accounts — a newly created or hidden account, sometimes added to a privileged group, providing legitimate-looking re-entry.
  • Trojanized legitimate components — replacing or backdooring a trusted binary, library, or script so normal operation reactivates the implant.
  • Web shells — server-side scripts (PHP/ASPX/JSP) placed on a web server that give recurring command execution; a leading persistence method on internet-facing servers.
  • WMI event subscriptions / startup scripts — fileless persistence that triggers code on a system event.

Detection-Focused Defenses

The blue-team answer the CEH wants is detection and recovery, because prevention alone fails once an attacker is already inside:

  • Endpoint Detection and Response (EDR) / anti-malware — behavioral detection of implants, suspicious autostart changes, and process injection.
  • File Integrity Monitoring (FIM) — alerts when protected system files, binaries, or configuration baselines change unexpectedly.
  • Secure Boot / Measured Boot and firmware integrity — counters bootkits and firmware rootkits by validating the boot chain.
  • Account and configuration auditing — alert on new accounts, privileged-group changes, and new services or scheduled tasks.
  • Offline / out-of-band analysis — examine a kernel/firmware-rootkit suspect from trusted media because the live OS may be lying.
  • Rebuild from known-good — for deep rootkits, the only reliable remediation is wiping and reimaging from trusted media; cleaning in place is unreliable.
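The account and configuration auditing bullet above, worked as a small detection rule set run over constructed Windows event-log lines. This is an added example, not code from the original page; the event IDs are real Windows Security/System log IDs (4720 account created, 4732 member added to local group, 4698 scheduled task created, 4657 registry value modified, 7045 service installed), while the Key=Value line format, the account, service and task names, and the paths are all constructed placeholders.

```python
import re

# Windows event IDs for the changes this page says to audit: 4657/4698/4720/4732
# are Security-log events, 7045 comes from the System log (Service Control Manager).
PERSISTENCE_EVENTS = {
    "4720": "account created",
    "4732": "member added to local group",
    "7045": "service installed",
    "4698": "scheduled task created",
    "4657": "registry value modified",
}
PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Remote Desktop Users"}
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

def parse_line(line: str) -> dict:
    return dict(re.findall(r"(\w+)=(\S+)", line))  # constructed Key=Value format

def evaluate(ev: dict):
    """Return (severity, message) when the event indicates persistence, else None."""
    eid = ev.get("EventID")
    if eid not in PERSISTENCE_EVENTS:
        return None
    if eid == "4657":  # only writes under a Run/RunOnce autostart key count
        if not AUTOSTART_KEY.search(ev.get("ObjectName", "")):
            return None
        return ("high", f"autostart change: {ev['ObjectName']} value {ev.get('ValueName')}")
    if eid == "4732":  # group membership change is high only for privileged groups
        group = ev.get("GroupName", "")
        severity = "high" if group in PRIVILEGED_GROUPS else "low"
        return (severity, f"{PERSISTENCE_EVENTS[eid]}: {ev.get('MemberName')} -> {group}")
    detail = ev.get("TargetUser") or ev.get("ServiceName") or ev.get("TaskName")
    return ("medium", f"{PERSISTENCE_EVENTS[eid]}: {detail}")

def audit(lines) -> list:
    """Run each line through the rules; each alert is (time, severity, message)."""
    alerts = []
    for ev in map(parse_line, lines):
        verdict = evaluate(ev)
        if verdict:
            alerts.append((ev.get("Time"), *verdict))
    return alerts

SAMPLE_LOG = [  # constructed sample events; names and paths are placeholders
    r"Time=09:01 EventID=4624 TargetUser=alice",
    r"Time=09:02 EventID=4720 TargetUser=svc_backup SubjectUser=alice",
    r"Time=09:03 EventID=4732 MemberName=svc_backup GroupName=Administrators",
    r"Time=09:04 EventID=7045 ServiceName=UpdateHelper ImagePath=C:\ProgramData\helper.exe",
    r"Time=09:06 EventID=4657 ObjectName=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ValueName=Helper",
    r"Time=09:07 EventID=4657 ObjectName=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer ValueName=Foo",
]
```

Running `audit(SAMPLE_LOG)` yields four alerts: the ordinary logon (4624) and the non-autostart registry write are ignored, while the new account, its addition to Administrators, the new service and the Run-key change each surface with a severity.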

Putting Persistence in the Defender's Picture

The maintaining-access phase is where an intrusion becomes a foothold the organization keeps fighting for months. The exam's framing is consistent: each persistence technique changes something on the host (a new file, a new service, a new account, a modified binary, an unusual boot component), and the corresponding blue-team control is the one that notices that change.

Persistence Technique          | Most Direct Detective Control
New autostart / run key        | EDR autostart monitoring; baseline comparison
New service or scheduled task  | Configuration auditing and alerting
Rogue / hidden account         | Account creation and privileged-group auditing
Trojanized system binary       | File Integrity Monitoring vs. known-good baseline
Web shell on a server          | File integrity + web-server log/anomaly monitoring
Bootkit / firmware rootkit     | Secure/Measured Boot, firmware integrity, reimage

As the rootkit moves from user mode toward firmware, on-host tooling becomes progressively less reliable, so the strongest assurances come from controls that live off the host (centralized logs, network telemetry, out-of-band integrity checks) and from the willingness to rebuild from trusted media rather than attempt an in-place clean. Combining preventive least privilege (limiting who can create services, tasks, and accounts) with these detective and recovery controls is the defense-in-depth answer the exam rewards for this phase.

Test Your Knowledge

What is the defining purpose that distinguishes a rootkit from a plain backdoor?

Why is a firmware or UEFI-level rootkit considered far harder to remediate than a user-mode rootkit?

Which control most directly detects an attacker who establishes persistence by silently modifying a trusted system binary?

An attacker plants a PHP script on an internet-facing web server to regain command execution at will. What is this persistence technique called?