Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Stage 8 - Persistence via Identity

What Happens in Stage 8
Persistence via Identity occurs when attackers establish continued access independent of traditional security controls. Even when passwords reset, sessions expire, devices are wiped, or infrastructure changes, the attacker maintains silent control through compromised identity artifacts.
Token-Based Persistence
Long-lived OAuth refresh tokens and service principal secrets provide continuous access without credential re-entry.
Federation Manipulation
SAML signing certificates and federated trust misconfigurations create invisible backdoors into enterprise systems.
Machine Identity Abuse
Automation tokens embedded in CI/CD pipelines and barely monitored machine identities serve as persistent footholds.
Cross-Tenant Paths
External-to-internal cloud trust paths and legacy authentication protocols bypass modern security controls entirely.
Identity persistence represents cloud-native persistence—no malware implants, no binaries, no disk artifacts. This characteristic enables attackers to remain undetected for months while maintaining privileged access across hybrid and multi-cloud environments.
Attacker Objectives & Enabling Misconfigurations
Attacker Objectives in Stage 8
Adversaries establish long-term control through identity-layer manipulation, creating resilient access mechanisms that survive typical incident response procedures.
Bypass Security Resets
Maintain access through password changes, MFA re-enrollment, and account recovery processes.
Create Privileged Identities
Establish new application secrets, implant roles via nested groups, and generate cross-tenant trust footholds.
Evade Detection
Operate through identity backdoors that bypass traditional security monitoring and incident response resets.
Persistence at this stage translates to sustained, undetectable control over cloud identity infrastructure—the attacker's ultimate insurance policy.
Critical Misconfigurations
MC-018: Poor Session Governance
Persistent, long-lived session tokens stored in browser sync allow indefinite access across devices.
MC-037: Weak Certificate Management
Compromised SAML signing certificates persist indefinitely, enabling continuous token forgery.
MC-062: Excessive IAM Permissions
Overprivileged roles enable generation of new secrets, identities, and persistent access paths.
MC-147: Insufficient OAuth Governance
Malicious OAuth applications maintain persistent refresh tokens without visibility or control.
Detection, Breach Patterns & Threat Actors
Detection Logic for Stage 8
DL-032: Forged Token Detection
Identifies long-lived forged or modified tokens through claim mismatch analysis.
DL-027: Cross-Tenant Behavior
Detects persistence attempts across hybrid or multi-cloud identity paths.
DL-048: Group Membership Expansion
Identifies long-term lateral privilege positioning through nested group manipulation.
DL-039: Federation Manipulation
Detects persistent manipulation of federation trust relationships and claims.
DL-077: Machine Token Reuse
Identifies persistent machine identity footholds across environments.

Breach Patterns Using Stage 8
BP-027 — Refresh Token Theft
BP-035 — Service Principal Secret Injection
BP-036 — Persistent OAuth App Backdoor
BP-018 — SAML Signing Certificate Abuse
BP-040 — Cross-Cloud Foothold Persistence
Threat Actors Who Use Stage 8
DarkHalo (ICTAM-006)
SAML certificate persistence demonstrated in SolarWinds compromise.
BlackCat (ICTAM-009)
Machine identity persistence across cloud infrastructure.
APT28 (ICTAM-002)
Hybrid identity footholds across on-premises and cloud boundaries.
Volt Typhoon (ICTAM-004)
Long-term cross-tenant persistence in critical infrastructure.
Malicious Insider (ICTAM-017)
Hidden group membership persistence for sustained privilege retention.
Attack Chain Position & Strategic Impact
Stage 7: Lateral Movement
Horizontal expansion through compromised identity paths
Stage 8: Persistence
Establishment of resilient, identity-based access mechanisms
Stage 9: Objectives
Achievement of mission goals with sustained access

Identity Persistence: The Attacker's Insurance Policy
Traditional incident response procedures fail against identity-layer persistence. Password resets don't eliminate compromised tokens. MFA re-enrollment doesn't revoke malicious OAuth apps. Device replacement doesn't remove federated trust backdoors. New infrastructure deployments carry forward compromised service principals.
Identity functions as a persistence layer that transcends traditional security boundaries—making it one of the most challenging attack vectors to fully eradicate from enterprise environments.
Why Identity Persistence Is Different
Survives Password Changes
Token-based access mechanisms continue functioning regardless of credential rotation policies.
Bypasses MFA Requirements
Persistent tokens and certificates authenticate without triggering multi-factor challenges.
Invisible to Traditional Tools
No malware signatures, no disk artifacts, no network implants to detect or remove.
Resilient to Infrastructure Changes
Cloud-native persistence mechanisms survive system rebuilds and environment migrations.
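To make the DL-032 claim-mismatch idea concrete, and to show why a password reset alone leaves an earlier token usable unless the validator checks for it, here is an added Python example that is not part of the framework. The policy values, issuer, key IDs, reset timestamp and sample tokens are all constructed.

```python
# Added example, not code from the framework: a claim-mismatch pass in the
# spirit of DL-032 over already-decoded tokens. Signature verification is
# assumed to happen before this step; 'kid' is copied from the token header
# into the claim dict for simplicity. Policy values and tokens are constructed.
MAX_LIFETIME_S = 3600                            # assumed policy: 1 hour max
TRUSTED_ISSUERS = {"https://idp.example.test"}   # constructed trusted IdP
ACTIVE_KIDS = {"kid-2026-01"}                    # signing keys currently in rotation
# Assumed directory state: epoch time of each subject's last credential reset.
LAST_RESET = {"alice@example.test": 1_767_225_600}   # 2026-01-01T00:00:00Z

def analyze_token(claims: dict, now: int) -> list[str]:
    """Return findings for one decoded token; an empty list means no mismatch."""
    findings = []
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None:
        return ["missing iat/exp"]
    if exp < now:
        return ["expired"]                       # nothing left to persist with
    # Lifetime far beyond policy: minted outside the normal issuance path.
    if exp - iat > MAX_LIFETIME_S:
        findings.append(f"lifetime {exp - iat}s exceeds policy")
    # Issuer or key not in the current trust set: forged, or a retired cert.
    if claims.get("iss") not in TRUSTED_ISSUERS:
        findings.append("untrusted issuer")
    if claims.get("kid") not in ACTIVE_KIDS:
        findings.append("retired or unknown signing key")
    # A token issued before the subject's last reset survives a password change
    # unless the validator checks for it, so treat it as revoked here.
    reset_at = LAST_RESET.get(claims.get("sub"))
    if reset_at is not None and iat < reset_at:
        findings.append("issued before last credential reset")
    return findings

def scan(tokens: list[dict], now: int) -> dict[str, list[str]]:
    """Run analyze_token over a batch; results keyed by 'jti' (token id)."""
    return {t.get("jti", "?"): analyze_token(t, now) for t in tokens}

# Constructed sample, evaluated at 2026-01-02T00:00:00Z (epoch 1767312000).
NOW = 1_767_312_000
SAMPLE_TOKENS = [
    # Normal: issued after the reset, 1h lifetime, current key.
    {"jti": "t1", "sub": "alice@example.test", "iss": "https://idp.example.test",
     "kid": "kid-2026-01", "iat": NOW - 600, "exp": NOW + 3000},
    # Suspicious: 90-day lifetime, issued before Alice's reset, retired key.
    {"jti": "t2", "sub": "alice@example.test", "iss": "https://idp.example.test",
     "kid": "kid-2025-06", "iat": NOW - 86400 * 2, "exp": NOW + 86400 * 88},
]
```

Calling scan(SAMPLE_TOKENS, NOW) returns t1 as clean and flags t2 on all three checks, which is the shape of signal a session-governance or federation review would act on.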
