Stayin' Alive: Stealthy Persistence in Enterprise Environments

You've successfully compromised your target. How do you maintain access in the face of reboots, crashes, credential resets, and active remediation? In this presentation, we take a deep dive into stealthy persistence techniques that go far beyond the basic Windows services, run keys, and cron jobs. We explore the latest attacker tradecraft that abuses trusted components and blends into normal enterprise operations. The talk covers persistence techniques derived from novel research and techniques observed in the wild from my work as a Principal Forensic Consultant. These techniques evade modern detection/AV/NDR/EDR and, more importantly, are difficult for forensic investigators to identify and eradicate. We also examine how to exploit the limitations in modern forensic tooling and common DFIR workflows. Finally, the presentation distills these findings into practical attacker tradecraft for maintaining covert, resilient access in enterprise networks.

Presented at Security Fest 2026.

Speaker: Alexander Andersson

About Alexander Andersson

Alexander is a Principal Forensic Consultant at Truesec. Alexander has a background in red teaming and software development. Today, he spends most of his time providing incident response services to companies that have suffered from an attack. He has led hundreds of complex investigations into everything from full-scale ransomware attacks to zero-day exploits and APT campaigns. Whenever not in an active incident, Alexander spends time in research and development with a focus on both novel forensic techniques and offensive vulnerability research.

 