Security Fest 2026

Stayin' Alive: Stealthy Persistence in Enterprise Environments
2026-05-29, Main Stage

You've successfully compromised your target. How do you maintain access in the face of reboots, crashes, credential resets, and active remediation?

In this presentation, we take a deep dive into stealthy persistence techniques that go far beyond the basic Windows services, run keys, and cron jobs. We explore the latest attacker tradecraft that abuses trusted components and blends into normal enterprise operations.

The talk covers persistence techniques derived from novel research and techniques observed in the wild from my work as a Principal Forensic Consultant. These techniques evade modern detection/AV/NDR/EDR and, more importantly, are difficult for forensic investigators to identify and eradicate. We also examine how to exploit the limitations in modern forensic tooling and common DFIR workflows.

Finally, the presentation distills these findings into practical attacker tradecraft for maintaining covert, resilient access in enterprise networks.


This talk explores persistence, focusing on what actually works in real-world intrusions versus techniques that only look impressive. Using a mix of real-world cases and novel research, the presentation highlights both common mistakes and solid persistence mechanisms.

The talk will feature multiple live demos.

The talk content is based on (1) my experience leading hundreds of complex investigations as a Principal Forensic Consultant, (2) learnings from years of developing proprietary forensic tooling, and (3) an extensive review of persistence techniques and the limitations of current forensic tooling.

Alexander is a Principal Forensic Consultant at Truesec. Alexander has a background in red teaming and software development. Today, he spends most of his time providing incident response services to companies that have suffered from an attack. He has led hundreds of complex investigations into everything from full-scale ransomware attacks to zero-day exploits and APT campaigns. Whenever not in an active incident, Alexander spends time in research and development with a focus on both novel forensic techniques and offensive vulnerability research.