System Hacking — Password Attacks, Privilege Escalation, and Persistence

What Is System Hacking and Why Does It Matter?

System hacking encompasses the techniques attackers use to gain access, escalate privileges, maintain persistence, and cover tracks on target systems. The MITRE ATT&CK framework maps these activities across multiple tactics — Credential Access (TA0006), Privilege Escalation (TA0004), Persistence (TA0003), and Defence Evasion (TA0005). NIST SP 800-123 (Guide to General Server Security) defines the hardening controls designed to prevent these attacks, and CompTIA Security+ SY0-701 tests them extensively.

System hacking is the phase of the ethical hacking methodology where you move from discovering vulnerabilities to actively exploiting them — gaining access to target systems, escalating privileges, maintaining persistent access, and covering your tracks. It is where reconnaissance, scanning, and enumeration results turn into demonstrated impact.

Understanding system hacking is critical for multiple reasons:

• Penetration testers must demonstrate real exploitation to prove that vulnerabilities are not just theoretical risks but actual pathways into systems.
• SOC analysts need to recognise the artefacts that system hacking leaves behind — failed login attempts, privilege escalation indicators, suspicious scheduled tasks, and tampered log files.
• Certification exams including CompTIA Security+ SY0-701 and CEH v13 cover password attacks, privilege escalation concepts, and post-exploitation techniques extensively.
• Security architects design defences against these exact techniques — strong authentication, least privilege, endpoint detection, and centralised logging.

This page covers the four phases of system hacking: gaining access through password attacks, escalating privileges, maintaining access through persistence mechanisms, and covering tracks. All techniques are explained for beginners with the ethical and legal context that responsible security work demands.

The first time I cracked a password hash in my home lab, I felt equal parts excitement and concern. I had set up a vulnerable Linux VM, extracted the shadow file, and fed it to John the Ripper. Within seconds, “password123” appeared in my terminal. It was a deliberately weak password on a system I owned, but it drove home a visceral lesson: weak passwords are not an abstract risk — they fall in seconds. That moment changed how I thought about every password I had ever created, and it motivated me to understand the full chain of what happens after an attacker gets in.

Ethical and legal warning: System hacking techniques must only be used on systems you own or have explicit written authorisation to test. Unauthorised access violates the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and the Criminal Code Act 1995 (Australia). Practise exclusively in your home lab or on authorised platforms like TryHackMe and Hack The Box.

Quick Answer

System hacking follows four phases: gaining access (password attacks, exploiting vulnerabilities), escalating privileges (moving from standard user to root/admin), maintaining access (backdoors, scheduled tasks, registry persistence), and covering tracks (log clearing, timestomping). Key tools include John the Ripper and Hashcat for password cracking, LinPEAS/WinPEAS for privilege escalation enumeration, and Mimikatz for credential harvesting on Windows. Defend with strong passwords, MFA, least privilege, patching, EDR, and centralised logging.

What Do Real-World System Hacking Attacks Look Like?

The Verizon 2024 DBIR found that stolen credentials were the initial attack vector in 24% of breaches, and the MITRE ATT&CK framework documents over 40 privilege escalation techniques used by real-world threat groups. System hacking techniques appear in virtually every major breach. Understanding them helps both offensive and defensive professionals.

Scenario	What system hacking involves	Why it matters
Penetration test	Cracking passwords, escalating to admin/root, demonstrating full system compromise	Proves to stakeholders that vulnerabilities have real business impact
Ransomware attack	Attackers gain initial access, escalate to domain admin, deploy ransomware across the network	Understanding the chain helps defenders break it at every stage
Insider threat	Legitimate user escalates beyond their authorised access level	Privilege escalation monitoring catches insiders exceeding their roles
APT compromise	Nation-state actors maintain persistent access for months or years	Persistence detection is a core SOC capability
Incident response	IR team traces how an attacker moved from initial access to full compromise	Knowing attacker methodology guides forensic investigation
Red team exercise	Simulated adversary tests the organisation’s detection and response capabilities	System hacking skills are the core of red team operations

How Does System Hacking Work?

The CEH v13 methodology divides system hacking into four sequential phases that mirror the MITRE ATT&CK kill chain: Credential Access, Privilege Escalation, Persistence, and Defence Evasion. NIST SP 800-123 provides the corresponding server hardening controls that defend against each phase.

Key Definition

Privilege escalation is the process of exploiting a vulnerability, misconfiguration, or design flaw to gain higher access permissions than originally granted. Vertical escalation moves from a standard user to administrator or root. Horizontal escalation moves to another user at the same privilege level who has access to different resources. MITRE ATT&CK catalogues this under tactic TA0004 with over 40 documented techniques.

Think of system hacking like breaking into a building — not to steal, but to test the locks, alarms, and guards. First you pick the lock on the front door (gaining access). Then you find the master key ring (privilege escalation). Then you prop open a back window so you can return later (maintaining access). Finally, you wipe your footprints from the carpet (covering tracks).

The CEH methodology breaks system hacking into four sequential phases:

Phase 1: Gaining Access

The first objective is to authenticate to the target system. The most common path is through password attacks, but gaining access can also involve exploiting vulnerable services identified during scanning and vulnerability analysis.

Password attack types:

Attack type	How it works	Speed	When to use
Brute force	Tries every possible character combination systematically	Very slow for long passwords	Last resort — when no other information is available
Dictionary attack	Tries words from a wordlist (e.g. rockyou.txt)	Fast against weak passwords	First attempt — catches common and predictable passwords
Rainbow table	Pre-computed hash-to-password lookup tables	Very fast lookup	When you have unsalted hashes
Pass-the-hash	Uses captured NTLM hash directly without cracking it	Instant — no cracking needed	Windows environments with NTLM authentication
Credential stuffing	Tests stolen username/password pairs from data breaches	Moderate	When users reuse passwords across services
Password spraying	Tries a few common passwords against many accounts	Moderate	Avoids account lockout thresholds

Phase 2: Escalating Privileges

Once you have initial access (often as a low-privilege user), the goal is to gain administrative or root-level control. Privilege escalation comes in two forms:

• Vertical escalation — moving from a normal user to administrator/root. This is the most impactful form and the primary goal.
• Horizontal escalation — moving to another user at the same privilege level who has access to different resources.

Phase 3: Maintaining Access

After gaining elevated access, attackers establish persistence mechanisms that allow them to return even if the original vulnerability is patched or the compromised password is changed.

Phase 4: Covering Tracks

The final phase involves removing evidence of the compromise — clearing logs, modifying timestamps, and hiding files. In penetration testing, you document what you did rather than hiding it, but understanding these techniques helps defenders know what to look for.

Step-by-Step: System Hacking in Practice

DocHowTo

Goal: Gain access to a target system, escalate to root/administrator, establish persistence, and document the full attack chain. Time: 1–4 hours per target system depending on password complexity and available escalation vectors. Prerequisites: Enumeration results (usernames, service versions), hash extraction capability, Kali Linux or equivalent with John the Ripper, Hashcat, LinPEAS/WinPEAS installed.

Password Cracking Workflow

1. Obtain password hashes. Extract hashes from /etc/shadow (Linux), SAM database (Windows), or captured network authentication (NTLM, Kerberos).
2. Identify the hash type. Different systems use different algorithms — MD5, SHA-512, NTLM, bcrypt. Tools like hashid or hash-identifier help determine the type.
3. Choose the attack method. Start with a dictionary attack using a quality wordlist. If that fails, try rule-based mutations. Brute force is the last resort.
4. Run the cracking tool. Feed the hashes and wordlist to John the Ripper or Hashcat and let it work.
5. Use the credentials. Authenticate to the target system with the cracked password.

Privilege Escalation Workflow

1. Enumerate the current environment. What user are you? What groups? What OS version? What services are running? What files have unusual permissions?
2. Search for quick wins. SUID binaries on Linux, unquoted service paths on Windows, stored credentials in configuration files.
3. Check for kernel exploits. Compare the OS version and patch level against known kernel vulnerabilities.
4. Exploit misconfigurations. Writable service binaries, weak file permissions, scheduled tasks running as SYSTEM/root with modifiable scripts.
5. Verify escalation. Confirm you now have the elevated privileges you targeted.

System Hacking Methodology

Visual Explanation

System Hacking Methodology

Four phases from initial access to complete compromise — each phase builds on the last

Pause

Gaining Access

Authentication bypass

Password cracking

Pass-the-hash

Exploit vulnerabilities

Social engineering

Escalating Privileges

Normal user to admin

Kernel exploits

SUID/UAC bypass

Misconfiguration abuse

Credential harvesting

Maintaining Access

Persistence

Backdoors

Rootkits

Scheduled tasks

Registry run keys

Covering Tracks

Anti-forensics

Log clearing

Timestomping

File hiding

Event log tampering

Idle

How Does System Hacking Fit Into a Security Architecture?

MITRE ATT&CK documents platform-specific privilege escalation techniques under TA0004, with separate sub-techniques for Linux, Windows, and macOS. NIST SP 800-123 recommends layered defences including least privilege, file integrity monitoring, and endpoint detection to counter these techniques at every level of the system architecture.

Privilege escalation techniques differ significantly between Linux and Windows because the operating systems handle permissions, services, and authentication differently. Understanding both platforms is essential for any security professional.

Linux vs Windows Privilege Escalation

Visual Explanation

Linux vs Windows Privilege Escalation

Linux Privilege Escalation

• SUID binaries — Files with SUID bit run as the file owner (often root) — find writable or exploitable SUID binaries
• Sudo misconfigurations — Users granted sudo for specific commands that allow shell escapes (e.g. sudo vim, sudo find)
• Kernel exploits — Unpatched kernels vulnerable to CVEs like DirtyCow or PwnKit — check with uname -r
• Cron job abuse — Scheduled tasks running as root that reference writable scripts or use wildcard injection
• Writable /etc/passwd — If /etc/passwd is writable, add a new user with UID 0 for root access

VS

Windows Privilege Escalation

• UAC bypass — User Account Control can be bypassed through auto-elevating binaries and DLL hijacking
• Unquoted service paths — Services with spaces in unquoted paths allow DLL/binary planting in writable directories
• Token impersonation — Steal or impersonate tokens from privileged processes (e.g. Potato attacks, SeImpersonatePrivilege)
• Registry autorun abuse — Modify registry run keys or service configurations pointing to writable executables
• AlwaysInstallElevated — Group Policy misconfiguration allowing any MSI package to install with SYSTEM privileges

Verdict: Both platforms have unique escalation vectors. Automated tools like LinPEAS and WinPEAS enumerate these systematically.

Use case

Penetration testers must be comfortable with both platforms. SOC analysts should recognise the artefacts these techniques leave behind.

Blue Team Perspective

How defenders detect system compromise: Windows Event ID 4688 (process creation) and Sysmon logs reveal unusual parent-child process relationships and suspicious command execution. Event ID 7045 flags new service installations used for persistence. See Log Analysis for the critical Windows Event IDs that reveal system compromise.

What Does System Hacking Look Like in Practice?

The tools below are referenced in the MITRE ATT&CK technique descriptions, the CEH v13 practical exam, and NIST SP 800-115. They represent the standard toolkit used by penetration testers and red teams during exploitation and post-exploitation phases.

These commands should only be run in your home lab against intentionally vulnerable machines. Never use these against systems without explicit written authorisation.

Password Cracking with John the Ripper

# Identify hash type
hashid '$6$rounds=5000$salt$hashvalue'

# Crack Linux shadow hashes with a wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Crack NTLM hashes (Windows)
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt ntlm_hashes.txt

# Show cracked passwords
john --show hashes.txt

# Use rules for password mutations (appending numbers, capitalisation)
john --wordlist=rockyou.txt --rules hashes.txt

Password Cracking with Hashcat

# Crack MD5 hashes with a wordlist
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# Crack NTLM hashes (mode 1000)
hashcat -m 1000 -a 0 ntlm_hashes.txt rockyou.txt

# Brute force — 8-character lowercase alpha
hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?l?l

# Rule-based attack for common mutations
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best64.rule

Linux Privilege Escalation Enumeration

# Check current user and groups
whoami && id

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Check sudo permissions
sudo -l

# Check kernel version for known exploits
uname -a

# Run LinPEAS (automated enumeration)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Windows Privilege Escalation Enumeration

# Check current user and privileges
whoami /all

# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\"

# Check AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Run WinPEAS (automated enumeration)
.\winPEASx64.exe

Persistence Techniques (For Understanding Defences)

# Linux — cron job persistence (attacker perspective, for defence awareness)
# Attacker would add a reverse shell to crontab
crontab -l  # Defenders: check for unexpected cron entries

# Linux — SSH key persistence
# Attacker would add their public key to ~/.ssh/authorized_keys
cat ~/.ssh/authorized_keys  # Defenders: audit authorized_keys regularly

# Windows — registry run key (for defence awareness)
# Check for suspicious autorun entries
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

What Are the Limitations of System Hacking Techniques?

NIST SP 800-123 and the ASD Essential Eight document the layered defences that significantly constrain system hacking effectiveness — strong authentication, MFA, least privilege, patching, EDR, and centralised logging each break a different link in the attack chain.

Factor	Limitation	How to handle it
Strong password policies	Long, complex, unique passwords resist cracking; bcrypt/scrypt hashes are computationally expensive to crack	Focus on other vectors — misconfigurations, token theft, or application-level vulnerabilities
Multi-factor authentication	MFA blocks password-only attacks even if credentials are compromised	Test for MFA bypass or phishing-resistant MFA weaknesses
Endpoint Detection and Response	EDR tools detect privilege escalation tools like Mimikatz, LinPEAS, and known exploit binaries	In real engagements, red teams use custom or obfuscated tools; in labs, EDR is usually absent
Centralised logging	SIEM systems detect log clearing and suspicious authentication patterns	Covering tracks is far harder when logs ship to a central server in real time
Patched systems	Kernel exploits require unpatched systems; modern OS versions close many escalation paths	Focus on misconfigurations rather than exploits on well-maintained systems
Account lockout policies	Brute force and spraying trigger lockouts after failed attempts	Use slow spraying (1-2 attempts per hour) or focus on offline hash cracking

A common beginner mistake is spending hours trying to crack strong password hashes when the system has a misconfiguration that grants admin access without needing a password at all. Privilege escalation is often about finding the path of least resistance, not brute-forcing the front door.

What Interview Questions Should You Expect About System Hacking?

CompTIA Security+ SY0-701 tests password attack types, privilege escalation concepts, and persistence mechanisms. CEH v13 includes hands-on practical questions requiring candidates to demonstrate password cracking and privilege escalation. Interviewers for SOC analyst, penetration testing, and incident response roles consistently assess these skills.

System hacking questions test whether you understand attacker methodology and can think about defence from both sides.

Q1: What is the difference between a brute force attack and a dictionary attack?

Strong answer: “A brute force attack tries every possible character combination systematically — it is guaranteed to find the password eventually but is extremely slow for long passwords. A dictionary attack tries words from a pre-compiled list of common passwords and known leaked credentials. Dictionary attacks are much faster but only work if the password is in the wordlist. In practice, most password cracking starts with a dictionary attack because the majority of weak passwords appear in common wordlists like rockyou.txt.”

Q2: Explain the difference between vertical and horizontal privilege escalation.

Strong answer: “Vertical privilege escalation means moving from a lower privilege level to a higher one — for example, going from a standard user account to root or administrator. Horizontal privilege escalation means moving to another account at the same privilege level that has access to different data or resources. An example of horizontal escalation is a regular employee accessing another employee’s email. Both types are security risks, but vertical escalation typically has greater impact because it gives complete system control.”

Q3: How would you defend against pass-the-hash attacks?

Strong answer: “Pass-the-hash exploits the fact that Windows NTLM authentication uses password hashes directly. Defences include: enforcing Kerberos authentication instead of NTLM where possible, using credential guard to protect hashes in memory, implementing privileged access workstations so admin credentials are only used on hardened systems, enabling Protected Users security group, and monitoring for unusual authentication patterns. Disabling NTLM entirely is the strongest defence but requires thorough testing for compatibility.”

Q4: What indicators would alert a SOC analyst to a privilege escalation attempt?

Strong answer: “Indicators include: unexpected processes running as SYSTEM or root, new user accounts appearing in administrative groups, unusual sudo or runas activity, process creation events from unusual parent processes (for example, cmd.exe spawned from a web server process), modifications to SUID permissions or scheduled tasks, and Event ID 4672 (special privileges assigned to new logon) appearing for accounts that should not have special privileges. A SIEM with proper correlation rules can detect these patterns automatically.”

How Is System Hacking Used in Real Security Operations?

The MITRE ATT&CK framework provides detection guidance for every Credential Access, Privilege Escalation, and Persistence technique, enabling SOC teams to build targeted detection rules. The Verizon 2024 DBIR consistently ranks credential-based attacks among the top breach vectors, making system hacking detection a core SOC competency.

Day-One SOC Scenarios

As a new SOC analyst, system hacking concepts connect directly to your daily work:

• Failed authentication monitoring. You will review alerts for accounts with multiple failed logon attempts. Distinguishing between a user who forgot their password and a credential spraying attack is a core skill.
• Privilege escalation detection. EDR and SIEM rules flag when low-privilege users suddenly perform administrative actions, when SUID permissions change, or when known escalation tools are detected on endpoints.
• Persistence hunting. Threat hunting teams periodically search for unauthorised scheduled tasks, registry run keys, SSH authorised keys, and other persistence mechanisms that automated tools might miss.
• Log integrity monitoring. If an attacker clears Windows Event Logs or truncates Linux auth logs, the gap itself is a detection opportunity. Missing logs are suspicious.

Australian Context

The ASD Essential Eight directly addresses system hacking defences:

• Restrict administrative privileges — limits the impact of privilege escalation by ensuring admin accounts are only used for administrative tasks and are tightly controlled.
• Multi-factor authentication — blocks password-only attacks even when credentials are compromised through cracking or credential stuffing.
• Application control — prevents execution of unauthorised tools like Mimikatz, LinPEAS, and custom backdoors.
• Patch operating systems — closes kernel exploit paths that attackers use for privilege escalation.

The ACSC’s Information Security Manual (ISM) includes controls for credential management, privileged access management, and security monitoring that map directly to defending against system hacking techniques. Organisations subject to the Security of Critical Infrastructure Act 2018 (SOCI Act) must demonstrate they have controls to prevent and detect system compromise.

Summary and Key Takeaways

System hacking is the core of the ethical hacking methodology — the phase where theoretical vulnerabilities become demonstrated compromises.

• Password cracking starts with dictionary attacks against common wordlists. Brute force is a last resort. Tools like John the Ripper and Hashcat are the industry standards.
• Privilege escalation exploits misconfigurations more often than vulnerabilities. SUID binaries, sudo misconfigurations, unquoted service paths, and weak file permissions are low-hanging fruit.
• Persistence mechanisms let attackers survive reboots and password changes. Backdoors, scheduled tasks, registry run keys, and SSH keys are common techniques.
• Covering tracks is increasingly difficult with centralised logging and EDR. Defenders should focus on log integrity and shipping logs to a SIEM in real time.
• Defence is multi-layered. Strong passwords, MFA, least privilege, patching, EDR, and centralised logging each break a different link in the attack chain.
• Practise in your lab. Set up vulnerable VMs, extract hashes, crack them, escalate privileges, and document what you find. Hands-on experience is irreplaceable.
• Always operate ethically. The techniques on this page are powerful. Use them only with authorisation, document everything, and report responsibly.

Individual results vary. Career timelines, salary outcomes (source: BLS and CyberSeek, as of 2025), and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

Related

• Scanning Networks for the reconnaissance phase that identifies targets for system hacking
• Vulnerability Analysis for assessing weaknesses before exploitation
• Enumeration for the active information gathering that feeds into system hacking
• Incident Response for detecting and responding to system compromises

Frequently Asked Questions

What is system hacking in cybersecurity?

System hacking is the phase of ethical hacking where you actively exploit vulnerabilities to gain access to systems, escalate privileges to administrator or root level, establish persistent access, and cover tracks. It follows scanning and enumeration in the ethical hacking methodology and demonstrates the real-world impact of discovered vulnerabilities.

What is the difference between password cracking and password guessing?

Password cracking works on captured password hashes offline — you extract hashes from a system and use tools like John the Ripper or Hashcat to reverse them into plaintext passwords. Password guessing (brute force or spraying) involves trying passwords directly against a live login prompt. Cracking is faster and avoids account lockouts since it works offline.

What are rainbow tables?

Rainbow tables are pre-computed lookup tables that map password hashes back to their plaintext passwords. They trade storage space for computation time — instead of computing hashes during an attack, you look them up instantly. Rainbow tables are defeated by salting, which adds a random value to each password before hashing, making pre-computation impractical.

What is pass-the-hash?

Pass-the-hash is an attack technique where the attacker uses a captured NTLM password hash to authenticate to a Windows system without needing to crack the hash into a plaintext password. This works because Windows NTLM authentication accepts the hash directly. Defences include disabling NTLM, using Kerberos, and implementing credential guard.

What is the difference between vertical and horizontal privilege escalation?

Vertical privilege escalation means gaining higher privileges than your current level — moving from a standard user to administrator or root. Horizontal privilege escalation means accessing resources of another user at the same privilege level. Vertical escalation is more impactful because it grants complete system control.

What tools are used for privilege escalation enumeration?

LinPEAS (Linux) and WinPEAS (Windows) are the most popular automated enumeration tools. They check for SUID binaries, sudo misconfigurations, kernel vulnerabilities, writable service paths, stored credentials, and hundreds of other escalation vectors. Manual checks using commands like find, sudo -l, and whoami /all are also essential skills.

What is a rootkit?

A rootkit is malware designed to maintain persistent access while hiding its presence from the operating system and security tools. Rootkits can operate at the kernel level (modifying OS internals), user level (replacing system utilities), or firmware level (surviving OS reinstallation). They are among the most difficult persistence mechanisms to detect and remove.

How do defenders detect privilege escalation?

Defenders use EDR tools to monitor for suspicious process behaviour, SIEM correlation rules to flag unusual privilege assignments (like Event ID 4672 in Windows), file integrity monitoring to detect SUID changes, and threat hunting to search for known escalation indicators. Centralised logging ensures that evidence survives even if attackers attempt to clear local logs.

What is timestomping?

Timestomping is an anti-forensic technique where an attacker modifies file timestamps (creation, modification, access times) to make malicious files appear as if they were created at the same time as legitimate system files. This makes it harder for investigators to identify recently added malicious files during timeline analysis.

How do I practise system hacking safely?

Set up a home lab with vulnerable VMs like Metasploitable 2, VulnHub machines, or Hack The Box targets. Extract password hashes and crack them, find SUID binaries and escalate privileges, and document the full attack chain. TryHackMe offers guided rooms specifically for privilege escalation practice on both Linux and Windows.

Related sections

Scanning Networks

The reconnaissance phase that identifies open ports and services — targets for system hacking.

Explore Vulnerability Analysis

Assess the weaknesses in discovered services before moving to exploitation.

Explore Incident Response

How defenders detect, contain, and recover from the system compromises that attackers create.

Explore

More resources

GTFOBins

Curated list of Unix binaries that can be exploited for privilege escalation — essential reference for Linux system hacking.

Visit LOLBAS Project

Living Off The Land Binaries, Scripts, and Libraries for Windows — legitimate tools that can be used for privilege escalation and persistence.

Visit HackTricks — Privilege Escalation

Comprehensive guide covering Linux and Windows privilege escalation techniques with practical examples.

Visit

---

Technical content verified in March 2026 against CompTIA Security+ SY0-701 exam objectives, CEH v13 syllabus, MITRE ATT&CK framework (Privilege Escalation and Persistence tactics), and NIST SP 800-115.