MITRE ATT&CK® Tactic

TA0028: Persistence

The adversary is trying to maintain their foothold.

Persistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. Attackers often will need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.

Mobile | TA0028 | Tactic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Mobile Persistence matters because it represents an attacker’s effort to keep access to a mobile device despite disruptions such as reboots, and potentially even factory data resets. For leaders, the decision point is whether mobile security, identity controls, and incident response processes can prove that a compromised device has been fully contained and that access did not quietly survive normal remediation steps.

Executive priority

Treat this tactic as a resilience and trust issue for mobile-enabled workforces. If mobile devices are used for executive communications, authentication, operations, or access to business applications, persistence can undermine incident closure, compliance evidence, and confidence in device recovery. Security leaders should ask whether mobile incident response playbooks define when to isolate, wipe, re-enroll, revoke credentials, or replace a device, and what evidence is required before returning it to service.

Technical view

ATT&CK provides this as a mobile tactic rather than a specific technique, and supplies no detection guidance or platform list for the tactic object itself. SOC, IR, and mobile security teams should therefore validate coverage at the tactic level: can they observe mobile device configuration changes, application installation or reinstallation, management-state changes, device reboot or reset events, and post-remediation signs of continued access? Because mobile operating systems expose far less on-device telemetry to defenders than desktop endpoints do, MDM/UEM records and identity provider logs are usually the primary evidence. Detection engineering should map that local telemetry to the individual techniques under this tactic in the ATT&CK mobile matrix, rather than relying on this tactic object alone.

Likely telemetry

  • MDM/UEM device inventory, compliance state, enrollment, wipe, reset, and re-enrollment records
  • Mobile device configuration and policy change logs
  • Mobile application inventory and installation/removal history
  • Device reboot, reset, and recovery lifecycle events where available
  • Identity and access logs for mobile-authenticated sessions before and after remediation

Detection direction

  • Validate whether mobile telemetry persists across the recovery actions your team depends on, such as reboot, wipe, reset, and re-enrollment.
  • Correlate mobile device state changes with identity activity to identify cases where access continues after a device was believed to be remediated.
  • Tune detections around unauthorized or unexpected configuration changes while accounting for legitimate MDM/UEM administration and user-driven device changes.
  • Use relationship-driven technique detail from the ATT&CK mobile matrix when available; this tactic object alone does not provide technique-specific detections.
  • Document blind spots where unmanaged, personally owned, offline, or partially enrolled devices lack sufficient evidence for persistence assessment.
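As a worked illustration of the correlation step above (device state versus identity activity), the following Python script is an added example written for this page; it is not Glexia or MITRE code. It runs over constructed MDM/UEM lifecycle events and identity sign-in records with assumed field and event names (device_id, wipe, factory_reset, re_enroll, issued_ts, and so on; real products use different schemas) and flags three conditions: a session issued before a wipe that is still in use afterwards, a new sign-in from a device that was reset but never re-enrolled, and a sign-in from a device the MDM/UEM has no record of, which is the unmanaged blind spot noted in the last bullet.

```python
"""
Detection example: correlate MDM/UEM device-lifecycle events with identity
sign-in events to flag access that outlives a remediation step.

All records here are constructed sample data. Field and event names
(device_id, wipe, factory_reset, re_enroll, issued_ts, ...) are assumptions
for the example, not the schema of any specific MDM/UEM or identity provider.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

REMEDIATION_EVENTS = {"wipe", "factory_reset", "retire"}
ENROLLMENT_EVENTS = {"enroll", "re_enroll"}


@dataclass(frozen=True)
class DeviceEvent:
    device_id: str
    event: str           # e.g. "enroll", "wipe", "factory_reset", "re_enroll"
    ts: datetime


@dataclass(frozen=True)
class SignIn:
    device_id: str       # device identifier the IdP bound the session to
    user: str
    session_id: str
    issued_ts: datetime  # when the session / refresh token was first issued
    ts: datetime         # when this use of the session was observed


def _t(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (sample-data helper)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def latest_remediation(events: List[DeviceEvent]) -> Dict[str, datetime]:
    """Most recent wipe/reset/retire per device; never-remediated devices are absent."""
    latest: Dict[str, datetime] = {}
    for e in events:
        if e.event in REMEDIATION_EVENTS:
            prev = latest.get(e.device_id)
            if prev is None or e.ts > prev:
                latest[e.device_id] = e.ts
    return latest


def reenrolled_since(events: List[DeviceEvent], device_id: str, since: datetime) -> bool:
    """True if the device has an enrollment event after the given remediation time."""
    return any(e.device_id == device_id and e.event in ENROLLMENT_EVENTS and e.ts > since
               for e in events)


def _finding(kind: str, s: SignIn, wiped_at: Optional[datetime] = None) -> dict:
    return {"type": kind, "device_id": s.device_id, "user": s.user,
            "session_id": s.session_id, "observed": s.ts.isoformat(),
            "remediated_at": wiped_at.isoformat() if wiped_at else None}


def correlate(events: List[DeviceEvent], signins: List[SignIn]) -> List[dict]:
    """Return one finding per sign-in that contradicts the device's remediation state."""
    managed = {e.device_id for e in events}
    remediated = latest_remediation(events)
    findings: List[dict] = []
    for s in sorted(signins, key=lambda x: x.ts):
        if s.device_id not in managed:
            # Blind spot: the IdP sees a device the MDM/UEM has no record of, so
            # persistence cannot be assessed from device telemetry at all.
            findings.append(_finding("unmanaged_device_signin", s))
            continue
        wiped_at = remediated.get(s.device_id)
        if wiped_at is None or s.ts <= wiped_at:
            continue  # no remediation, or sign-in predates it: nothing to compare
        if s.issued_ts < wiped_at:
            # A session issued before the wipe is still used after it: tokens or
            # credentials were not revoked as part of device remediation.
            findings.append(_finding("session_survived_remediation", s, wiped_at))
        elif not reenrolled_since(events, s.device_id, wiped_at):
            # Fresh session from a device that was wiped but never re-enrolled:
            # the wipe may not have taken, or the device identity is being reused.
            findings.append(_finding("signin_without_reenrollment", s, wiped_at))
    return findings


# Constructed sample telemetry (not from any real environment).
SAMPLE_EVENTS = [
    DeviceEvent("dev-A", "enroll",        _t("2024-05-01T08:00:00")),
    DeviceEvent("dev-A", "wipe",          _t("2024-05-10T12:00:00")),
    DeviceEvent("dev-A", "re_enroll",     _t("2024-05-10T14:00:00")),
    DeviceEvent("dev-B", "enroll",        _t("2024-05-01T08:05:00")),
    DeviceEvent("dev-B", "factory_reset", _t("2024-05-11T09:00:00")),
    DeviceEvent("dev-D", "enroll",        _t("2024-05-02T10:00:00")),
]
SAMPLE_SIGNINS = [
    # dev-A: token issued before the wipe, still used after it -> revocation gap
    SignIn("dev-A", "alice", "s1", _t("2024-05-09T09:00:00"), _t("2024-05-10T15:30:00")),
    # dev-A: new token after re-enrollment -> expected, no finding
    SignIn("dev-A", "alice", "s2", _t("2024-05-10T14:30:00"), _t("2024-05-10T14:35:00")),
    # dev-B: reset recorded, no re-enrollment, yet a new session appears
    SignIn("dev-B", "bob",   "s3", _t("2024-05-11T10:00:00"), _t("2024-05-11T10:05:00")),
    # dev-C: never enrolled; the IdP sees it, the MDM/UEM does not
    SignIn("dev-C", "carol", "s4", _t("2024-05-12T08:00:00"), _t("2024-05-12T08:01:00")),
    # dev-D: healthy managed device -> no finding
    SignIn("dev-D", "dave",  "s5", _t("2024-05-12T09:00:00"), _t("2024-05-12T09:02:00")),
]


def run_sample() -> List[dict]:
    return correlate(SAMPLE_EVENTS, SAMPLE_SIGNINS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['type']:30} {f['device_id']} {f['user']} {f['session_id']} observed={f['observed']}")
```

In practice the two inputs would be exported MDM/UEM audit records and identity provider sign-in logs normalized to these fields. Before turning the output into alerts, account for clock skew between the two systems (a session issued seconds before a wipe is usually a timing artifact, not a revocation failure) and for legitimate bulk administrative wipes followed by scheduled re-enrollment, which this logic treats the same as an incident-driven wipe.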

Mitigation priorities

  • Prioritize strong mobile device management and clear enrollment, compliance, wipe, and re-enrollment procedures.
  • Ensure incident response playbooks define when mobile credentials, sessions, certificates, and application tokens must be revoked in addition to device remediation.
  • Require evidence-based return-to-service criteria for mobile devices involved in incidents, especially when persistence is suspected.
  • Align mobile security monitoring with identity access controls so continued access can be evaluated after device remediation.
  • Maintain audit-ready records of mobile containment and recovery actions to support compliance and incident closure decisions.

Analyst notes and limits

This is a tactic-level ATT&CK object for the mobile domain. The official description is intentionally broad: adversaries seek to maintain a foothold on mobile devices through access, actions, or configuration changes, including across interruptions such as reboots and potentially factory data resets. No relationships, platforms, aliases, labels, or detection text were supplied for this object, so this take focuses on defensive validation and governance questions rather than specific detection logic.

Local MDM/UEM, mobile security, identity, and incident response data are required to determine actual exposure and coverage. This summary does not assert active exploitation, attribution, or guaranteed detection.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d7dfc9ca106fcd5c...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   d7dfc9ca106f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: TA0028 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.