Common Methods/Tools for Installation
- Backdoors
- Remote access trojans (RATs)
- Rootkits (pieces of software that allow programs to be run as root)
- Modified scheduled tasks

Exploitation gives access; installation makes it last. Attackers establish persistence so their foothold survives reboots and remediation attempts. Common mechanisms include Remote Access Trojans (RATs) disguised as legitimate processes, rootkits that hide at the kernel level, and web shells uploaded to compromised servers for browser-based command access. Attackers also achieve persistence through rogue user accounts, modified scheduled tasks, altered startup scripts, and Windows registry auto-run keys. Defenders should deploy endpoint detection and response (EDR) tools, monitor system integrity, and regularly audit scheduled tasks, startup items, and user accounts for unauthorized changes.
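
The audit recommended above can be automated as a baseline comparison. The following is an added example, not code from the original page: it assumes the inventories of scheduled tasks, startup items and user accounts have already been collected into dictionaries by some other tool, and every name, path and value in the sample data is constructed for illustration.

```python
import hashlib

def fingerprint(inventory):
    """Map (category, name) -> SHA-256 digest of the item's definition."""
    return {
        (category, name): hashlib.sha256(definition.encode()).hexdigest()
        for category, items in inventory.items()
        for name, definition in items.items()
    }

def audit(baseline_fp, current_inventory):
    """Compare a current inventory with a stored baseline fingerprint.

    Returns sorted (category, name, change) tuples, where change is
    "added", "modified" (same name, different definition) or "removed".
    """
    current_fp = fingerprint(current_inventory)
    findings = []
    for key, digest in current_fp.items():
        if key not in baseline_fp:
            findings.append((*key, "added"))
        elif baseline_fp[key] != digest:
            findings.append((*key, "modified"))
    for key in baseline_fp.keys() - current_fp.keys():
        findings.append((*key, "removed"))
    return sorted(findings)

# Constructed sample inventories (hypothetical names and paths).
BASELINE = {
    "scheduled_task": {"nightly-backup": "/usr/local/bin/backup.sh --full"},
    "startup_item": {"sshd.service": "/usr/sbin/sshd -D"},
    "user_account": {"alice": "uid=1001;groups=staff"},
}
CURRENT = {
    # Same task name as the baseline, but the command has changed.
    "scheduled_task": {"nightly-backup": "/usr/local/bin/backup.sh --full; /var/tmp/upd"},
    # A startup item that was not present in the baseline.
    "startup_item": {"sshd.service": "/usr/sbin/sshd -D",
                     "sysupdate.service": "/var/tmp/sysupdate"},
    # An account that was not present in the baseline.
    "user_account": {"alice": "uid=1001;groups=staff",
                     "support": "uid=1002;groups=sudo"},
}

if __name__ == "__main__":
    for category, name, change in audit(fingerprint(BASELINE), CURRENT):
        print(f"[{change.upper()}] {category}: {name}")
```

Comparing digests of each definition rather than names alone is what catches a modified scheduled task that keeps its original name.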