This paper examines methods for persistence establishment of malicious software (malware) to various levels of security rings of modern processors based on the x86_64 architecture. The article discusses all levels of rings from 3 (user) to -3 (level of the control engine). In addition, for each level, the capabilities of malware are defined, which is attached to the corresponding ring. Correlating the capabilities and levels of rings makes it possible in the future to develop criteria according to which it will be possible to identify malicious software operating on a personal computer. As a result of the analysis, it was established that the methods of attachment for different rings differ, and malicious activity can only be detected from levels lower than the malware located, which imposes a number of requirements on a unified method for its detection