In post-engagement cleanup, which action is best to address persistence mechanisms such as hidden shells?

Prepare for the Penetration Testing and Vulnerability Analysis Test with a range of challenging questions. Study with multiple choice format, hints, and detailed explanations to ace your next exam!

Multiple Choice

In post-engagement cleanup, which action is best to address persistence mechanisms such as hidden shells?

Explanation:
The key idea is to eliminate attacker persistence. Hidden shells are covert access points that can survive routine cleanup, so the cleanup must actively hunt for and remove all backdoors and shells that may be lurking on the systems. This means a thorough audit to uncover persistence mechanisms—hidden shells, rogue services, startup items, scheduled tasks, unauthorized accounts, and any covert processes—and then removing them and validating that no entry points remain. Doing only a surface removal ignores hidden access points and may leave the system compromised. Disabling user accounts can disrupt legitimate access and doesn’t guarantee removal of covert threats, and rebuilding the OS is a drastic step not needed if you can locate and purge the persistence mechanisms. After confirming cleanup, implement hardening and monitoring to prevent reinfection.

