Comprehensive and Detailed Explanation:
A reverse shell that is left on a target to maintain access is a form of persistence/backdoor. The action described — removing the reverse shell at the end of the engagement — is specifically the removal of a persistence mechanism. Post-engagement cleanup requires removal of any artifacts that provide continued access (web shells, scheduled tasks, reverse shells, cron jobs, created accounts, etc.) so the environment is returned to its pre-test state and to prevent later compromise.
Why not the others:
B (Uninstalling tools): Removing tools is also a cleanup activity, but the question explicitly references removing the reverse shell (persistence).
C (Preserving artifacts): Preserving artifacts is the opposite (saving logs/evidence) for incident response — not removing access.
D (Reverting configuration changes): Important, but the best single match for removing a reverse shell is “removing persistence mechanisms.â€
PT0-003 mapping: Domain 5 — post-engagement cleanup and returning environment to baseline.
