# TA0003 — Persistence
## Description
Persistence covers the techniques that let an adversary **maintain access** to a compromised system even after reboots, credential changes, or other interruptions. Without persistence, an attacker loses access as soon as the session ends; with it, they can remain hidden for months or years.
Persistence techniques vary widely in sophistication: from simple Windows registry entries ([[t1547-001-registry-run-keys|Run Keys]]) to firmware backdoors ([[t1542-001-system-firmware|System Firmware]]) and web shells on servers ([[t1505-003-web-shell|T1505.003]]). Nation-state APT groups such as [[g1017-volt-typhoon|Volt Typhoon]] use extremely discreet persistence techniques, avoiding files on disk whenever possible (fileless persistence).
Detecting persistence is critical: the earlier it is detected, the smaller the damage. In ransomware incidents, operators often maintain several persistence mechanisms at the same time, ensuring that removing one does not end their access. Groups such as [[lockbit|LockBit Operators]] and [[cl0p|Cl0p]] are known to establish backdoors weeks before deploying the ransomware.
## Position in the Kill Chain
```mermaid
graph TB
R["Reconnaissance"]:::inactive --> RD["Resource<br/>Development"]:::inactive
RD --> IA["Initial Access"]:::inactive
IA --> EX["Execution"]:::inactive
EX --> PE["🔗 Persistence"]:::active
PE --> PR["Privilege Escalation"]:::inactive
PR --> DE["Defense Evasion"]:::inactive
DE --> CA["Credential<br/>Access"]:::inactive
CA --> DI["Discovery"]:::inactive
DI --> LM["Lateral Movement"]:::inactive
LM --> CO["Collection"]:::inactive
CO --> C2["Command and<br/>Control"]:::inactive
C2 --> EXF["Exfiltration"]:::inactive
EXF --> IM["Impact"]:::inactive
classDef active fill:#e74c3c,color:#fff,stroke:#c0392b,stroke-width:3px
classDef inactive fill:#2c3e50,color:#95a5a6,stroke:#1a252f
```
## Techniques for this Tactic in the Vault
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas"
FROM "ttp/techniques"
WHERE contains(mitre-tactic, "Persistence")
SORT mitre-id ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Persistence") SORT mitre-id ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Persistence") SORT mitre-id ASC -->
| Note | ID | Technique | Platforms |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [[t1037-boot-or-logon-initialization-scripts\|T1037 - Boot or Logon Initialization Scripts]] | T1037 | T1037 - Boot or Logon Initialization Scripts | <ul><li>macOS</li><li>Windows</li><li>Linux</li><li>Network Devices</li><li>ESXi</li></ul> |
| [[t1037-001-logon-script-windows\|T1037.001 - Logon Script (Windows)]] | T1037.001 | T1037.001 - Logon Script (Windows) | <ul><li>Windows</li></ul> |
| [[t1037-002-login-hook\|T1037.002 - Login Hook]] | T1037.002 | T1037.002 - Login Hook | <ul><li>macOS</li></ul> |
| [[t1037-003-network-logon-script\|T1037.003 - Network Logon Script]] | T1037.003 | T1037.003 - Network Logon Script | <ul><li>Windows</li></ul> |
| [[t1037-004-rc-scripts\|T1037.004 - RC Scripts]] | T1037.004 | T1037.004 - RC Scripts | <ul><li>macOS</li><li>Linux</li><li>Network Devices</li><li>ESXi</li></ul> |
| [[t1037-005-startup-items\|T1037.005 - Startup Items]] | T1037.005 | T1037.005 - Startup Items | <ul><li>macOS</li></ul> |
| [[t1053-scheduled-task-job\|T1053 - Scheduled Task/Job]] | T1053 | T1053 - Scheduled Task/Job | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>Containers</li></ul> |
| [[t1098-account-manipulation\|T1098 - Account Manipulation]] | T1098 | T1098 - Account Manipulation | <ul><li>Containers</li><li>ESXi</li><li>IaaS</li><li>Identity Provider</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Office Suite</li><li>SaaS</li><li>Windows</li></ul> |
| [[t1098-001-additional-cloud-credentials\|T1098.001 - Additional Cloud Credentials]] | T1098.001 | T1098.001 - Additional Cloud Credentials | <ul><li>IaaS</li><li>Identity Provider</li><li>SaaS</li></ul> |
| [[t1098-002-additional-email-delegate-permissions\|T1098.002 - Additional Email Delegate Permissions]] | T1098.002 | T1098.002 - Additional Email Delegate Permissions | <ul><li>Windows</li><li>Office Suite</li></ul> |
| [[t1098-003-additional-cloud-roles\|T1098.003 - Additional Cloud Roles]] | T1098.003 | T1098.003 - Additional Cloud Roles | <ul><li>IaaS</li><li>Identity Provider</li><li>Office Suite</li><li>SaaS</li></ul> |
| [[t1098-004-ssh-authorized-keys\|T1098.004 - SSH Authorized Keys]] | T1098.004 | T1098.004 - SSH Authorized Keys | <ul><li>Linux</li><li>macOS</li><li>IaaS</li><li>Network Devices</li><li>ESXi</li></ul> |
| [[t1098-005-device-registration\|T1098.005 - Device Registration]] | T1098.005 | T1098.005 - Device Registration | <ul><li>Windows</li><li>Identity Provider</li></ul> |
| [[t1098-006-additional-container-cluster-roles\|T1098.006 - Additional Container Cluster Roles]] | T1098.006 | T1098.006 - Additional Container Cluster Roles | <ul><li>Containers</li></ul> |
| [[t1098-007-additional-local-or-domain-groups\|T1098.007 - Additional Local or Domain Groups]] | T1098.007 | T1098.007 - Additional Local or Domain Groups | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1133-external-remote-services\|T1133 - External Remote Services]] | T1133 | T1133 - External Remote Services | <ul><li>Containers</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1136-create-account\|T1136 - Create Account]] | T1136 | T1136 - Create Account | <ul><li>Windows</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Containers</li><li>SaaS</li><li>Office Suite</li><li>Identity Provider</li><li>ESXi</li></ul> |
| [[t1136-001-local-account\|T1136.001 - Local Account]] | T1136.001 | T1136.001 - Local Account | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>Network Devices</li><li>Containers</li><li>ESXi</li></ul> |
| [[t1136-002-domain-account\|T1136.002 - Domain Account]] | T1136.002 | T1136.002 - Domain Account | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1136-003-cloud-account\|T1136.003 - Cloud Account]] | T1136.003 | T1136.003 - Cloud Account | <ul><li>IaaS</li><li>SaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1137-office-application-startup\|T1137 - Office Application Startup]] | T1137 | T1137 - Office Application Startup | <ul><li>Windows</li><li>Office Suite</li></ul> |
| [[t1137-001-office-template-macros\|T1137.001 - Office Template Macros]] | T1137.001 | T1137.001 - Office Template Macros | <ul><li>Windows</li><li>Office Suite</li></ul> |
| [[t1137-002-office-test\|T1137.002 - Office Test]] | T1137.002 | T1137.002 - Office Test | <ul><li>Windows</li><li>Office Suite</li></ul> |
| [[t1137-003-outlook-forms\|T1137.003 - Outlook Forms]] | T1137.003 | T1137.003 - Outlook Forms | <ul><li>Windows</li><li>Office Suite</li></ul> |
| [[t1137-004-outlook-home-page\|T1137.004 - Outlook Home Page]] | T1137.004 | T1137.004 - Outlook Home Page | <ul><li>Windows</li><li>Office Suite</li></ul> |
| [[t1137-005-outlook-rules\|T1137.005 - Outlook Rules]] | T1137.005 | T1137.005 - Outlook Rules | <ul><li>Windows</li><li>Office Suite</li></ul> |
| [[t1137-006-add-ins\|T1137.006 - Add-ins]] | T1137.006 | T1137.006 - Add-ins | <ul><li>Windows</li><li>Office Suite</li></ul> |
| [[t1176-browser-extensions\|T1176 - Browser Extensions]] | T1176 | T1176 - Browser Extensions | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1176-software-extensions\|T1176 - Software Extensions]] | T1176 | T1176 - Software Extensions | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1176-001-browser-extensions\|T1176.001 - Browser Extensions]] | T1176.001 | T1176.001 - Browser Extensions | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1176-002-ide-extensions\|T1176.002 - IDE Extensions]] | T1176.002 | T1176.002 - IDE Extensions | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1505-server-software-component\|T1505 - Server Software Component]] | T1505 | T1505 - Server Software Component | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>ESXi</li></ul> |
| [[t1505-001-sql-stored-procedures\|T1505.001 - SQL Stored Procedures]] | T1505.001 | T1505.001 - SQL Stored Procedures | <ul><li>Windows</li><li>Linux</li></ul> |
| [[t1505-002-transport-agent\|T1505.002 - Transport Agent]] | T1505.002 | T1505.002 - Transport Agent | <ul><li>Linux</li><li>Windows</li></ul> |
| [[t1505-003-web-shell\|T1505.003 - Server Software Component: Web Shell]] | T1505.003 | T1505.003 - Server Software Component: Web Shell | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>Network</li></ul> |
| [[t1505-004-iis-components\|T1505.004 - IIS Components]] | T1505.004 | T1505.004 - IIS Components | <ul><li>Windows</li></ul> |
| [[t1505-005-terminal-services-dll\|T1505.005 - Terminal Services DLL]] | T1505.005 | T1505.005 - Terminal Services DLL | <ul><li>Windows</li></ul> |
| [[t1505-006-vsphere-installation-bundles\|T1505.006 - vSphere Installation Bundles]] | T1505.006 | T1505.006 - vSphere Installation Bundles | <ul><li>ESXi</li></ul> |
| [[t1525-implant-internal-image\|T1525 - Implant Internal Image]] | T1525 | T1525 - Implant Internal Image | <ul><li>IaaS</li><li>Containers</li></ul> |
| [[t1542-001-system-firmware\|T1542.001 - System Firmware]] | T1542.001 | T1542.001 - System Firmware | <ul><li>Windows</li><li>Network Devices</li></ul> |
| [[t1542-002-component-firmware\|T1542.002 - Component Firmware]] | T1542.002 | T1542.002 - Component Firmware | <ul><li>Windows</li><li>Linux</li><li>macOS</li></ul> |
| [[t1542-003-bootkit\|T1542.003 - Pre-OS Boot: Bootkit]] | T1542.003 | T1542.003 - Pre-OS Boot: Bootkit | <ul><li>Windows</li><li>Linux</li></ul> |
| [[t1543-create-or-modify-system-process\|T1543 - Create or Modify System Process]] | T1543 | T1543 - Create or Modify System Process | <ul><li>Windows</li><li>macOS</li><li>Linux</li><li>Containers</li></ul> |
| [[t1543-001-launch-agent\|T1543.001 - Launch Agent]] | T1543.001 | T1543.001 - Launch Agent | <ul><li>macOS</li></ul> |
| [[t1543-002-systemd-service\|T1543.002 - Systemd Service]] | T1543.002 | T1543.002 - Systemd Service | <ul><li>Linux</li></ul> |
| [[t1543-003-windows-service\|T1543.003 - Windows Service]] | T1543.003 | T1543.003 - Windows Service | <ul><li>Windows</li></ul> |
| [[t1543-004-launch-daemon\|T1543.004 - Launch Daemon]] | T1543.004 | T1543.004 - Launch Daemon | <ul><li>macOS</li></ul> |
| [[t1543-005-container-service\|T1543.005 - Container Service]] | T1543.005 | T1543.005 - Container Service | <ul><li>Containers</li></ul> |
| [[ttp/techniques/persistence/t1546-003-windows-management-instrumentation-event-subscription.md\|T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription]] | T1546.003 | T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription | <ul><li>Windows</li></ul> |
| [[ttp/techniques/persistence/t1546-014-emond.md\|T1546.014 - Event Triggered Execution: Emond]] | T1546.014 | T1546.014 - Event Triggered Execution: Emond | <ul><li>macOS</li></ul> |
| [[ttp/techniques/persistence/t1546-015-component-object-model-hijacking.md\|T1546.015 - Event Triggered Execution: Component Object Model Hijacking]] | T1546.015 | T1546.015 - Event Triggered Execution: Component Object Model Hijacking | <ul><li>Windows</li></ul> |
| [[t1546-017-udev-rules\|T1546.017 - Udev Rules]] | T1546.017 | T1546.017 - Udev Rules | <ul><li>Linux</li></ul> |
| [[t1546-018-python-startup-hooks\|T1546.018 - Python Startup Hooks]] | T1546.018 | T1546.018 - Python Startup Hooks | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1547-boot-logon-autostart-execution\|T1547 - Boot or Logon Autostart Execution]] | T1547 | T1547 - Boot or Logon Autostart Execution | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1547-boot-or-logon-autostart-execution\|T1547 - Boot or Logon Autostart Execution]] | T1547 | T1547 - Boot or Logon Autostart Execution | <ul><li>Windows</li><li>macOS</li><li>Linux</li><li>Network Devices</li></ul> |
| [[t1547-001-registry-run-keys-startup-folder\|T1547.001 - Registry Run Keys / Startup Folder]] | T1547.001 | T1547.001 - Registry Run Keys / Startup Folder | <ul><li>Windows</li></ul> |
| [[t1547-001-registry-run-keys\|T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys]] | T1547.001 | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys | <ul><li>Windows</li></ul> |
| [[t1547-002-authentication-package\|T1547.002 - Authentication Package]] | T1547.002 | T1547.002 - Authentication Package | <ul><li>Windows</li></ul> |
| [[t1547-003-time-providers\|T1547.003 - Time Providers]] | T1547.003 | T1547.003 - Time Providers | <ul><li>Windows</li></ul> |
| [[t1547-004-winlogon-helper-dll\|T1547.004 - Winlogon Helper DLL]] | T1547.004 | T1547.004 - Winlogon Helper DLL | <ul><li>Windows</li></ul> |
| [[t1547-005-security-support-provider\|T1547.005 - Security Support Provider]] | T1547.005 | T1547.005 - Security Support Provider | <ul><li>Windows</li></ul> |
| [[t1547-006-kernel-modules-and-extensions\|T1547.006 - Kernel Modules and Extensions]] | T1547.006 | T1547.006 - Kernel Modules and Extensions | <ul><li>macOS</li><li>Linux</li></ul> |
| [[t1547-007-re-opened-applications\|T1547.007 - Re-opened Applications]] | T1547.007 | T1547.007 - Re-opened Applications | <ul><li>macOS</li></ul> |
| [[t1547-008-lsass-driver\|T1547.008 - LSASS Driver]] | T1547.008 | T1547.008 - LSASS Driver | <ul><li>Windows</li></ul> |
| [[t1547-009-shortcut-modification\|T1547.009 - Shortcut Modification]] | T1547.009 | T1547.009 - Shortcut Modification | <ul><li>Windows</li></ul> |
| [[t1547-010-port-monitors\|T1547.010 - Port Monitors]] | T1547.010 | T1547.010 - Port Monitors | <ul><li>Windows</li></ul> |
| [[t1547-012-print-processors\|T1547.012 - Print Processors]] | T1547.012 | T1547.012 - Print Processors | <ul><li>Windows</li></ul> |
| [[t1547-013-xdg-autostart-entries\|T1547.013 - XDG Autostart Entries]] | T1547.013 | T1547.013 - XDG Autostart Entries | <ul><li>Linux</li></ul> |
| [[t1547-014-active-setup\|T1547.014 - Active Setup]] | T1547.014 | T1547.014 - Active Setup | <ul><li>Windows</li></ul> |
| [[t1547-015-login-items\|T1547.015 - Login Items]] | T1547.015 | T1547.015 - Login Items | <ul><li>macOS</li></ul> |
| [[t1554-compromise-host-software-binary\|T1554 - Compromise Host Software Binary]] | T1554 | T1554 - Compromise Host Software Binary | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1574-hijack-execution-flow\|T1574 - Hijack Execution Flow]] | T1574 | T1574 - Hijack Execution Flow | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1574-001-dll\|T1574.001 - DLL]] | T1574.001 | T1574.001 - DLL | <ul><li>Windows</li></ul> |
| [[t1574-004-dylib-hijacking\|T1574.004 - Dylib Hijacking]] | T1574.004 | T1574.004 - Dylib Hijacking | <ul><li>macOS</li></ul> |
| [[t1574-005-executable-installer-file-permissions-weakness\|T1574.005 - Executable Installer File Permissions Weakness]] | T1574.005 | T1574.005 - Executable Installer File Permissions Weakness | <ul><li>Windows</li></ul> |
| [[t1574-006-dynamic-linker-hijacking\|T1574.006 - Dynamic Linker Hijacking]] | T1574.006 | T1574.006 - Dynamic Linker Hijacking | <ul><li>Linux</li><li>macOS</li></ul> |
| [[t1574-007-path-interception-by-path-environment-variable\|T1574.007 - Path Interception by PATH Environment Variable]] | T1574.007 | T1574.007 - Path Interception by PATH Environment Variable | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1574-008-path-interception-by-search-order-hijacking\|T1574.008 - Path Interception by Search Order Hijacking]] | T1574.008 | T1574.008 - Path Interception by Search Order Hijacking | <ul><li>Windows</li></ul> |
| [[t1574-009-path-interception-by-unquoted-path\|T1574.009 - Path Interception by Unquoted Path]] | T1574.009 | T1574.009 - Path Interception by Unquoted Path | <ul><li>Windows</li></ul> |
| [[t1574-010-services-file-permissions-weakness\|T1574.010 - Services File Permissions Weakness]] | T1574.010 | T1574.010 - Services File Permissions Weakness | <ul><li>Windows</li></ul> |
| [[t1574-011-services-registry-permissions-weakness\|T1574.011 - Services Registry Permissions Weakness]] | T1574.011 | T1574.011 - Services Registry Permissions Weakness | <ul><li>Windows</li></ul> |
| [[t1574-012-corprofiler\|T1574.012 - COR_PROFILER]] | T1574.012 | T1574.012 - COR_PROFILER | <ul><li>Windows</li></ul> |
| [[t1574-013-kernelcallbacktable\|T1574.013 - KernelCallbackTable]] | T1574.013 | T1574.013 - KernelCallbackTable | <ul><li>Windows</li></ul> |
| [[t1574-014-appdomainmanager\|T1574.014 - AppDomainManager]] | T1574.014 | T1574.014 - AppDomainManager | <ul><li>Windows</li></ul> |
| [[t1653-power-settings\|T1653 - Power Settings]] | T1653 | T1653 - Power Settings | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>Network Devices</li></ul> |
| [[t1668-exclusive-control\|T1668 - Exclusive Control]] | T1668 | T1668 - Exclusive Control | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[ttp/techniques/persistence/t1671-cloud-application-integration.md\|T1671 - Cloud Application Integration]] | T1671 | T1671 - Cloud Application Integration | <ul><li>Office Suite</li><li>SaaS</li></ul> |
<!-- SerializedQuery END -->
## Mindmap — Persistence Techniques
```mermaid
mindmap
  root((TA0003<br/>Persistence))
    Registry and Autostart
      T1547 Boot/Logon Autostart
        T1547.001 Registry Run Keys
        T1547.004 Winlogon Helper DLL
        T1547.009 Shortcut Modification
    Scheduling
      T1053 Scheduled Task/Job
        T1053.005 Scheduled Task
        T1053.003 Cron Jobs
    Servers
      T1505 Server Software Component
        T1505.003 Web Shell
        T1505.004 IIS Components
    Accounts
      T1098 Account Manipulation
      T1136 Create Account
      T1078 Valid Accounts
    Firmware and Boot
      T1542 Pre-OS Boot
        T1542.001 System Firmware
        T1542.003 Bootkit
    Hijacking
      T1574 Hijack Execution Flow
        T1574.002 DLL Side-Loading
        T1574.001 DLL Search Order
```
## Actors Using this Tactic
| Actor | Preferred Persistence Technique |
|------|-----------------------------------|
| [[g1017-volt-typhoon\|Volt Typhoon]] | Web shells, valid credentials, initialization scripts |
| [[Cozy Bear]] | Scheduled tasks, Registry Run Keys, Web shells |
| [[g0034-sandworm\|Sandworm]] | Firmware modification, bootkit implants |
| [[g0032-lazarus-group\|Lazarus Group]] | DLL side-loading, Registry persistence |
| [[TA505]] | Web shells after exploitation of T1190 |
## Detection and Mitigation
### Detection
- **Sysmon Event ID 13:** Registry modifications (Run keys, Winlogon)
- **Scheduled Task auditing:** Event ID 4698 (task created), 4702 (modified)
- **File Integrity Monitoring:** Monitor startup directories, System32, web directories
- **Threat Hunting:** Search for web shells using signatures in wwwroot and htdocs directories
- **EDR:** Alerts for DLL loading from non-standard locations and unusual processes at startup
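
The first two detection bullets as a triage routine, added here as an example and not part of the original note. It maps Sysmon Event ID 13 and Security Event IDs 4698/4702 to the technique IDs used in this vault. The event dictionary layout (`Channel`, `EventID`, `EventData`), the `baseline` allowlist and every sample value are assumptions constructed for the illustration.

```python
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
SECURITY = "Security"

# Sysmon writes the hive as HKLM or HKU\<SID>; WOW6432Node is the 32-bit registry view.
_HIVE = r"^(?:HKLM|HKU\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\"
REGISTRY_RULES = [
    (re.compile(_HIVE + r"Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>.+)$", re.I),
     "T1547.001", "Run/RunOnce value set"),
    (re.compile(_HIVE + r"Windows NT\\CurrentVersion\\Winlogon\\(?P<name>Shell|Userinit)$", re.I),
     "T1547.004", "Winlogon value set"),
]
TASK_EVENTS = {4698: "scheduled task created", 4702: "scheduled task updated"}


def classify(event):
    """Return a finding for a persistence-relevant event, or None."""
    channel, event_id = event.get("Channel"), event.get("EventID")
    data = event.get("EventData", {})
    if channel == SYSMON and event_id == 13:  # RegistryEvent (Value Set)
        for pattern, technique, what in REGISTRY_RULES:
            match = pattern.match(data.get("TargetObject", ""))
            if match:
                return {"technique": technique, "what": what, "name": match.group("name"),
                        "actor": data.get("Image", "?"), "detail": data.get("Details", "")}
    elif channel == SECURITY and event_id in TASK_EVENTS:
        return {"technique": "T1053.005", "what": TASK_EVENTS[event_id],
                "name": data.get("TaskName", "?"),
                "actor": data.get("SubjectUserName", "?"), "detail": ""}
    return None  # other channels reuse ID 13, so the channel check matters


def triage(events, baseline=frozenset()):
    """Classify events and drop entries the caller has baselined as expected."""
    findings = [f for f in map(classify, events) if f]
    return [f for f in findings if (f["technique"], f["name"].lower()) not in baseline]


# Constructed sample events (not real telemetry), shaped like a JSON export of the logs.
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 13, "EventData": {
        "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\alice\AppData\Roaming\upd.exe"}},
    {"Channel": SYSMON, "EventID": 13, "EventData": {
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
        "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\helper.exe"}},
    {"Channel": SYSMON, "EventID": 13, "EventData": {
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname"}},
    {"Channel": "System", "EventID": 13, "EventData": {}},
    {"Channel": SECURITY, "EventID": 4698, "EventData": {
        "SubjectUserName": "svc-backup", "TaskName": r"\Microsoft\Windows\UpdateCheck"}},
    {"Channel": SECURITY, "EventID": 4702, "EventData": {
        "SubjectUserName": "SYSTEM", "TaskName": r"\OneDrive Standalone Update Task"}},
]
BASELINE = {("T1053.005", r"\onedrive standalone update task")}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, BASELINE):
        print(f"{f['technique']:10} {f['what']:24} {f['name']}  (by {f['actor']})")
```

The baseline is keyed on technique and entry name only, so a baselined name that starts pointing at a new binary would still be suppressed; comparing `detail` against the recorded value closes that gap for registry entries.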
### Mitigation
- Registry hardening: restrict writes to Run/RunOnce keys to administrators
- Regularly audit for and remove web shells on exposed servers
- Implement Secure Boot to make firmware persistence harder
- Restrict scheduled task creation to privileged users
- Monitor service accounts for unauthorized modifications
## Relevance to LATAM/Brazil
Web shells are widely used by groups that compromise Brazilian web servers, especially government and corporate portals running outdated platforms (WordPress, Joomla, legacy PHP). Persistence via [[t1547-001-registry-run-keys|Registry Run Keys]] is the favored approach of banking malware such as [[s0531-grandoreiro|Grandoreiro]] and [[mekotio|Mekotio]] for surviving reboots.
- [[ta0002-execution|TA0002 - Execution]]: previous phase
- [[ta0004-privilege-escalation|TA0004 - Privilege Escalation]]: next phase
- [[t1547-001-registry-run-keys|T1547.001 - Registry Run Keys]]: persistence via the registry
- [[t1505-003-web-shell|T1505.003 - Web Shell]]: backdoor on a web server
- [[t1053-005-scheduled-task|T1053.005 - Scheduled Task]]: persistence via scheduling
- [[t1098-account-manipulation|T1098 - Account Manipulation]]: backdoor via an account
- [[t1542-001-system-firmware|T1542.001 - System Firmware]]: firmware persistence
- [[g1017-volt-typhoon|Volt Typhoon]]: reference for discreet persistence
- [[_techniques|Techniques Index]]: overview of all documented techniques
## References
- [[ta0003-*|MITRE ATT&CK - TA0003 Persistence]]
- [CISA — Web Shells Detection and Prevention](https://www.cisa.gov/news-events/cybersecurity-advisories)