Check an IP Address, Domain Name, Subnet, or ASN
113.214.18.234 has a threat confidence score of 100%. This IP address from China (AS24139, Huashu media&Network Limited) has been observed in 1,061 honeypot sessions targeting the DOCKER and REDIS protocols. Detected attack patterns include "docker remote api full execution chain" and "redis cron persistence via config and save sequence". First observed on January 24, 2026, most recently active April 11, 2026.
Identifies a complete abuse sequence of an exposed Docker Remote API where an actor verifies daemon availability (_ping), probes API version, performs HTTP method interactions, creates a container, and attaches to its stream for interactive command execution. This pattern reflects deliberate remote container deployment followed by direct execution or session control inside the container.
Identifies a full Redis exploitation sequence where the attacker performs configuration introspection, modifies persistence parameters (CONFIG SET dir, CONFIG SET dbfilename), optionally disables write protections (stop-writes-on-bgsave-error), flushes existing data, implants a cron-formatted payload (base64 or Python dropper variant), and triggers SAVE to write the malicious cron file to disk. This tightly coupled chain reflects automated exploitation of exposed Redis services to achieve host-level persistence via cron injection. The behavior indicates deliberate filesystem redirection and the establishment of scheduled command execution, commonly observed in botnet propagation and cryptomining campaigns targeting unauthenticated Redis instances.
Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.
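The two Redis patterns above (the CONFIG SET dir / dbfilename / SAVE persistence chain and INFO reconnaissance) can be matched as an ordered sequence over a session transcript. The detector below is an added example, not the lookup service's own signature logic; it assumes a transcript with one client command per line, and the sample session, cron directory list and placeholder payload are constructed here for illustration.

```python
import re

# Constructed Redis honeypot session transcript (one client command per line);
# not a real capture. The SET value is a harmless placeholder.
SAMPLE_SESSION = """\
INFO
CONFIG SET dir /var/spool/cron
CONFIG SET dbfilename root
CONFIG SET stop-writes-on-bgsave-error no
FLUSHALL
SET x "\\n*/1 * * * * PLACEHOLDER\\n"
SAVE
"""
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/crontabs")  # assumed watchlist
# Core stages that must appear in this order for the chain to be complete.
CORE = [
    ("set_dir", re.compile(r"^config\s+set\s+dir\s+(\S+)$", re.I)),
    ("set_dbfilename", re.compile(r"^config\s+set\s+dbfilename\s+(\S+)$", re.I)),
    ("save", re.compile(r"^(?:bg)?save$", re.I)),
]
# Supporting commands that raise confidence but are not required for a match.
SUPPORT = {
    "info": re.compile(r"^info\b", re.I),
    "disable_bgsave_guard": re.compile(r"^config\s+set\s+stop-writes-on-bgsave-error\s+no$", re.I),
    "flush": re.compile(r"^flush(?:all|db)\b", re.I),
    # Crude heuristic: a SET value containing five crontab schedule fields.
    "cron_formatted_value": re.compile(r"^set\s+\S+\s+.*(?:[*\d/,-]+\s+){5}\S", re.I),
}

def analyse_session(transcript):
    """Walk the commands in order; report which stages were seen and a verdict."""
    seen, target_dir, stage = [], None, 0
    support = {k: False for k in SUPPORT}
    for raw in transcript.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        # Advance the ordered core chain only when the next expected stage matches.
        if stage < len(CORE) and (m := CORE[stage][1].match(cmd)):
            seen.append(CORE[stage][0])
            if stage == 0:
                target_dir = m.group(1).rstrip("/")
            stage += 1
            continue
        for key, pattern in SUPPORT.items():
            if pattern.match(cmd):
                support[key] = True
    complete = stage == len(CORE)
    return {"stages": seen, "support": support, "target_dir": target_dir,
            "chain_complete": complete,
            "cron_persistence": complete and target_dir in CRON_DIRS}
```

`chain_complete` alone flags any dir/dbfilename/SAVE redirection, while `cron_persistence` requires the target directory to be on the cron watchlist; out-of-order commands do not advance the chain.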