117.72.108.18 has a threat confidence score of 90%. This IP address from China (AS141679, China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch) has been observed in 107 honeypot sessions targeting SSH protocols. It was first observed on April 20, 2026, and was most recently active on April 21, 2026.
Identifies the use of SCP in quiet mode (-q) with “to” mode (-t), indicating the remote system is receiving a file. This pattern is commonly associated with post-authentication payload delivery, lateral movement staging, or tool transfer to a compromised host.
Identifies SSH sessions where the actor executes uname -s -v -n -r -m to retrieve detailed kernel, hostname, architecture, and OS version information for environment profiling and post-access decision making.