Removal of filesystem attribute protections from the user’s .ssh directory followed by deletion and recreation of the directory and insertion of a new public key into authorized_keys. This pattern reflects deliberate modification of SSH trust configuration to establish persistent key-based access.

Identifies SSH session activity where the attacker executes uname -s -m to retrieve the operating system name and machine architecture for host fingerprinting and payload targeting.