170.64.191.68 has a threat confidence score of 98%. This IP address from Australia (AS14061, DigitalOcean, LLC) has been observed in 78 honeypot sessions targeting the SSH protocol. Detected attack patterns include SSH hardened host profiling and shell rc immutability bypass. First observed on February 1, 2026; most recently active on March 15, 2026.
Identifies SSH post-auth activity combining resilient multi-source CPU enumeration (explicit /usr/bin/nproc fallback) with removal of the immutable flag from ~/.shellrc via chattr, indicating host profiling followed by shell configuration tampering for persistence preparation.
Post-access host reconnaissance performed over SSH to evaluate system capabilities and confirm shell privilege context. The activity fingerprints the operating system and kernel, determines CPU architecture and core count, checks for GPU presence, enumerates interactive users, extracts network routing information, validates the hosting organization via external IP lookup, and confirms the current execution identity. This pattern is commonly observed after initial access when attackers assess whether the compromised host is suitable for compute-intensive workloads, lateral movement, or payload deployment.