Removal of filesystem attribute protections from the user’s .ssh directory followed by deletion and recreation of the directory and insertion of a new public key into authorized_keys. This pattern reflects deliberate modification of SSH trust configuration to establish persistent key-based access.

Identifies an SSH session performing comprehensive automated host reconnaissance (CPU, memory, disk, processes, users), followed by credential modification and SSH key manipulation consistent with scripted post-compromise takeover and persistence establishment.