Identifies an SSH session performing broad system, network, identity, filesystem, and service enumeration in a single execution sequence. The behavior combines environment fingerprinting (kernel, CPU, uptime), user and credential surface inspection (/etc/passwd, /etc/shadow, history), network topology discovery (interfaces, routes, listening ports), process and service inventory, writable directory validation, and connectivity testing. This pattern reflects automated post-compromise host profiling used by botnets, cryptominers, and lateral-movement frameworks to determine system suitability and operational value.