Identifies an SSH session performing broad system, network, identity, filesystem, and service enumeration in a single execution sequence. The behavior combines environment fingerprinting (kernel, CPU, uptime), user and credential surface inspection (/etc/passwd, /etc/shadow, history), network topology discovery (interfaces, routes, listening ports), process and service inventory, writable directory validation, and connectivity testing. This pattern reflects automated post-compromise host profiling used by botnets, cryptominers, and lateral-movement frameworks to determine system suitability and operational value.

Identifies structured post-authentication SSH activity consistent with automated host qualification and capability assessment. The session performs broad system enumeration including kernel and version queries, CPU and process inspection, network configuration and listening service discovery, service inventory via systemctl, credential file probing (/etc/passwd, /etc/shadow), hostname retrieval (command and file read), root and filesystem inspection, connectivity validation via ping, temporary file creation and cleanup, and command resolution checks to evaluate system suitability for further exploitation or staging.