23.97.62.145 has a threat confidence score of 100%. This IP address from Singapore (AS8075, Microsoft Corporation) has been observed in 127 honeypot sessions targeting SSH protocols. Detected attack patterns include ssh comprehensive host reconnaissance sequence, ssh post auth comprehensive host profiling, ssh post auth system census with credential probe. First observed on February 14, 2026, most recently active April 19, 2026.
Identifies an SSH session performing broad system, network, identity, filesystem, and service enumeration in a single execution sequence. The behavior combines environment fingerprinting (kernel, CPU, uptime), user and credential surface inspection (/etc/passwd, /etc/shadow, history), network topology discovery (interfaces, routes, listening ports), process and service inventory, writable directory validation, and connectivity testing. This pattern reflects automated post-compromise host profiling used by botnets, cryptominers, and lateral-movement frameworks to determine system suitability and operational value.
Identifies structured post-authentication SSH activity consistent with automated host qualification and capability assessment. The session performs broad system enumeration including kernel and version queries, CPU and process inspection, network configuration and listening service discovery, service inventory via systemctl, credential file probing (/etc/passwd, /etc/shadow), hostname retrieval (command and file read), root and filesystem inspection, connectivity validation via ping, temporary file creation and cleanup, and command resolution checks to evaluate system suitability for further exploitation or staging.
Automated SSH session performing a structured full-system census following successful authentication. The activity enumerates kernel, hardware, memory, environment variables, network topology, listening services, running processes, mounted filesystems, and root directories while probing /etc/passwd and /etc/shadow, validating command availability, and performing temporary file write/delete tests. The pattern indicates scripted post-compromise host inventory and credential surface validation prior to persistence or payload deployment.
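The three pattern descriptions above all hinge on the same observation: a single session touching many enumeration categories (environment, credentials, network, services, filesystem, connectivity, tool availability) is far more likely to be a scripted host census than interactive administration. The following Python is an added illustration of how a defender might score a captured honeypot session that way; it is not the lookup service's own signature logic, and the category regexes, the breadth threshold of five categories and the sample sessions are assumptions constructed for this example.

```python
"""Score one SSH session's command list for breadth of host enumeration.

Added example: the categories, regexes and threshold are illustrative
assumptions, not the detection rules behind the patterns listed above.
"""
import re
from collections import defaultdict

# Category -> regexes applied to each command line (assumed heuristics).
CATEGORY_PATTERNS = {
    "environment": [r"\buname\b", r"/proc/cpuinfo", r"\buptime\b", r"\bfree\b",
                    r"/etc/os-release", r"\bnproc\b"],
    "credentials": [r"/etc/passwd", r"/etc/shadow", r"\.bash_history",
                    r"\bid\b", r"\bwhoami\b"],
    "network": [r"\bip\s+(a|addr|route|r)\b", r"\bifconfig\b", r"\bnetstat\b",
                r"\bss\s+-", r"\broute\b"],
    "services": [r"\bsystemctl\b", r"\bps\s", r"\bservice\b"],
    "filesystem": [r"\bmount\b", r"\bdf\b", r"\bls\s+(-\S+\s+)?/", r"/tmp/",
                   r"/dev/shm"],
    "connectivity": [r"\bping\b", r"\bcurl\s+https?://", r"\bwget\s+https?://"],
    "tool_check": [r"\bwhich\b", r"\bcommand\s+-v\b"],
}

COMPILED = {cat: [re.compile(p) for p in pats]
            for cat, pats in CATEGORY_PATTERNS.items()}


def classify_command(cmd):
    """Return the set of enumeration categories one command line touches."""
    return {cat for cat, pats in COMPILED.items()
            if any(p.search(cmd) for p in pats)}


def profile_session(commands, min_categories=5):
    """Group a session's commands by category and report whether the
    breadth of enumeration meets the (assumed) profiling threshold."""
    hits = defaultdict(list)
    for cmd in commands:
        for cat in classify_command(cmd):
            hits[cat].append(cmd)
    covered = sorted(hits)
    return {
        "categories": covered,
        "breadth": len(covered),
        "matches_profiling": len(covered) >= min_categories,
        "credential_probe": "credentials" in hits,
        "hits": dict(hits),
    }


# Constructed sample session modelled on the behaviour described above.
SAMPLE_SESSION = [
    "uname -a",
    "cat /proc/cpuinfo | grep name | head -n 1",
    "uptime",
    "cat /etc/passwd",
    "cat /etc/shadow",
    "ip route",
    "ss -ltn",
    "systemctl list-units --type=service",
    "ps aux",
    "touch /tmp/.t && rm /tmp/.t",
    "ping -c 1 8.8.8.8",
    "which curl wget python3",
]

# Constructed session that looks like an operator reading a log file.
BENIGN_SESSION = ["ls", "cd /var/log", "tail -n 50 syslog", "exit"]

if __name__ == "__main__":
    for name, session in (("sample", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        result = profile_session(session)
        print(name, result["breadth"], result["categories"],
              "PROFILING" if result["matches_profiling"] else "no match")
```

Run against the constructed session the scorer covers all seven categories and flags it, while the benign log-reading session covers none. The threshold is the tuning knob: an administrator will legitimately run `uname` and `ss -ltn` in one session, so the signal is breadth across categories within a short window, not any single command, which is also why the credential probe is reported separately rather than folded into the score.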