Identifies an SSH session performing broad system, network, identity, filesystem, and service enumeration in a single execution sequence. The behavior combines environment fingerprinting (kernel, CPU, uptime), user and credential surface inspection (/etc/passwd, /etc/shadow, history), network topology discovery (interfaces, routes, listening ports), process and service inventory, writable directory validation, and connectivity testing. This pattern reflects automated post-compromise host profiling used by botnets, cryptominers, and lateral-movement frameworks to determine system suitability and operational value.

Automated SSH session performing a structured full-system census following successful authentication. The activity enumerates kernel, hardware, memory, environment variables, network topology, listening services, running processes, mounted filesystems, and root directories while probing /etc/passwd and /etc/shadow, validating command availability, and performing temporary file write/delete tests. The pattern indicates scripted post-compromise host inventory and credential surface validation prior to persistence or payload deployment.