Identifies a structured MongoDB reconnaissance sequence performed by a modern PyMongo client operating from a Kubernetes-orchestrated Linux container. The actor negotiates server capabilities using a hello / ismaster handshake, enumerates server build metadata via buildinfo, performs lightweight database name discovery using listDatabases with nameOnly, and explicitly terminates logical sessions using endSessions. This pattern reflects automated tooling or scripted workflows conducting deployment fingerprinting, access surface mapping, and compatibility validation prior to further database interaction.

Composite behavior identifying authenticated SMB activity where a client accesses both IPC$ and data shares, performs root directory reads, and binds to SAMR and SRVSVC RPC interfaces. This sequence is consistent with structured remote enumeration of host configuration, shared resources, and account information, often conducted prior to lateral movement or privilege escalation attempts.

FTP session where the client enters passive mode (PASV) and issues a LIST command to retrieve a directory listing from the server.

FTP session where the client authenticates, queries the working directory, sets transfer mode, and enters passive mode without performing any file transfer or directory listing.

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

HTTP request using GET method.