Check an IP Address, Domain Name, Subnet, or ASN
77.42.88.138 has a threat confidence score of 100%. This IP address from Finland (AS24940, Hetzner Online GmbH) has been observed in 413 honeypot sessions targeting SSH protocols. Detected attack patterns include ssh full host reconnaissance snapshot, ssh hardened host profiling and shell rc immutability bypass. First observed on March 14, 2026, most recently active March 20, 2026.
ssh full host reconnaissance snapshot: Comprehensive post-authentication SSH reconnaissance behavior in which an actor performs broad system, network, and environment enumeration in a single session. This includes kernel and OS fingerprinting, CPU and memory inspection, network interface and routing discovery, open port enumeration, process listing, credential file probing, service enumeration, and temporary file write/delete testing. The pattern indicates automated host profiling for capability assessment and potential lateral movement preparation.
ssh hardened host profiling and shell rc immutability bypass: Identifies SSH post-authentication activity that combines resilient multi-source CPU enumeration (with an explicit /usr/bin/nproc fallback) with removal of the immutable flag from ~/.shellrc via chattr, indicating host profiling followed by shell configuration tampering in preparation for persistence.