Identifies a complete Redis exploitation workflow where an attacker performs configuration introspection, modifies snapshot directory and filename parameters (CONFIG SET dir, CONFIG SET dbfilename), targets system cron directories (e.g., /etc/cron.d, /etc, crontabs), implants scheduled execution payloads (HTTP pipe-to-shell, wget, root cron variants, or obfuscated droppers), and triggers SAVE to write the malicious cron file to disk. This tightly coupled sequence reflects automated host-level persistence establishment via cron injection through misconfigured or unauthenticated Redis services. The behavior captures filesystem redirection, scheduled execution staging, and persistence activation in a single deterministic chain, strongly associated with botnet propagation and cryptomining campaigns.

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.