Post-authentication SSH activity performing structured host viability assessment. The session probes credential files (/etc/passwd, /etc/shadow), enumerates root and mounted filesystems, inspects running services and processes, snapshots listening ports, resolves command availability, and performs temporary file write/delete testing. The pattern indicates automated evaluation of a compromised Linux system to determine privilege level, credential exposure, persistence opportunities, and suitability for payload deployment.
This behavioral pattern is part of the SikkerAPI detection catalog and is actively monitored across our global honeypot network. No IPs in the current retention window have triggered this detection signature.
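One way to score a session's command log against the behaviour categories in the description above. This is an added example, not SikkerAPI's detection logic; the regexes, the four-category threshold, the function name `assess_session` and both sample sessions are assumptions constructed for illustration.

```python
import re

# Categories come from the description above; the regexes, threshold and
# sample sessions are constructed assumptions, not SikkerAPI's signature.
CATEGORIES = {
    "credential_files": re.compile(r"/etc/(passwd|shadow)\b"),
    "filesystems": re.compile(r"^(df|mount|lsblk|findmnt)\b"),
    "services_processes": re.compile(r"^(ps|top|systemctl|service)\b"),
    "listening_ports": re.compile(r"^(ss|netstat)\s+-\w*l"),
    "command_availability": re.compile(r"^(which|type|whereis|command\s+-v)\b"),
}
# Naive split on shell separators; separators inside quotes are not handled.
SPLIT = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
WRITE = re.compile(r"(?:\btouch\s+|>\s*)(/(?:tmp|var/tmp|dev/shm)/\S+)")
DELETE = re.compile(r"^rm\s+(?:-\w+\s+)*(/\S+)")

def assess_session(commands, threshold=4):
    """Return the behaviour categories seen in one session's command log."""
    hits, written = {}, set()
    for line in commands:
        for cmd in SPLIT.split(line.strip()):
            for name, rx in CATEGORIES.items():
                if rx.search(cmd):
                    hits.setdefault(name, []).append(cmd)
            w = WRITE.search(cmd)
            if w:
                written.add(w.group(1))
            d = DELETE.search(cmd)
            # Count the write test only when the same temp path is removed.
            if d and d.group(1) in written:
                hits.setdefault("temp_write_delete", []).append(cmd)
    return {"categories": sorted(hits), "match": len(hits) >= threshold}

# Constructed honeypot session covering every category in the description.
PROBE_SESSION = [
    "cat /etc/passwd; cat /etc/shadow",
    "df -h; mount",
    "ps aux | head -50",
    "ss -tlnp",
    "which wget curl python3",
    "echo test > /tmp/.probe && rm -f /tmp/.probe",
]
# Constructed routine admin session; overlaps on two categories only.
ADMIN_SESSION = ["ls -la /var/www", "systemctl status nginx", "df -h"]

if __name__ == "__main__":
    for label, session in (("probe", PROBE_SESSION), ("admin", ADMIN_SESSION)):
        print(label, assess_session(session))
```

Requiring several distinct categories in one session, rather than alerting on any single command, is what separates this pattern from ordinary administration, which routinely touches one or two of them.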