Non-Interactive SSH Attacks Now Dominate Post-Login Activity, Research Shows
A new study analyzing SSH honeypots reveals a significant shift in attacker tactics, with non-interactive commands making up over 99% of post-login sessions.

The common perception of attackers gaining access to a server via SSH and then manually exploring the system with interactive commands is increasingly a relic of the past. New research analyzing data from eleven SSH honeypots deployed on cloud servers indicates a dramatic shift in post-compromise attacker behavior. The study, conducted by researchers at the Czech Technical University in Prague, found that non-interactive SSH sessions overwhelmingly dominate activity after initial authentication.
Over a fifteen-day period in late May and early June, the honeypots logged a substantial 177,622 authenticated SSH sessions. Of these, a staggering 99.23% were non-interactive. These sessions involve a client logging in, executing a single command, reading the output, and disconnecting, often completing the entire exchange in under a second. In stark contrast, traditional interactive shell sessions, where an attacker manually types commands, accounted for a mere 0.10% of the logged activity. File transfers made up the small remainder.
To validate their findings, the researchers cross-referenced their data with an independent dataset from CZ.NIC, which operates a large-scale honeypot service utilizing thousands of Cowrie sensors. This independent analysis, covering over a quarter of a million logged-in sessions during the same timeframe, corroborated the trend. Among sessions that executed at least one command, 92.67% consisted of exactly one command, reinforcing the conclusion that automated, single-command probes are the new norm.
The majority of this non-interactive traffic appears to be focused on reconnaissance. The ten most common commands observed were primarily used to gather basic system information, such as the operating system and kernel version (variants of uname), processor count, logged-in user, and system uptime. This data helps automated campaigns quickly assess a system's value and suitability for further exploitation.
A smaller but notable portion of the non-interactive commands were designed to test the integrity of the honeypot itself. Attackers sent base64-encoded strings to check for expected output, performed simple arithmetic operations, or attempted to write and read files to confirm the system was functioning as expected. This behavior is particularly relevant for newer honeypots employing AI-generated responses, as these tests can potentially detect artificial or incorrect output.
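The session breakdown and command categories described above can be reproduced on a defender's own honeypot logs. The Python below is an added example, not code from the study, CZ.NIC or Cowrie: it classifies sessions by SSH channel request type, computes the single-command share, and tags commands as reconnaissance or integrity tests. The session records, field names and regular expressions are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample, one record per authenticated session. The field names are
# assumptions for this example; "request" is the SSH channel request type
# (RFC 4254: "exec", "shell", "subsystem"; subsystem is assumed to be SFTP).
SESSIONS = [
    {"request": "exec", "commands": ["uname -a"]},
    {"request": "exec", "commands": ["uname -s -v -n -r -m"]},
    {"request": "exec", "commands": ["echo dGVzdA== | base64 -d"]},
    {"request": "exec", "commands": ["echo $((7*6))"]},
    {"request": "exec", "commands": ["nproc", "uptime"]},
    {"request": "exec", "commands": ["echo ok > /tmp/.t; cat /tmp/.t"]},
    {"request": "exec", "commands": ["whoami"]},
    {"request": "exec", "commands": ["scp -t /tmp/upload"]},
    {"request": "shell", "commands": ["whoami", "ls -la", "cat /proc/cpuinfo"]},
    {"request": "subsystem", "commands": []},
]

RECON = re.compile(r"^\s*(uname|nproc|whoami|uptime|cat /proc/cpuinfo)\b")
INTEGRITY = re.compile(r"base64|\$\(\(.+\)\)|>\s*\S+.*\bcat\b")

def session_kind(s):
    """Map one session to the three categories used in the article."""
    if s["request"] == "subsystem" or any(c.startswith("scp ") for c in s["commands"]):
        return "file-transfer"  # scp rides on an exec request, so check it first
    return "interactive" if s["request"] == "shell" else "non-interactive"

def command_tag(cmd):
    """Rough purpose of a command: output self-test, system recon, or other."""
    if INTEGRITY.search(cmd):
        return "integrity-test"
    return "recon" if RECON.search(cmd) else "other"

def summarize(sessions):
    kinds = Counter(session_kind(s) for s in sessions)
    # Sessions that ran at least one command, excluding file transfers.
    ran = [s for s in sessions if s["commands"] and session_kind(s) != "file-transfer"]
    single = sum(1 for s in ran if len(s["commands"]) == 1)
    tags = Counter(command_tag(c) for s in ran
                   if session_kind(s) == "non-interactive" for c in s["commands"])
    return {
        "share_pct": {k: round(100 * n / len(sessions), 2) for k, n in kinds.items()},
        "single_command_pct": round(100 * single / len(ran), 2),
        "exec_tags": dict(tags),
    }

if __name__ == "__main__":
    print(summarize(SESSIONS))
```

A honeypot that rejects exec requests would record none of the sessions counted as non-interactive here, which is the measurement gap the study points to.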
Interestingly, the study found little evidence of attackers actively trying to identify honeypots through their commands, such as looking for specific honeypot process names. Furthermore, despite growing concerns about prompt injection attacks against AI models, the researchers found no instances of prompt-injection strings or mentions of AI or model names within the attacker traffic, suggesting this specific threat vector is not yet prevalent in SSH compromise scenarios.
The trend towards non-interactive SSH attacks is not new, according to historical data. CZ.NIC's archives, dating back to 2017, show that non-interactive traffic has been the majority since around 2018. A notable spike occurred in October 2024, when the non-interactive share jumped significantly, coinciding with an increase in overall SSH attack volume.
This research carries important implications for the design and evaluation of security tools, particularly honeypots. Traditional metrics focused on attacker engagement duration or the number of commands executed may become less relevant. Honeypots that only offer interactive shells or refuse non-interactive requests might be providing an incomplete or even misleading picture of current attacker methodologies. Recognizing and analyzing this high-volume, low-interaction traffic is crucial for understanding and defending against modern post-compromise operations.