T1021.004: T1021.004

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 19:27 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1021.004
Confidence: 100/100
Revoked: No
Published: 11/02/2020 19:27
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

SSH

Platforms

macos linux ESXi

Description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).

Kill chain phases

Kill chain	Phase
mitre-attack	lateral-movement

Marking (TLP)

External references

TrendMicro ESXI Ransomware
mitre-attack (T1021.004)
Sygnia Abyss Locker 2025
Sygnia ESXi Ransomware 2025
Apple Unified Log Analysis Remote Login and Screen Sharing

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (53)

UNC3886 uses

The MITRE Corporation Confidence 100

[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1132 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Outlaw uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GCMAN uses

The MITRE Corporation Confidence 100

[GCMAN](https://attack.mitre.org/groups/G0036) is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Quad7 botnet operators uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kyber uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
menuPass uses CicadaPOTASSIUM

The MITRE Corporation Confidence 100

[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…

First seen 01/01/1970 · Last seen 16/11/5138 ·
OilRig uses COBALT GYPSYIRN2

The MITRE Corporation Confidence 100

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…

First seen 01/01/1970 · Last seen 16/11/5138 ·
vpmdhaj uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TeamTNT uses

The MITRE Corporation Confidence 100

[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 53

PCPJack uses

Family
Vect uses

Family
MicrosoftPrt.exe uses

Family
Dark Crystal RAT uses

Family
gsocket uses

Family
reGeorg uses
Chaos - S0220 uses

Family
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Superfetch.exe uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kraken uses

Family
Kinsing uses
SLAYSTYLE uses

Family

← Previous

Page / 7

25–36 of 73

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst … related

AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Operation Poisson – Analyzing a Cybercriminal’s Entire Operation related

AlienVault Confidence 100 20 MITREs 2 Malwares 13 IOCs 6 Observables 1 APT
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
Inside the Cross-Platform Propagation of a New Gafgyt … related

AlienVault Confidence 100 5 CVEs 20 MITREs 2 Malwares 18 IOCs 18 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Typosquatted npm packages used to steal cloud and … related

20 MITREs 4 Observables 1 APT
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
From edge appliance to enterprise compromise: Multi-stage Linux … related

5 CVEs 14 MITREs 2 Malwares 5 Observables
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities related

AlienVault Confidence 100 7 CVEs 20 MITREs 9 Malwares 26 IOCs 26 Observables 1 APT
PCPJack | Cloud Worm Evicts TeamPCP and Steals … related

AlienVault Confidence 100 5 CVEs 24 MITREs 2 Malwares 4 IOCs 4 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (78)

CVE-2025-49596 targets

9.4 Critical

The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to …

Published: 20/12/2025
Modified: 21/12/2025

Received

CVE-2026-1340 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 29/01/2026
Modified: 10/04/2026

CWE-94 Received

CVE-2016-15047 targets

8.7 High

AVTECH devices that include the CloudSetup.cgi management endpoint are vulnerable to authenticated OS command injection. The `exefile` parameter in CloudSetup.cgi is passed …

EPSS: 0.0037 (P58.9%)
Published: 04/06/2026
Modified: 04/06/2026

Received

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2026-20128 KEV targets

7.5 High

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain …

Attack vector: Local
Complexity: High
Published: 25/02/2026
Modified: 15/05/2026

CWE-257 Received

CVE-2026-20122 KEV targets

5.4 Medium

A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the …

Attack vector: NETWORK
Complexity: LOW
Published: 25/02/2026
Modified: 15/05/2026

CWE-648 Received

CVE-2025-21590 KEV targets

4.4 Medium

An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to …

Attack vector: Local
Published: 13/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-27137 targets

Published: 04/06/2026
Modified: 04/06/2026

CVE-2025-14847 KEV targets

8.7 High

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue …

Attack vector: NETWORK
Published: 19/12/2025
Modified: 26/01/2026

Awaiting Analysis

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2024-9381 targets

7.2 High

Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

Attack vector: NETWORK
Published: 08/10/2024
Modified: 21/12/2025

Analyzed

CVE-2026-20127 KEV targets

10.0 Critical

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, …

Attack vector: NETWORK
Complexity: LOW
Published: 25/02/2026
Modified: 18/06/2026

CWE-287 Analyzed

← Previous

Page / 7

13–24 of 78

T1021 subtechnique-of

Remote Services MITRE

Campaign (1)

Leviathan Australian Intrusions uses

Course Of Action (1)

Disable or Remove Feature or Program mitigates

Tool (1)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use