T1021.004: T1021.004

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 19:27 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1021.004
Confidence: 100/100
Revoked: No
Published: 11/02/2020 19:27
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

SSH

Platforms

macos linux ESXi

Description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).

Kill chain phases

Kill chain	Phase
mitre-attack	lateral-movement

Marking (TLP)

External references

TrendMicro ESXI Ransomware
mitre-attack (T1021.004)
Sygnia Abyss Locker 2025
Sygnia ESXi Ransomware 2025
Apple Unified Log Analysis Remote Login and Screen Sharing

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (53)

8220 Gang related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-13 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-13, Sandworm, FROZENBARENTS related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT39 related ITG07Chafer

The MITRE Corporation Confidence 100

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT5 related Mulberry TyphoonMANGANESE

The MITRE Corporation Confidence 100

[APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Aquatic Panda related

The MITRE Corporation Confidence 100

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Beast related

Ransomware.Live Confidence 100

Beast is a Ransomware-as-a-service (RaaS) product which provides functionality such as SMB scanning, file encryption, service and process starting and stopping, and geographic identification to avoid encryption in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackTech related Palmerworm

The MITRE Corporation Confidence 100

[BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://attack.mitre.org/groups/G0098)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Curly COMrades related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly related BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN13 related Elephant Beetle

The MITRE Corporation Confidence 100

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Fox Kitten related UNC757Parisite

The MITRE Corporation Confidence 100

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

25–36 of 53

UPDTAE uses

Family
zylogin uses

Family
RushDrop uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Monster uses

Family
BUSYBOX uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
EarthWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
XWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PowerShort uses

Family
ReverseSocks5 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
httd uses

Family
Powertrash uses

Family
Dota uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 73

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst … related

AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Operation Poisson – Analyzing a Cybercriminal’s Entire Operation related

AlienVault Confidence 100 20 MITREs 2 Malwares 13 IOCs 6 Observables 1 APT
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
Inside the Cross-Platform Propagation of a New Gafgyt … related

AlienVault Confidence 100 5 CVEs 20 MITREs 2 Malwares 18 IOCs 18 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Typosquatted npm packages used to steal cloud and … related

20 MITREs 4 Observables 1 APT
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
From edge appliance to enterprise compromise: Multi-stage Linux … related

5 CVEs 14 MITREs 2 Malwares 5 Observables
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities related

AlienVault Confidence 100 7 CVEs 20 MITREs 9 Malwares 26 IOCs 26 Observables 1 APT
PCPJack | Cloud Worm Evicts TeamPCP and Steals … related

AlienVault Confidence 100 5 CVEs 24 MITREs 2 Malwares 4 IOCs 4 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (78)

CVE-2025-55184 targets

7.5 High

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the …

Attack vector: NETWORK
Published: 11/12/2025
Modified: 21/12/2025

Modified

CVE-2022-22963

targets

CVE-2025-48703 KEV targets

9.0 Critical

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell …

Attack vector: Network
Published: 04/11/2025
Modified: 08/05/2026

Received

CVE-2024-8963 KEV targets

9.4 Critical

Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If …

Attack vector: Network
Published: 19/09/2024
Modified: 21/12/2025

Analyzed

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2021-45461 targets

9.8 Critical

FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as …

Attack vector: NETWORK
Published: 22/12/2021
Modified: 28/01/2026

CVE-2025-8110 KEV targets

8.7 High

Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.

Attack vector: NETWORK
Published: 20/12/2025
Modified: 22/01/2026

Awaiting Analysis

CVE-2022-41328 KEV targets

6.7 Medium

Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI …

Attack vector: Local
Published: 14/03/2023
Modified: 21/12/2025

CVE-2019-19006 KEV targets

9.8 Critical

Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the …

Attack vector: NETWORK
Complexity: Low
Published: 21/11/2019
Modified: 18/06/2026

CWE-287

CVE-2025-32819 targets

8.8 High

A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an …

Attack vector: NETWORK
Published: 07/05/2025
Modified: 21/12/2025

Received

CVE-2023-3519 KEV targets

9.8 Critical

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Attack vector: Network
Published: 19/07/2023
Modified: 27/05/2026

CVE-2026-1357 targets

9.8 Critical

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up …

Attack vector: Network
Published: 11/02/2026
Modified: 08/05/2026

Awaiting Analysis

← Previous

Page / 7

1–12 of 78

T1021 subtechnique-of

Remote Services MITRE

Campaign (1)

Leviathan Australian Intrusions uses

Course Of Action (1)

Disable or Remove Feature or Program mitigates

Tool (1)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use