T1021.004: T1021.004
Essential information
- MITRE technique ID
T1021.004- Confidence
- 100/100
- Revoked
- No
- Published
- 11/02/2020 19:27
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
SSH
Platforms
macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (53)
-
8220 Gang relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT-C-13 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Aquatic Panda relatedThe MITRE Corporation Confidence 100
[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Beast relatedRansomware.Live Confidence 100
Beast is a Ransomware-as-a-service (RaaS) product which provides functionality such as SMB scanning, file encryption, service and process starting and stopping, and geographic identification to avoid encryption in…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://attack.mitre.org/groups/G0098)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Curly COMrades relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (73)
-
UPDTAE usesFamily
-
zylogin usesFamily
-
RushDrop usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Monster usesFamily
-
BUSYBOX usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EarthWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
XWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PowerShort usesFamily
-
ReverseSocks5 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
httd usesFamily
-
Powertrash usesFamily
-
Dota usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
20 MITREs 4 Malwares 31 Observables 1 APT
-
1 CVE 16 MITREs 3 Malwares 9 Observables 1 APT
-
3 CVEs 15 MITREs 1 Malware 5 Observables 1 APT
-
5 CVEs 17 MITREs 6 Malwares 7 Observables
-
6 CVEs 11 MITREs 1 Malware
-
19 MITREs 2 Malwares 1 APT
-
17 MITREs 1 Malware 11 Observables 1 APT
-
11 MITREs 2 Malwares 4 Observables 1 APT
-
11 MITREs 1 Malware 3 Observables
-
8 MITREs 1 Observable
-
5 MITREs 3 Observables
-
7 MITREs
Vulnerabilities (CVE) (78)
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …
- Attack vector
- Network
- Published
- 31/10/2023
- Modified
- 21/12/2025
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication …
- Attack vector
- Network
- Complexity
- Low
- Published
- 09/04/2026
- Modified
- 29/04/2026
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can …
- Attack vector
- Network
- Published
- 09/10/2024
- Modified
- 21/12/2025
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …
- Attack vector
- Network
- Published
- 16/06/2025
- Modified
- 21/12/2025
targets
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including …
- Attack vector
- NETWORK
- Published
- 11/12/2025
- Modified
- 21/12/2025
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service …
- Attack vector
- NETWORK
- Published
- 12/12/2025
- Modified
- 21/12/2025
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …
- Attack vector
- Network
- Published
- 13/02/2026
- Modified
- 20/02/2026
D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.
- Attack vector
- Adjacent
- Complexity
- LOW
- Published
- 23/02/2015
- Modified
- 22/04/2026
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated …
- Attack vector
- NETWORK
- Published
- 17/02/2026
- Modified
- 22/02/2026
Campaign (1)
-
Leviathan Australian Intrusions uses
Course Of Action (1)
-
Disable or Remove Feature or Program mitigates
Tool (1)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…