T1021.004: T1021.004
Essential information
- MITRE technique ID
T1021.004- Confidence
- 100/100
- Revoked
- No
- Published
- 11/02/2020 19:27
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
SSH
Platforms
macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (53)
-
The MITRE Corporation Confidence 100
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LightBasin relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Nexus Team relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Poisson relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rocke relatedThe MITRE Corporation Confidence 100
[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Salt Typhoon relatedThe MITRE Corporation Confidence 100
[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Silver Dragon relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Storm-1811 relatedThe MITRE Corporation Confidence 100
[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TeamPCP relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UAC-0125 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (73)
-
UPDTAE usesFamily
-
zylogin usesFamily
-
RushDrop usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Monster usesFamily
-
BUSYBOX usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EarthWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
XWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PowerShort usesFamily
-
ReverseSocks5 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
httd usesFamily
-
Powertrash usesFamily
-
Dota usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
-
AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
-
AlienVault Confidence 100 20 MITREs 2 Malwares 13 IOCs 6 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
-
19 MITREs 3 Malwares 32 Observables 1 APT
-
AlienVault Confidence 100 5 CVEs 20 MITREs 2 Malwares 18 IOCs 18 Observables
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
20 MITREs 4 Observables 1 APT
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
5 CVEs 14 MITREs 2 Malwares 5 Observables
-
AlienVault Confidence 100 7 CVEs 20 MITREs 9 Malwares 26 IOCs 26 Observables 1 APT
-
AlienVault Confidence 100 5 CVEs 24 MITREs 2 Malwares 4 IOCs 4 Observables
Vulnerabilities (CVE) (78)
F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …
- Published
- 10/05/2022
- Modified
- 20/12/2025
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to …
- EPSS
- 0.0230 (P85.0%)
- Published
- 04/06/2026
- Modified
- 04/06/2026
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore …
- Attack vector
- Network
- Complexity
- Low
- Published
- 07/11/2025
- Modified
- 18/06/2026
Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected …
- Published
- 03/11/2021
- Modified
- 20/04/2026
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position …
- Attack vector
- NETWORK
- Published
- 28/11/2023
- Modified
- 21/12/2025
When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions …
- Attack vector
- Network
- Complexity
- Low
- Published
- 15/10/2025
- Modified
- 04/04/2026
Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 16/05/2025
- Modified
- 17/04/2026
Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 19/10/2017
- Modified
- 22/04/2026
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory …
- Published
- 24/06/2025
- Modified
- 24/06/2025
Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 11/03/2017
- Modified
- 22/04/2026
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector
- Network
- Published
- 02/11/2023
- Modified
- 21/12/2025
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may …
- Attack vector
- Network
- Published
- 09/06/2025
- Modified
- 27/05/2026
Campaign (1)
-
Leviathan Australian Intrusions uses
Course Of Action (1)
-
Disable or Remove Feature or Program mitigates
Tool (1)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…