T1021.004: T1021.004
Essential information
- MITRE technique ID
T1021.004- Confidence
- 100/100
- Revoked
- No
- Published
- 11/02/2020 19:27
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
SSH
Platforms
macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (53)
-
The MITRE Corporation Confidence 100
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LightBasin relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Nexus Team relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Poisson relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rocke relatedThe MITRE Corporation Confidence 100
[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Salt Typhoon relatedThe MITRE Corporation Confidence 100
[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Silver Dragon relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Storm-1811 relatedThe MITRE Corporation Confidence 100
[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TeamPCP relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UAC-0125 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (73)
-
UPDTAE usesFamily
-
zylogin usesFamily
-
RushDrop usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Monster usesFamily
-
BUSYBOX usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EarthWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
XWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PowerShort usesFamily
-
ReverseSocks5 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
httd usesFamily
-
Powertrash usesFamily
-
Dota usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
-
AlienVault Confidence 100 21 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
-
19 MITREs 10 Observables 1 APT
-
19 MITREs 1 Malware 3 Observables 1 APT
-
2 CVEs 19 MITREs 2 Malwares 14 Observables 1 APT
-
2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
-
2 CVEs 21 MITREs 2 Malwares 12 Observables
-
16 MITREs 10 Malwares 1 Observable
-
12 MITREs 2 Malwares 7 Observables 1 APT
-
20 MITREs 2 Malwares 5 Observables 1 APT
-
9 MITREs 1 Malware 16 Observables
Vulnerabilities (CVE) (78)
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the …
- Attack vector
- NETWORK
- Published
- 11/12/2025
- Modified
- 21/12/2025
targets
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell …
- Attack vector
- Network
- Published
- 04/11/2025
- Modified
- 08/05/2026
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If …
- Attack vector
- Network
- Published
- 19/09/2024
- Modified
- 21/12/2025
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
- Published
- 27/06/2022
- Modified
- 20/12/2025
FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as …
- Attack vector
- NETWORK
- Published
- 22/12/2021
- Modified
- 28/01/2026
Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.
- Attack vector
- NETWORK
- Published
- 20/12/2025
- Modified
- 22/01/2026
Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI …
- Attack vector
- Local
- Published
- 14/03/2023
- Modified
- 21/12/2025
Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the …
- Attack vector
- NETWORK
- Complexity
- Low
- Published
- 21/11/2019
- Modified
- 18/06/2026
A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an …
- Attack vector
- NETWORK
- Published
- 07/05/2025
- Modified
- 21/12/2025
Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.
- Attack vector
- Network
- Published
- 19/07/2023
- Modified
- 27/05/2026
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up …
- Attack vector
- Network
- Published
- 11/02/2026
- Modified
- 08/05/2026
Campaign (1)
-
Leviathan Australian Intrusions uses
Course Of Action (1)
-
Disable or Remove Feature or Program mitigates
Tool (1)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…