T1021.004: T1021.004

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 19:27 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1021.004
Confidence: 100/100
Revoked: No
Published: 11/02/2020 19:27
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

SSH

Platforms

macos linux ESXi

Description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).

Kill chain phases

Kill chain	Phase
mitre-attack	lateral-movement

Marking (TLP)

External references

TrendMicro ESXI Ransomware
mitre-attack (T1021.004)
Sygnia Abyss Locker 2025
Sygnia ESXi Ransomware 2025
Apple Unified Log Analysis Remote Login and Screen Sharing

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (53)

Indrik Spider related Manatee TempestDEV-0243

The MITRE Corporation Confidence 100

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Leviathan related MUDCARPKryptonite Panda

The MITRE Corporation Confidence 100

[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
LightBasin related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Nexus Team related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Poisson related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rocke related

The MITRE Corporation Confidence 100

[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon related

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Scattered Spider related Roasted 0ktapusOcto Tempest

The MITRE Corporation Confidence 100

[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silver Dragon related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-1811 related

The MITRE Corporation Confidence 100

[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TeamPCP related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAC-0125 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

37–48 of 53

UPDTAE uses

Family
zylogin uses

Family
RushDrop uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Monster uses

Family
BUSYBOX uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
EarthWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
XWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PowerShort uses

Family
ReverseSocks5 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
httd uses

Family
Powertrash uses

Family
Dota uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 73

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day … related

12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
Analysis of Attack Activities Using SSH+TOR Tunnels to … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
VECT: Ransomware by design, Wiper by accident related

AlienVault Confidence 100 21 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Attack Activity Analysis Using SSH+TOR Tunnels for Covert … related

19 MITREs 10 Observables 1 APT
Kyber Ransomware Double Trouble: Windows and ESXi Attacks … related

19 MITREs 1 Malware 3 Observables 1 APT
Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet … related

2 CVEs 19 MITREs 2 Malwares 14 Observables 1 APT
Live off the Land? How About Bringing Your … related

2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
CVE-2026-39987 update: How attackers weaponized marimo to deploy … related

2 CVEs 21 MITREs 2 Malwares 12 Observables
Q1 2026 Malware Statistics Report for Linux SSH … related

16 MITREs 10 Malwares 1 Observable
Beast Ransomware Toolkit: A Proactive Threat Intelligence Report related

12 MITREs 2 Malwares 7 Observables 1 APT
Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit … related

20 MITREs 2 Malwares 5 Observables 1 APT
Iranian Botnet Exposed via Open Directory: 15-Node Relay … related

9 MITREs 1 Malware 16 Observables

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (78)

CVE-2025-49596 targets

9.4 Critical

The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to …

Published: 20/12/2025
Modified: 21/12/2025

Received

CVE-2026-1340 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 29/01/2026
Modified: 10/04/2026

CWE-94 Received

CVE-2016-15047 targets

8.7 High

AVTECH devices that include the CloudSetup.cgi management endpoint are vulnerable to authenticated OS command injection. The `exefile` parameter in CloudSetup.cgi is passed …

EPSS: 0.0037 (P58.9%)
Published: 04/06/2026
Modified: 04/06/2026

Received

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2026-20128 KEV targets

7.5 High

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain …

Attack vector: Local
Complexity: High
Published: 25/02/2026
Modified: 15/05/2026

CWE-257 Received

CVE-2026-20122 KEV targets

5.4 Medium

A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the …

Attack vector: NETWORK
Complexity: LOW
Published: 25/02/2026
Modified: 15/05/2026

CWE-648 Received

CVE-2025-21590 KEV targets

4.4 Medium

An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to …

Attack vector: Local
Published: 13/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-27137 targets

Published: 04/06/2026
Modified: 04/06/2026

CVE-2025-14847 KEV targets

8.7 High

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue …

Attack vector: NETWORK
Published: 19/12/2025
Modified: 26/01/2026

Awaiting Analysis

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2024-9381 targets

7.2 High

Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

Attack vector: NETWORK
Published: 08/10/2024
Modified: 21/12/2025

Analyzed

CVE-2026-20127 KEV targets

10.0 Critical

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, …

Attack vector: NETWORK
Complexity: LOW
Published: 25/02/2026
Modified: 18/06/2026

CWE-287 Analyzed

← Previous

Page / 7

13–24 of 78

T1021 subtechnique-of

Remote Services MITRE

Campaign (1)

Leviathan Australian Intrusions uses

Course Of Action (1)

Disable or Remove Feature or Program mitigates

Tool (1)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use