T1021.004: T1021.004

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 19:27 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1021.004
Confidence: 100/100
Revoked: No
Published: 11/02/2020 19:27
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

SSH

Platforms

macos linux ESXi

Description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).

Kill chain phases

Kill chain	Phase
mitre-attack	lateral-movement

Marking (TLP)

External references

TrendMicro ESXI Ransomware
mitre-attack (T1021.004)
Sygnia Abyss Locker 2025
Sygnia ESXi Ransomware 2025
Apple Unified Log Analysis Remote Login and Screen Sharing

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (53)

Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Jumpy Pisces uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6148 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INJ3CTOR3 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
IronErn440 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kraken uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-9244 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Black Basta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8616 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
akira uses GOLD SAHARAPUNK SPIDER

The MITRE Corporation Confidence 100

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 53

UPDTAE uses

Family
zylogin uses

Family
RushDrop uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Monster uses

Family
BUSYBOX uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
EarthWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
XWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PowerShort uses

Family
ReverseSocks5 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
httd uses

Family
Powertrash uses

Family
Dota uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 73

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day … related

12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
Analysis of Attack Activities Using SSH+TOR Tunnels to … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
VECT: Ransomware by design, Wiper by accident related

AlienVault Confidence 100 21 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Attack Activity Analysis Using SSH+TOR Tunnels for Covert … related

19 MITREs 10 Observables 1 APT
Kyber Ransomware Double Trouble: Windows and ESXi Attacks … related

19 MITREs 1 Malware 3 Observables 1 APT
Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet … related

2 CVEs 19 MITREs 2 Malwares 14 Observables 1 APT
Live off the Land? How About Bringing Your … related

2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
CVE-2026-39987 update: How attackers weaponized marimo to deploy … related

2 CVEs 21 MITREs 2 Malwares 12 Observables
Q1 2026 Malware Statistics Report for Linux SSH … related

16 MITREs 10 Malwares 1 Observable
Beast Ransomware Toolkit: A Proactive Threat Intelligence Report related

12 MITREs 2 Malwares 7 Observables 1 APT
Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit … related

20 MITREs 2 Malwares 5 Observables 1 APT
Iranian Botnet Exposed via Open Directory: 15-Node Relay … related

9 MITREs 1 Malware 16 Observables

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (78)

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2025-22457 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before …

Attack vector: Network
Published: 04/04/2025
Modified: 21/12/2025

Received

CVE-2026-35273 KEV targets

9.8 Critical

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and …

Attack vector: NETWORK
Complexity: LOW
Published: 11/06/2026
Modified: 12/06/2026

CWE-306 Analyzed

CVE-2025-23304 targets

7.8 High

NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by …

Attack vector: LOCAL
Published: 13/08/2025
Modified: 17/04/2026

Awaiting Analysis

CVE-2022-22947 KEV targets

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Published: 16/05/2022
Modified: 20/12/2025

CVE-2026-20182 KEV targets

10.0 Critical

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was …

Attack vector: NETWORK
Complexity: LOW
Published: 14/05/2026
Modified: 18/06/2026

CWE-287 Analyzed

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2024-55947 targets

Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on …

Published: 23/12/2024
Modified: 24/12/2024

Awaiting Analysis

CVE-2025-32756 KEV targets

9.8 Critical

Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code …

Attack vector: Network
Published: 14/05/2025
Modified: 14/01/2026

CVE-2024-3721 targets

6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 13/04/2024
Modified: 21/12/2025

CVE-2022-35914 KEV targets

9.8 Critical

Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed.

Attack vector: Network
Published: 07/03/2023
Modified: 04/06/2026

CVE-2024-2012 targets

9.1 Critical

vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that if exploited an attacker could use to allow unintended commands or code …

Published: 11/06/2024
Modified: 11/06/2024

Received

← Previous

Page / 7

25–36 of 78

T1021 subtechnique-of

Remote Services MITRE

Campaign (1)

Leviathan Australian Intrusions uses

Course Of Action (1)

Disable or Remove Feature or Program mitigates

Tool (1)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use