T1021.004: T1021.004

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 19:27 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1021.004
Confidence: 100/100
Revoked: No
Published: 11/02/2020 19:27
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

SSH

Platforms

macos linux ESXi

Description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).

Kill chain phases

Kill chain	Phase
mitre-attack	lateral-movement

Marking (TLP)

External references

TrendMicro ESXI Ransomware
mitre-attack (T1021.004)
Sygnia Abyss Locker 2025
Sygnia ESXi Ransomware 2025
Apple Unified Log Analysis Remote Login and Screen Sharing

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (53)

Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Jumpy Pisces uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6148 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INJ3CTOR3 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
IronErn440 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kraken uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-9244 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Black Basta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8616 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
akira uses GOLD SAHARAPUNK SPIDER

The MITRE Corporation Confidence 100

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 53

UPDTAE uses

Family
zylogin uses

Family
RushDrop uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Monster uses

Family
BUSYBOX uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
EarthWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
XWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PowerShort uses

Family
ReverseSocks5 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
httd uses

Family
Powertrash uses

Family
Dota uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 73

Security Incident Response Team related

1 CVE 13 MITREs 6 Observables
Investigating Iranian Intrusion into Strategic Middle East Critical … related

9 MITREs 35 Observables 1 APT
TookPS distributed under the guise of UltraViewer, AutoCAD, … related

8 MITREs 3 Malwares 17 Observables
Infostealer Campaign against ISPs related

18 MITREs 5 Malwares
Sandworm APT Targets Ukrainian Users with Trojanized Microsoft … related

20 MITREs 4 Malwares 35 Observables 1 APT
Further insights into Ivanti CSA 4.6 vulnerabilities exploitation related

9 CVEs 9 MITREs 2 Malwares 19 Observables
Chinese Hackers Attacking Linux Devices With New SSH … related

12 MITREs 3 Observables 1 APT
Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and … related

1 CVE 10 MITREs 2 Malwares 12 Observables
More SSH Fun! related

6 MITREs 2 Observables
BellaCPP: Discovering a new BellaCiao variant written in … related

9 MITREs 2 Malwares 2 Observables 1 APT
Cyberattack: UAC-0125 using the theme "Army+" (CERT-UA#12559) related

7 MITREs 6 Observables 1 APT
cShell DDoS Bot Attack Case Targeting Linux SSH … related

12 MITREs 2 Malwares 1 Observable

← Previous

Page / 5

37–48 of 50

Vulnerabilities (CVE) (78)

CVE-2026-20245 KEV targets

7.8 High

A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary …

Attack vector: LOCAL
Complexity: LOW
Published: 05/06/2026
Modified: 25/06/2026

CWE-116 Awaiting Analysis

CVE-2024-8190 KEV targets

7.2 High

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to …

Attack vector: Network
Published: 13/09/2024
Modified: 21/12/2025

Analyzed

CVE-2025-9501 targets

9.0 Critical

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute …

Attack vector: NETWORK
Published: 17/11/2025
Modified: 08/05/2026

Awaiting Analysis

CVE-2020-14883 KEV targets

Oracle WebLogic Server contains an unspecified vulnerability in the Console component with high impacts to confidentilaity, integrity, and availability.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-29927 targets

9.1 Critical

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and …

Attack vector: NETWORK
Published: 21/03/2025
Modified: 21/12/2025

Received

CVE-2026-0300 KEV targets

9.3 Critical

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated …

Attack vector: Network
Complexity: Low
Published: 06/05/2026
Modified: 15/05/2026

CWE-787 Received

CVE-2026-20133 KEV targets

7.5 High

A vulnerability in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This …

Attack vector: Network
Complexity: Low
Published: 25/02/2026
Modified: 15/05/2026

CWE-200 Received

CVE-2025-33073 KEV targets

8.8 High

Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …

Attack vector: Network
Published: 20/10/2025
Modified: 27/05/2026

Received

CVE-2024-50050 targets

6.3 Medium

Llama Stack prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 used pickle as a serialization format for socket communication, potentially allowing for remote code execution. Socket …

Attack vector: NETWORK
Published: 23/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2026-31431 KEV targets

7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0001 (P0.6%)
Published: 22/04/2026
Modified: 23/05/2026

CWE-669 Awaiting Analysis

CVE-2026-1281 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Published: 29/01/2026
Modified: 27/03/2026

Analyzed

CVE-2022-22965

targets

← Previous

Page / 7

49–60 of 78

T1021 subtechnique-of

Remote Services MITRE

Campaign (1)

Leviathan Australian Intrusions uses

Course Of Action (1)

Disable or Remove Feature or Program mitigates

Tool (1)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use