Description
Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via vim-cmd hostsvc/enable_ssh) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to log in as that user (i.e., SSH Authorized Keys).
Mitigations (3)
Disable or Remove Feature or Program (M1042)
Disable the SSH daemon on systems that do not require it, especially ESXi servers. For macOS, ensure Remote Login is disabled under Sharing Preferences.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)
Multi-factor Authentication (M1032)
Require multi-factor authentication for SSH connections wherever possible, such as password-protected SSH keys.
User Account Management (M1018)
Limit which user accounts are allowed to log in via SSH.
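As an added example that is not part of the ATT&CK page, the following Python script turns the User Account Management mitigation and the usual log-based detection for this technique into a check over sshd "Accepted" log lines: it flags logins by accounts outside an allowlist (the AllowUsers-style policy above), flags password logins where key-only access is expected, and flags one source address fanning out to several hosts in a short window, the lateral-movement pattern described here. The log lines, hostnames, accounts, addresses and key fingerprint are constructed for the example; the log year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format, as if aggregated from three hosts into one
# SIEM feed. Hostnames, accounts, addresses and the key fingerprint are made up.
SAMPLE_LOGS = """\
Mar 14 02:11:03 web01 sshd[4412]: Accepted publickey for deploy from 10.0.1.20 port 50122 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar 14 02:12:45 web01 sshd[4470]: Accepted password for svc_backup from 10.0.1.77 port 50130 ssh2
Mar 14 02:13:10 db01 sshd[2210]: Accepted password for svc_backup from 10.0.1.77 port 50131 ssh2
Mar 14 02:13:52 esxi01 sshd[911]: Accepted password for root from 10.0.1.77 port 50135 ssh2
Mar 14 02:20:00 web01 sshd[4490]: Failed password for admin from 10.0.1.77 port 50140 ssh2
"""

# Only successful logins matter for this technique; "Failed" lines are a different signal.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
ALLOWED_USERS = {"deploy"}   # accounts permitted SSH access (mirrors an AllowUsers policy); constructed
FAN_OUT_WINDOW_S = 300       # one source address reaching 2+ hosts within this window
LOG_YEAR = 2025              # syslog timestamps carry no year; assumed for the sample

def parse_accepted(text):
    """Return successful-login events (ts, host, method, user, src) in log order."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({**m.groupdict(), "ts": ts})
    return events

def find_alerts(text, allowed=ALLOWED_USERS, window_s=FAN_OUT_WINDOW_S):
    """Flag allowlist violations, password logins, and per-source fan-out across hosts."""
    alerts, by_src = [], defaultdict(list)
    for ev in parse_accepted(text):
        if ev["user"] not in allowed:
            alerts.append(("user_not_allowlisted", ev["host"], ev["user"], ev["src"]))
        if ev["method"] == "password":   # key-only policy expected; a password login stands out
            alerts.append(("password_auth", ev["host"], ev["user"], ev["src"]))
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):   # sliding window anchored at each login event
            hosts = {e["host"] for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(hosts) >= 2:
                alerts.append(("lateral_fan_out", src, tuple(sorted(hosts))))
                break
    return alerts
```

On the sample feed the script reports three allowlist violations, three password logins and one fan-out from 10.0.1.77 across web01, db01 and esxi01; the deploy key login from 10.0.1.20 produces nothing.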
Threat Groups (19)
| ID | Group | Context |
|---|---|---|
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used SSH to move laterally through victim environments.(Citation: CrowdStrike Carbon Spider August 2... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised net... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) used ssh for internal reconnaissance.(Citation: FireEye APT40 March 2019) |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has used SSH to move laterally in victim environments and to access the vSphere vCenter Serv... |
| G0098 | BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has used Putty for remote access.(Citation: Symantec Palmerworm Sep 2020) |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) used SSH with captured user credentials to move laterally in victim environments.(Citation: Cro... |
| G0036 | GCMAN | [GCMAN](https://attack.mitre.org/groups/G0036) uses Putty for lateral movement.(Citation: Securelist GCMAN) |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used the PuTTY and Plink tools for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used SSH to connect back to victim machines.(Citation: Intezer TeamTNT September 2020) [TeamTNT](... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has used OpenSSH to establish an SSH tunnel to victims for persistent access.(Citation: Microsoft ... |
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has modified the loopback address on compromised switches and used them as the source of SSH con... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used Putty to access compromised systems.(Citation: Unit42 OilRig Playbook 2023) |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has used SSH for lateral movement in compromised environments including for enabling access to ESXi host... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has established remote SSH access to targeted ESXi hosts.(Citation: Google Cloud Threat Intelligence ... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has remotely accessed compromised environments via secure shell (SSH) for lateral movement.(Citation: M... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used Putty Secure Copy Client (PSCP) to transfer data.(Citation: PWC Cloud Hopper April 2017) |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used SSH for lateral movement.(Citation: Mandiant_UNC2165) |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has spread its coinminer via SSH.(Citation: Anomali Rocke March 2019) |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) used secure shell (SSH) to move laterally among their targets.(Citation: FireEye APT39 Jan 2019) |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) contains modules for executing commands over SSH as well as in-memory VNC agent injection.(Citation:... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can SSH to a remote service.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike M... |
| S1187 | reGeorg | Malware | [reGeorg](https://attack.mitre.org/software/S1187) can communicate using SSH through an HTTP tunnel.(Citation: Fortinet reGeorg MAR 2019) |
| S0599 | Kinsing | Malware | [Kinsing](https://attack.mitre.org/software/S0599) has used SSH for lateral movement.(Citation: Aqua Kinsing April 2020) |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can enable SSH access on ESXi hosts.(Citation: Cisco Talos Qilin Ransomware OCT 2025) |
References
- Abigail See, Zhongyuan (Aaron) Hau, Ren Jie Yow, Yoav Mazor, Omer Kidron, and Oren Biderman. (2025, February 4). The Anatomy of Abyss Locker Ransomware Attack. Retrieved April 4, 2025.
- Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant. Retrieved March 26, 2025.
- Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
- Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.
Frequently Asked Questions
What is T1021.004 (SSH)?
T1021.004 is a MITRE ATT&CK technique named 'SSH'. It belongs to the Lateral Movement tactic. Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH...
How can T1021.004 be detected?
Detection of T1021.004 (SSH) typically involves monitoring system authentication logs for SSH logins, network traffic to SSH services, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique, such as SSH logins by unexpected accounts or from unexpected source hosts.
What mitigations exist for T1021.004?
There are 3 documented mitigations for T1021.004. Key mitigations include: Disable or Remove Feature or Program, Multi-factor Authentication, User Account Management.
Which threat groups use T1021.004?
Known threat groups using T1021.004 include: FIN7, Lazarus Group, Leviathan, Scattered Spider, BlackTech, Aquatic Panda, GCMAN, Fox Kitten.