T1021.004
SSH
Description
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In the keypair scenario, the user's public key must be in a special file on the computer running the server that lists which keypairs are allowed to log in as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).
Platforms
Mitigations
- M1042 — Disable or Remove Feature or Program
- M1032 — Multi-factor Authentication
- M1018 — User Account Management
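The description above notes that a successful SSH login with valid credentials looks like any other login, so detection has to compare accepted logins against local policy. The script below is an added illustration (not MITRE's code or data): it parses constructed OpenSSH `Accepted ...` syslog lines and flags logins that contradict the listed mitigations, namely password authentication where key-only or MFA-backed auth is expected (M1032), accounts outside the managed set and direct root logins (M1018), and sources outside the administrative networks. The log lines, the user set and the `10.0.0.0/8` network are hypothetical.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of OpenSSH auth log lines (syslog format); these are
# illustrative lines, not data from the page. Addresses use documentation ranges.
SAMPLE_LOG = """\
Mar 12 03:14:07 host1 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: RSA SHA256:Qk9HVVNfRklOR0VSUFJJTlQ
Mar 12 03:15:10 host1 sshd[2215]: Accepted password for root from 203.0.113.9 port 40110 ssh2
Mar 12 03:16:00 host1 sshd[2219]: Failed password for admin from 203.0.113.9 port 40112 ssh2
Mar 12 03:17:42 host1 sshd[2230]: Accepted publickey for backup from 198.51.100.7 port 22 ssh2: ED25519 SHA256:RkFLRV9LRVk
"""

# Matches only successful logins; "Failed ..." lines are deliberately ignored
# because this technique is about valid credentials that succeed.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_accepted(log_text):
    """Return one dict (method, user, src, port) per successful SSH login."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def _in_networks(src, networks):
    """True if src is an IP address inside one of the allowed CIDR networks."""
    try:
        addr = ip_address(src)
    except ValueError:  # hostname or malformed field: treat as unknown origin
        return False
    return any(addr in ip_network(n) for n in networks)


def flag_logins(events, expected_users, allowed_networks, allow_password=False):
    """Return [(event, [reasons])] for logins that violate the local policy.

    The checks mirror the mitigations listed for the technique: password
    logins (which key-only or MFA-backed auth should have eliminated),
    accounts outside the managed set, direct root logins, and sources
    outside the administrative networks.
    """
    flagged = []
    for ev in events:
        reasons = []
        if ev["method"] == "password" and not allow_password:
            reasons.append("password authentication")
        if ev["user"] == "root":
            reasons.append("direct root login")
        if ev["user"] not in expected_users:
            reasons.append("unexpected account")
        if not _in_networks(ev["src"], allowed_networks):
            reasons.append("source outside allowed networks")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    # Assumed local policy: these users and this network are hypothetical.
    policy_users = {"deploy", "backup"}
    policy_networks = ["10.0.0.0/8"]
    for ev, reasons in flag_logins(parse_accepted(SAMPLE_LOG), policy_users, policy_networks):
        print(f"{ev['user']}@{ev['src']} via {ev['method']}: {', '.join(reasons)}")
```

On the sample input the `deploy` login from inside the allowed network passes, the `root` password login from an external address collects all four reasons, and the `backup` key login is flagged only for its source address. In practice the expected-user and network policy would come from the account-management inventory rather than literals, and the parser would be pointed at the real auth log (or the ESXi host's SSH log after the host has been confirmed to have SSH enabled deliberately).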
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →