- Tactics
- Lateral Movement
- Platforms
- ESXi, Linux, macOS
- Reference
- attack.mitre.org/techniques/T1021.004
Description
Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via vim-cmd hostsvc/enable_ssh) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., SSH Authorized Keys).
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Lateral Movement tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1021 — Remote Services
- T1072 — Software Deployment Tools
- T1080 — Taint Shared Content
- T1091 — Replication Through Removable Media
- T1210 — Exploitation of Remote Services
- T1534 — Internal Spearphishing
- T1550 — Use Alternate Authentication Material
- T1563 — Remote Service Session Hijacking
- T1570 — Lateral Tool Transfer