Clankerusecase
MITRE ATT&CK detection coverage

T1021.004 SSH

T1021.004 — SSH is a MITRE ATT&CK technique in the Lateral Movement tactic. Clankerusecase tracks 13 detection use cases covering it and 4 threat-intel articles citing it.

Lateral Movement
13 use cases · 4 articles · 0 sub-techniques · 1 tactic

Use cases covering this technique (13)

- Cisco IOS XE Remote Access Probe Burst (ESCU; actions · hunting)
- ESXi SSH Enabled (ESCU; actions · alerting)
- Linux SSH Remote Services Script Execute (ESCU; actions · alerting)
- Windows Protocol Tunneling with Plink (ESCU; actions · alerting)
- Windows PuTTY Suite Utility Execution (ESCU; actions · hunting)
- Cisco Privileged Account Creation with HTTP Command Execution (ESCU; actions · alerting)
- Cisco Privileged Account Creation with Suspicious SSH Activity (ESCU; actions · alerting)
- Cisco Secure Firewall - SSH Connection to Non-Standard Port (ESCU; actions · hunting)
- Cisco Secure Firewall - SSH Connection to sshd_operns (ESCU; actions · hunting)
- [LLM] Velvet Ant air-gap bridge — fcgiwrap/uptime spawning SSH from HTTP-driven FastCGI (Bespoke; actions · alerting)
- [LLM] Internet-facing web service spawning interactive SSH into management subnet (Bespoke; delivery · alerting)
- [LLM] PeopleSoft lateral-movement script — *_fanout.sh execution and zstd compression chain (Bespoke; actions · hunting)
- [LLM] AGENTPSD-style Python reverse shell spawned by sshd on Linux / NAS (Bespoke; install · hunting)

Articles citing this technique (4)