MITRE ATT&CK Technique
Description
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although it is typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs, either instead of or in addition to a password. In the keypair scenario, the user’s public key must be listed in a special file on the computer running the server that determines which keypairs are allowed to log in as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).
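The description above covers how sshd accepts password or key logins. As an added example that is not part of the ATT&CK page, the following Python parses successful `Accepted` events from constructed OpenSSH syslog lines (the sample log, host names, addresses and the `BASELINE` set are all made up for illustration) and flags what a defender would review for this sub-technique: root password logins, user/source pairs outside a known-good baseline, and one source fanning out to several hosts.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH sshd syslog lines (not from any real host).
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2101]: Accepted publickey for deploy from 10.0.1.20 port 50122 ssh2: ED25519 SHA256:k1
Mar  3 09:12:40 web01 sshd[2102]: Accepted password for root from 203.0.113.9 port 40011 ssh2
Mar  3 09:13:05 db01 sshd[3310]: Accepted publickey for deploy from 10.0.1.20 port 50130 ssh2: ED25519 SHA256:k1
Mar  3 09:13:30 db01 sshd[3311]: Accepted publickey for deploy from 10.0.2.5 port 41000 ssh2: ED25519 SHA256:k9
Mar  3 09:14:00 db01 sshd[3312]: Failed password for admin from 203.0.113.9 port 40020 ssh2
Mar  3 09:15:10 app02 sshd[4120]: Accepted publickey for deploy from 10.0.2.5 port 41017 ssh2: ED25519 SHA256:k9
"""

# Constructed baseline of (user, source) pairs that are expected, e.g. a CI runner.
BASELINE = {("deploy", "10.0.1.20")}

# Matches only successful logins; "Failed" and "Invalid user" lines are skipped.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_accepted(log_text):
    """Return one dict (ts, host, method, user, src) per successful sshd login."""
    return [m.groupdict() for m in map(ACCEPTED_RE.match, log_text.splitlines()) if m]

def find_suspicious_logins(log_text, baseline=BASELINE):
    """Flag root password logins and (user, source) pairs outside the baseline."""
    findings = []
    for ev in parse_accepted(log_text):
        if ev["method"] == "password" and ev["user"] == "root":
            findings.append((ev["host"], ev["user"], ev["src"], "root password login"))
        elif (ev["user"], ev["src"]) not in baseline:
            findings.append((ev["host"], ev["user"], ev["src"], "unbaselined user/source"))
    return findings

def fan_out(log_text, threshold=2):
    """Sources that logged into at least `threshold` distinct hosts (lateral spread)."""
    hosts_by_src = defaultdict(set)
    for ev in parse_accepted(log_text):
        hosts_by_src[ev["src"]].add(ev["host"])
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= threshold}

if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print("ALERT", *finding)
    for src, hosts in fan_out(SAMPLE_LOG).items():
        print("FAN-OUT", src, "->", ", ".join(hosts))
```

On a real fleet the baseline would come from inventory or a learning window, and fan-out is most useful when correlated across hosts in a SIEM rather than on one host's log.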
Supported Platforms
ESXi, Linux, macOS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
```json
{
  "created": "2020-02-11T18:27:15.774Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).",
  "external_references": [
    {
      "external_id": "T1021.004",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T1021/004"
    },
    {
      "description": "Abigail See, Zhongyuan (Aaron) Hau, Ren Jie Yow, Yoav Mazor, Omer Kidron, and Oren Biderman. (2025, February 4). The Anatomy of Abyss Locker Ransomware Attack. Retrieved April 4, 2025.",
      "source_name": "Sygnia Abyss Locker 2025",
      "url": "https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/"
    },
    {
      "description": "Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant. Retrieved March 26, 2025.",
      "source_name": "TrendMicro ESXI Ransomware",
      "url": "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html"
    },
    {
      "description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.",
      "source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing",
      "url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
    },
    {
      "description": "Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.",
      "source_name": "Sygnia ESXi Ransomware 2025",
      "url": "https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/"
    }
  ],
  "id": "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "lateral-movement"
    }
  ],
  "modified": "2025-10-24T17:48:34.985Z",
  "name": "SSH",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "attack-pattern",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Janantha Marasinghe"],
  "x_mitre_deprecated": false,
  "x_mitre_detection": "",
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_is_subtechnique": true,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": ["ESXi", "Linux", "macOS"],
  "x_mitre_version": "1.3"
}
```