title: SSH (T1021.004)
id: df00tech-t1021-004
status: experimental
description: "Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). SSH allows authorized users to open remote shells on Linux, macOS, and ESXi systems. Adversaries leverage existing SSH keys or stolen passwords to pivot between systems. Notable actors using SSH for lateral movement include FIN7, Lazarus Group, Leviathan, Scattered Spider, BlackTech, and APT groups targeting cloud and ESXi environments. SSH lateral movement may also involve agent forwarding abuse, key theft, adding attacker-controlled public keys to authorized_keys files, or chaining through multiple hosts to obscure the original source."
references:
  - https://attack.mitre.org/techniques/T1021/004/
  - https://df00tech.com/detections/T1021.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1021.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - System administrators using SSH tunnels for legitimate remote administration and database connectivity
  - "Automated deployment tools (Ansible, Fabric, Capistrano) using SSH with key-based auth and StrictHostKeyChecking=no in provisioning scripts"
  - "CI/CD pipelines (Jenkins, GitLab) using SSH for deployment to multiple servers"
  - Bastion host or jump server configurations that establish SSH connections to internal hosts on behalf of users
  - "Developers using SSH port forwarding for local development against remote services (database tunnels, etc.)"
level: high