T1021.004 SSH Mappings

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.(Citation: SSH Secure Shell)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1021.004 SSH
AC-2 Account Management Protects T1021.004 SSH
AC-20 Use of External Systems Protects T1021.004 SSH
AC-3 Access Enforcement Protects T1021.004 SSH
AC-5 Separation of Duties Protects T1021.004 SSH
AC-6 Least Privilege Protects T1021.004 SSH
AC-7 Unsuccessful Logon Attempts Protects T1021.004 SSH
CM-2 Baseline Configuration Protects T1021.004 SSH
CM-5 Access Restrictions for Change Protects T1021.004 SSH
CM-6 Configuration Settings Protects T1021.004 SSH
CM-8 System Component Inventory Protects T1021.004 SSH
IA-2 Identification and Authentication (organizational Users) Protects T1021.004 SSH
IA-5 Authenticator Management Protects T1021.004 SSH
RA-5 Vulnerability Monitoring and Scanning Protects T1021.004 SSH
SI-4 System Monitoring Protects T1021.004 SSH
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration technique_scores T1021.004 SSH
network_security_groups Network Security Groups technique_scores T1021.004 SSH
azure_sentinel Azure Sentinel technique_scores T1021.004 SSH
azure_policy Azure Policy technique_scores T1021.004 SSH
azure_network_traffic_analytics Azure Network Traffic Analytics technique_scores T1021.004 SSH
docker_host_hardening Docker Host Hardening technique_scores T1021.004 SSH