S0572: Caterpillar WebShell
Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.[1]
Analyst context for executives and security teams
Caterpillar WebShell matters because ATT&CK identifies it as a self-developed web shell associated with Volatile Cedar and linked to behaviors that can turn a compromised Windows web server into a staging point for discovery, command execution, tool transfer, data collection, and exfiltration. For leaders, the practical issue is not the malware name alone; it is whether internet-facing Windows systems have enough logging, hardening, and response readiness to prove what commands ran, what data was accessed, and whether follow-on activity occurred.
Executive priority
Prioritize this as a web-server compromise and post-compromise visibility problem. Security leaders should ask whether Windows web servers are covered by endpoint telemetry, web server logs, command-line logging, registry monitoring, outbound network monitoring, and incident response playbooks. The business decision value is in reducing dwell time and preserving evidence for containment, legal, audit, and customer-impact decisions if a web shell is found.
Technical view
ATT&CK lists Caterpillar WebShell as Windows malware with relationships to execution via Windows Command Shell, extensive discovery, registry modification, tool transfer, brute force, local data collection, and exfiltration over an existing C2 channel. SOC and IR teams should validate whether they can correlate web-facing process activity with child command-shell execution, discovery commands, registry changes, new or transferred files, suspicious outbound connections, and data access from local file systems. Because ATT&CK provides no official detection text for this object, detections should be built from the related techniques rather than from a single malware-specific analytic.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Web server access/error logs and application logs from Windows-hosted services
- File creation, file modification, and directory enumeration evidence on web roots and sensitive local paths
- Windows Registry modification telemetry
- Network connection, DNS, proxy, and firewall logs for outbound C2-like or exfiltration activity
Detection direction
- Validate alerts for web server worker processes spawning cmd.exe or other administrative utilities, with tuning for legitimate administration and maintenance activity.
- Correlate discovery behaviors across related techniques: service, process, network configuration, user, group, system information, and file/directory discovery.
- Monitor for registry modifications on Windows servers, especially when temporally linked to web process activity or unexpected command execution.
- Look for ingress tool transfer and suspicious new files on compromised hosts; prioritize events where files appear shortly after unusual web requests or command-shell activity.
- Review outbound network sessions from web servers for unusual destinations, protocols, volumes, or timing that could support exfiltration over a C2 channel.
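The following Python sketch is an added example of the correlation described above; it is not part of the mirrored ATT&CK object or Glexia's analysis. It anchors on an IIS worker process (w3wp.exe) spawning a command shell, then attributes discovery and registry tools launched on the same host within a short window to that anchor, mapping each to the technique IDs from this page's table. The event records are constructed Sysmon-style JSON lines; the worker-process and tool names, the ten-minute window, and the severity threshold are assumptions to tune per environment.

```python
import json
import ntpath
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (JSON lines); not real telemetry.
SAMPLE_LOG = r"""
{"time": "2024-05-01T10:00:00", "host": "WEB01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"}
{"time": "2024-05-01T10:00:01", "host": "WEB01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"}
{"time": "2024-05-01T10:00:05", "host": "WEB01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist"}
{"time": "2024-05-01T10:00:09", "host": "WEB01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net localgroup administrators"}
{"time": "2024-05-01T10:02:00", "host": "WEB01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\reg.exe", "cmdline": "reg add HKLM\\SOFTWARE\\PLACEHOLDER /v x /d y"}
{"time": "2024-05-01T10:01:00", "host": "WS07", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"time": "2024-05-01T10:01:04", "host": "WS07", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig"}
{"time": "2024-05-01T11:30:00", "host": "WEB01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"time": "2024-05-01T11:30:01", "host": "WEB01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami"}
"""

WEB_WORKERS = {"w3wp.exe"}                 # IIS worker process (assumed); extend for other web hosts
SHELLS = {"cmd.exe", "powershell.exe"}
FOLLOW_ON = {"ipconfig.exe": "T1016", "tasklist.exe": "T1057", "sc.exe": "T1007", "whoami.exe": "T1033",
             "net.exe": "T1069.001", "systeminfo.exe": "T1082", "reg.exe": "T1112"}  # IDs from the technique table

def parse_events(log_text):
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        # ntpath handles Windows paths even when this runs on a non-Windows analysis box
        e["parent_name"], e["image_name"] = (ntpath.basename(e[k]).lower() for k in ("parent", "image"))
        events.append(e)
    return sorted(events, key=lambda e: e["time"])

def web_shell_findings(events, window=timedelta(minutes=10)):
    """Anchor on a web worker spawning a shell, then attribute discovery and
    registry tools on the same host within the window to that anchor."""
    findings = []
    for a in events:
        if a["parent_name"] not in WEB_WORKERS or a["image_name"] not in SHELLS:
            continue  # interactive shells on workstations (explorer.exe parent) are not anchors
        seen = {FOLLOW_ON.get(e["image_name"]) for e in events
                if e["host"] == a["host"] and a["time"] <= e["time"] <= a["time"] + window
                and e["parent_name"] in SHELLS | WEB_WORKERS}
        seen.discard(None)
        findings.append({"host": a["host"], "time": a["time"].isoformat(),
                         "techniques": sorted(seen),
                         "severity": "high" if len(seen) >= 2 else "review"})  # threshold: tune for admin use
    return findings

def run_sample():
    return web_shell_findings(parse_events(SAMPLE_LOG))
```

On the constructed sample, the 10:00 anchor on WEB01 yields a high-severity finding covering T1016, T1057, T1069.001 and T1112, the 11:30 anchor yields a single-technique finding marked for review, and the workstation shell on WS07 produces nothing.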
Mitigation priorities
- Harden and continuously monitor internet-facing Windows web servers, with emphasis on least privilege for service accounts and reducing unnecessary local privileges.
- Ensure endpoint detection and centralized logging are deployed on web servers, not only user workstations.
- Segment web servers from sensitive internal systems and restrict outbound connectivity to business-required destinations.
- Maintain strong authentication controls and monitoring for brute force behavior where applicable.
- Prepare IR procedures for suspected web shell activity, including evidence preservation, host isolation, credential review, and scoping for discovery, tool transfer, and exfiltration behaviors.
Analyst notes and limits
ATT&CK associates Caterpillar WebShell with Volatile Cedar and lists multiple technique relationships, including Windows Command Shell, Modify Registry, Brute Force, Ingress Tool Transfer, discovery techniques, Data from Local System, and Exfiltration Over C2 Channel. This take frames defensive priorities around those relationships and the Windows platform listed for the malware.
The supplied ATT&CK object has no official detection guidance, no aliases, and no explicit tactics listed for the malware itself. Local validation is required to determine whether affected systems are Windows web servers, what logging exists, and which behaviors are normal for each environment.
Caterpillar WebShell
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | Caterpillar WebShell can gather a list of processes running on the machine. [1] |
| Enterprise | T1005 | Data from Local System | Caterpillar WebShell has a module to collect information from the local database. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Caterpillar WebShell can gather the IP address from the victim's machine using the IP config command. [1] |
| Enterprise | T1083 | File and Directory Discovery | Caterpillar WebShell can search for files in directories. [1] |
| Enterprise | T1110 | Brute Force | Caterpillar WebShell has a module to perform brute force attacks on a system. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Caterpillar WebShell can run commands on the compromised asset with CMD functions. [1] |
| Enterprise | T1007 | System Service Discovery | Caterpillar WebShell can obtain a list of the services from a system. [1] |
| Enterprise | T1112 | Modify Registry | Caterpillar WebShell has a command to modify a Registry key. [1] |
| Enterprise | T1069.001 | Local Groups (sub-technique) | Caterpillar WebShell can obtain a list of local groups of users from a system. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Caterpillar WebShell can upload files over the C2 channel. [1] |
| Enterprise | T1082 | System Information Discovery | Caterpillar WebShell has a module to gather information from the compromised asset, including the computer version, computer name, IIS version, and more. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Caterpillar WebShell can obtain a list of user accounts from a victim's machine. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Caterpillar WebShell has a module to download and upload files to the system. [1] |
| Enterprise | T1014 | Rootkit | Caterpillar WebShell has a module to use a rootkit on a system. [1] |
| Enterprise | T1046 | Network Service Discovery | Caterpillar WebShell has a module to use a port scanner on a system. [1] |
Groups, software, and campaigns
G0123: Volatile Cedar
Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 21fa5b13d0a0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ClearSky Lebanese Cedar Jan 2021: ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
[2] Caterpillar WebShell (Citation: ClearSky Lebanese Cedar Jan 2021)(Citation: CheckPoint Volatile Cedar March 2015)
[3] CheckPoint Volatile Cedar March 2015: Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
[4] mitre-attack S0572
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.