Volatile Cedar

Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.[1][2]

ID: G0123
Associated Groups: Lebanese Cedar
Version: 1.1
Created: 08 February 2021
Last Modified: 20 April 2022

Associated Group Descriptions

Name Description
Lebanese Cedar


Techniques Used

Domain ID Name Use
Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Volatile Cedar has performed vulnerability scans of the target server.[1][2]

.003 Active Scanning: Wordlist Scanning

Volatile Cedar has used DirBuster and GoBuster to brute force web directories and DNS subdomains.[2]

Enterprise T1190 Exploit Public-Facing Application

Volatile Cedar has targeted publicly facing web servers, with both automatic and manual vulnerability discovery.[1] [2]

Enterprise T1105 Ingress Tool Transfer

Volatile Cedar can deploy additional tools.[2]

Enterprise T1505 .003 Server Software Component: Web Shell

Volatile Cedar can inject web shell code into a server.[1][2]


ID Name References Techniques
S0572 Caterpillar WebShell [2][1] Brute Force, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Modify Registry, Network Service Discovery, Permission Groups Discovery: Local Groups, Process Discovery, Rootkit, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery
S0569 Explosive [1][2] Application Layer Protocol: Web Protocols, Clipboard Data, Data from Removable Media, Encrypted Channel: Symmetric Cryptography, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery