S0572 Caterpillar WebShell
Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.[1]
Item | Value |
---|---|
ID | S0572 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 10 February 2021 |
Last Modified | 27 April 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1110 | Brute Force | Caterpillar WebShell has a module to perform brute force attacks on a system.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Caterpillar WebShell can run commands on the compromised asset with CMD functions.[1] |
enterprise | T1005 | Data from Local System | Caterpillar WebShell has a module to collect information from the local database.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | Caterpillar WebShell can upload files over the C2 channel.[1] |
enterprise | T1083 | File and Directory Discovery | Caterpillar WebShell can search for files in directories.[1] |
enterprise | T1105 | Ingress Tool Transfer | Caterpillar WebShell has a module to download and upload files to the system.[1] |
enterprise | T1112 | Modify Registry | Caterpillar WebShell has a command to modify a Registry key.[1] |
enterprise | T1046 | Network Service Discovery | Caterpillar WebShell has a module to use a port scanner on a system.[1] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | Caterpillar WebShell can obtain a list of local groups of users from a system.[1] |
enterprise | T1057 | Process Discovery | Caterpillar WebShell can gather a list of processes running on the machine.[1] |
enterprise | T1014 | Rootkit | Caterpillar WebShell has a module to use a rootkit on a system.[1] |
enterprise | T1082 | System Information Discovery | Caterpillar WebShell has a module to gather information from the compromised asset, including the computer version, computer name, IIS version, and more.[1] |
enterprise | T1016 | System Network Configuration Discovery | Caterpillar WebShell can gather the IP address from the victim’s machine using the IP config command.[1] |
enterprise | T1033 | System Owner/User Discovery | Caterpillar WebShell can obtain a list of user accounts from a victim’s machine.[1] |
enterprise | T1007 | System Service Discovery | Caterpillar WebShell can obtain a list of the services from a system.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0123 | Volatile Cedar | [1][2] |