This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.
Summary
- Associated actor(s): Lebanese Cedar
- Tool type(s): Web Shell
- Confidence level(s): Medium
- Source ID(s):
SRC-CLEARSKY-LEBANESE-CEDAR
Behavior
| Actor | Behavior Summary |
|---|
| Lebanese Cedar | Modified JSP file browser/webshell used by Lebanese Cedar for persistence on public-facing servers. |
Hash And IOC Status
| Actor | Status | Reference |
|---|
| Lebanese Cedar | Hash not committed; use ClearSky report references. | SRC-CLEARSKY-LEBANESE-CEDAR |
Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.
Defensive Hunting Notes
| Actor | Hunting Notes |
|---|
| Lebanese Cedar | Hunt modified JSP files, unexpected upload paths, and web server process spawning shells. |
Handling Notes
| Actor | Handling Notes |
|---|
| Lebanese Cedar | Use behavior and webroot integrity monitoring. |
Crosslinks
Mapped ATT&CK Techniques For Associated Actor(s)
| Actor | Technique | Tactic | Mapping Quality | Source |
|---|
| Lebanese Cedar | T1190 Exploit Public-Facing Application | Initial Access | M2 | SRC-CLEARSKY-LEBANESE-CEDAR |
| Lebanese Cedar | T1505.003 Web Shell | Persistence | M2 | SRC-CLEARSKY-LEBANESE-CEDAR |
These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.
These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.
Source Review
If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.