Intelligence-Led Threat Hunting: The Key to Fighting Cross-Domain Attacks
ID: 0441b9c9-5b1f-5c7b-bd18-03a56dbc4e45
STIX ID: report--0441b9c9-5b1f-5c7b-bd18-03a56dbc4e45
Feed Name: Crowdstrike Blog
This case study details a sophisticated, multi-stage intrusion: initial exploitation of a vulnerable Linux Tomcat server to obtain root, credential harvesting and lateral movement to Windows hosts, establishment of covert access (SSH keys/tunnels), and abuse of cloud control-plane mechanisms (SSM) to run commands against cloud instances, create persistent fallback resources, and exfiltrate sensitive data—activity detected and remediated through CrowdStrike OverWatch.
