Source: Microsoft Security Blog
Author: Microsoft Defender Security Research Team
URL: https://www.microsoft.com/en-us/security/blog/2026/04/17/domain-compromise-predictive-shielding-shut-down-lateral-movement/
ONE SENTENCE SUMMARY:
Microsoft Defender predictive shielding preemptively contains likely-exposed privileged identities, disrupting credential-based Active Directory attacks and limiting lateral movement before abuse.
MAIN POINTS:
- Domain-admin compromise enables ACL changes, ticket minting, secret replication, and GPO abuse.
- Speed of credential reuse often outpaces responders’ ability to scope and remediate.
- Identity infrastructure cannot be simply shut down without major business disruption.
- Predictive shielding acts on credential exposure signals, not just observed malicious use.
- Defender evaluates which privileged identities were likely exposed on compromised devices.
- Just-in-time restrictions block sign-ins and pivots, reducing lateral movement paths.
- Attack began via IIS file-upload vulnerability and web shell deployment.
- BadPotato-style token impersonation escalated privileges to NT AUTHORITY\SYSTEM.
- NTDS snapshot/packaging enabled offline directory credential materialization at scale.
- Mid-campaign activation contained high-tier admins pre-abuse, exhausting attacker momentum.
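The exposure-based logic in the points above (evaluate which privileged identities left reusable credential material on a compromised device, then block those identities before they are replayed) can be modelled in a few functions. The following is an added illustration and is not Microsoft's code or a description of Defender's actual implementation; the session data is constructed, and the assumption that interactive, remote-interactive, service and cached logons leave reusable credentials on the host while network logons do not is a standard simplification, not something the summary states.

```python
"""Toy model of exposure-based containment for likely-exposed privileged identities.

Added example, not from the original post. All data below is constructed.
"""

# Constructed sample data: (identity, device, logon_type). Logon type names follow
# the Windows 4624 event vocabulary; the mapping to "credential left on host" is
# an assumption of this example.
SESSIONS = [
    ("corp\\jdoe", "WEB01", "Network"),              # network logon, no reusable secret
    ("corp\\svc-iis", "WEB01", "Service"),           # service account runs the web tier
    ("corp\\da-admin", "WEB01", "Interactive"),      # tier-0 admin logged on to the web server
    ("corp\\helpdesk1", "WEB01", "RemoteInteractive"),
    ("corp\\da-admin", "DC01", "Interactive"),
    ("corp\\helpdesk1", "WS07", "Interactive"),
    ("corp\\jdoe", "WS07", "Interactive"),
]

# Constructed privilege tiers for the identities above.
PRIVILEGED = {"corp\\da-admin": "Tier0", "corp\\helpdesk1": "Tier1"}

# Logon types assumed to leave reusable credential material (tickets, hashes) on the host.
EXPOSING_LOGON_TYPES = {
    "Interactive", "RemoteInteractive", "Service", "Batch", "Unlock", "CachedInteractive",
}


def exposed_identities(sessions, compromised_devices):
    """Identities whose credentials were likely exposed on a compromised device."""
    exposed = set()
    for ident, dev, ltype in sessions:
        if dev in compromised_devices and ltype in EXPOSING_LOGON_TYPES:
            exposed.add(ident)
    return exposed


def shield(sessions, privileged, compromised_devices):
    """Containment actions for likely-exposed privileged identities.

    Acts on exposure, not on observed abuse: every privileged identity that had
    an exposing session on a compromised host gets its sign-ins blocked and its
    existing sessions revoked, before any credential replay is seen.
    """
    exposed = exposed_identities(sessions, compromised_devices)
    actions = {}
    for ident in sorted(exposed):
        if ident in privileged:
            actions[ident] = {
                "tier": privileged[ident],
                "block_signin": True,
                "revoke_sessions": True,
            }
    return actions


def lateral_paths(sessions, compromised_devices, blocked_identities):
    """Devices reachable from the compromised hosts via still-usable exposed identities.

    Simplification: an identity with any session on a device is assumed to have
    logon rights there.
    """
    usable = exposed_identities(sessions, compromised_devices) - set(blocked_identities)
    reachable = set()
    for ident, dev, _ in sessions:
        if ident in usable and dev not in compromised_devices:
            reachable.add(dev)
    return reachable


if __name__ == "__main__":
    compromised = {"WEB01"}  # the web server hosting the web shell
    actions = shield(SESSIONS, PRIVILEGED, compromised)
    print("containment actions:", actions)
    print("pivot targets before shielding:", lateral_paths(SESSIONS, compromised, set()))
    print("pivot targets after shielding:", lateral_paths(SESSIONS, compromised, actions))
```

Run against the constructed data, the web server compromise exposes the service account and both privileged identities; blocking the two privileged identities removes the pivot to the domain controller and the workstation, leaving the attacker only the unprivileged service account on the host already held.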
TAKEAWAYS:
- Host-scoped containment early can prevent escalation into identity infrastructure.
- Exposure-based controls close the “speed gap” between theft and credential replay.
- Protecting domain controllers and privileged identities is decisive after credential materialization.
- Automated session revocation plus sign-in blocking forces adversaries into weaker pivot paths.
- Persistent shifts in attacker tradecraft are a signal that containment is working, so the blast radius must be tracked continually.