A sophisticated identity-based attack targeting a public sector organization in 2025 has revealed critical gaps in traditional incident response and how Microsoft’s predictive shielding capability is closing them before attackers can capitalize.
In one of the most detailed case studies of Active Directory (AD) domain compromise published to date, Microsoft’s security research team has documented a multi-month intrusion campaign that began with a web shell planted on an internet-facing IIS server and nearly ended with full enterprise-wide credential control.
The incident, which unfolded between June and July 2025, underscores why identity-based attack campaigns remain among the most operationally devastating threats facing organizations today and why reactive defenses are no longer sufficient.
Attack Unfolded
The threat actor obtained initial access via a file upload vulnerability on an internet-facing Internet Information Services (IIS) server, enabling them to deploy a web shell and begin reconnaissance.
From there, they escalated privileges to NT AUTHORITY\SYSTEM using a Potato-class token-impersonation exploit, specifically the BadPotato primitive, effectively owning the compromised host within the first hours of the intrusion.
What followed was a methodical progression through the ATT&CK framework. The attacker deployed Mimikatz to dump LSASS memory, harvested MSV and SAM credentials, and attempted to reset passwords on high-impact identity accounts, a credential-access technique designed to avoid the noise typically associated with dumping tools.
Within 24 hours of initial access, the threat actor had remotely created a scheduled task on a domain controller and triggered NTDS snapshot activity using ntdsutil, packaging the output with makecab.exe for offline analysis.
At that point, the attack had crossed the critical threshold: with a full NTDS dump in hand, every Active Directory credential in the environment was effectively compromised.
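The ntdsutil-then-makecab sequence on a domain controller is a concrete pattern to hunt for. As an added example (not code from Microsoft's case study), the following Python correlates constructed process-creation events per DC and reports the chain only when a snapshot is followed by packaging, so routine snapshot listing is not flagged; the hostnames, user names and DC inventory are assumed, and the task creation is assumed to be visible as a local schtasks.exe event (a remotely created task would surface as Security event 4698 instead, which this example does not parse).

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Minimal shape of a Windows 4688 / Sysmon event-1 process-creation record.
ProcEvent = namedtuple("ProcEvent", "ts host user image cmdline")
DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumed DC inventory for this example

def stage(ev):
    """Map one process event to a stage of the NTDS extraction chain, or None."""
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    if img.endswith("schtasks.exe") and "/create" in cmd:
        return "task_created"
    if img.endswith("ntdsutil.exe") and ("snapshot" in cmd or "ifm" in cmd):
        return "ntds_snapshot"
    if img.endswith("makecab.exe"):
        return "dump_packaged"
    return None

def find_ntds_extraction(events, window=timedelta(hours=2)):
    """Return (host, user, chain) for each DC where an ntdsutil snapshot is followed
    by makecab within `window`; a preceding schtasks /create is added to the chain.
    A snapshot with no packaging step (routine admin use) is not reported."""
    by_host, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.host in DOMAIN_CONTROLLERS and stage(ev):
            by_host.setdefault(ev.host, []).append((ev.ts, ev.user, stage(ev)))
    for host, seq in by_host.items():
        for i, (t0, user, s0) in enumerate(seq):
            if s0 != "ntds_snapshot":
                continue
            before = {s for t, _, s in seq[:i] if t0 - t <= window}
            after = {s for t, _, s in seq[i + 1:] if t - t0 <= window}
            if "dump_packaged" in after:
                chain = (["task_created"] if "task_created" in before else []) + [s0, "dump_packaged"]
                findings.append((host, user, chain))
    return findings

T = datetime(2025, 6, 10, 3, 0)
SAMPLE = [  # constructed events for this example, not telemetry from the incident
    ProcEvent(T, "DC01", "CORP\\svc_backup", r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /tn Upd /tr C:\Windows\Temp\run.bat /sc once /st 03:05"),
    ProcEvent(T + timedelta(minutes=5), "DC01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\ntdsutil.exe", 'ntdsutil snapshot "activate instance ntds" create q q'),
    ProcEvent(T + timedelta(minutes=9), "DC01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\makecab.exe", r"makecab C:\Windows\Temp\ntds.dit C:\Windows\Temp\u.cab"),
    ProcEvent(T, "WEB01", "CORP\\admin", r"C:\Windows\System32\makecab.exe", "makecab a.txt a.cab"),
    ProcEvent(T + timedelta(days=1), "DC02", "CORP\\admin", r"C:\Windows\System32\ntdsutil.exe",
              "ntdsutil snapshot list all q q"),  # listing snapshots alone is not reported
]
```

Running `find_ntds_extraction(SAMPLE)` yields a single finding for DC01 with the full three-stage chain; the WEB01 event is ignored because it is not a DC, and the DC02 snapshot listing has no packaging step.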
Exchange Takeover and Lateral Spread
The threat actor then pivoted to the Microsoft Exchange infrastructure, deploying a Godzilla web shell and leveraging privileged context to enumerate accounts with ApplicationImpersonation role assignments.
Using PowerShell’s Add-MailboxPermission cmdlet, the attacker granted themselves delegated full access across all mailboxes, enabling complete read and manipulation of organizational email content.
Impacket atexec.py was used for remote role enumeration, which triggered Microsoft Defender’s automatic attack disruption capability and revoked the abused admin account’s session. Despite the disruption, the attacker returned weeks later with expanded Impacket tooling, including secretsdump and PsExec.
Repeated Defender-triggered disruptions forced them to rotate through compromised accounts and ultimately launch a broad password spray from the originally compromised IIS server, unlocking access to at least 14 additional servers through credential reuse across the environment.
Predictive Shielding Changes the Equation
The pivotal shift occurred when Microsoft activated predictive shielding mid-campaign. Unlike traditional detection-based responses, which wait for an account to exhibit malicious behavior before acting, predictive shielding evaluates exposure risk in real time, identifying which high-privilege identities were likely exposed on a compromised device and applying containment before those credentials are abused.
When credential-dumping signals surfaced, including attempts against domain controllers and additional IIS servers, predictive shielding automatically restricted exposed accounts and context-linked identities sharing the same compromised surfaces.
Crucially, when an Enterprise Admin and Schema Admin credential was identified as exposed, the system contained it pre-abuse, blocking what would otherwise have been a catastrophic escalation to full forest control.
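To make the exposure-based idea concrete, here is an added, deliberately simplified model (written for this article, not Microsoft's predictive shielding implementation) that takes observed logon sessions and a set of compromised hosts and derives which privileged identities to contain before any abuse is seen; the account and host names, the privileged-group membership and the logon-type rule are all constructed assumptions.

```python
from collections import namedtuple

# One logon session observed on a host; `logon` is "interactive", "service" or "network".
Session = namedtuple("Session", "account host logon")

# Logon types that leave reusable credential material (hashes, tickets) on the host.
# Network logons do not, so a network-only account is not treated as exposed.
REUSABLE = {"interactive", "service"}

def plan_containment(sessions, compromised_hosts, privileged):
    """Return (tier1, tier2, surfaces, exposed_other).
    tier1: privileged accounts with reusable credentials on a compromised host;
    surfaces: the compromised hosts plus every host where a tier1 account also
              has a reusable session (the shared surface a credential thief can reach);
    tier2: other privileged accounts with reusable sessions on those surfaces;
    exposed_other: non-privileged accounts exposed on any surface (reset, not contain)."""
    reusable = [s for s in sessions if s.logon in REUSABLE]
    tier1 = {s.account for s in reusable if s.host in compromised_hosts and s.account in privileged}
    surfaces = set(compromised_hosts) | {s.host for s in reusable if s.account in tier1}
    on_surface = {s.account for s in reusable if s.host in surfaces}
    tier2 = (on_surface & privileged) - tier1
    exposed_other = on_surface - privileged
    return tier1, tier2, surfaces, exposed_other

# Constructed sample data for this example, not from the case study.
PRIVILEGED = {"CORP\\ent_admin", "CORP\\schema_admin", "CORP\\da_backup"}
SESSIONS = [
    Session("CORP\\ent_admin", "IIS01", "interactive"),   # Enterprise Admin logged on to the compromised IIS host
    Session("CORP\\ent_admin", "DC01", "interactive"),    # same identity also present on DC01
    Session("CORP\\schema_admin", "DC01", "service"),     # shares DC01 with an exposed identity
    Session("CORP\\svc_sql", "IIS01", "network"),         # network logon only: nothing reusable left behind
    Session("CORP\\helpdesk", "IIS01", "interactive"),    # exposed, but not a privileged identity
    Session("CORP\\da_backup", "FILE01", "interactive"),  # privileged, but on an unrelated host
]

if __name__ == "__main__":
    t1, t2, surfaces, other = plan_containment(SESSIONS, {"IIS01"}, PRIVILEGED)
    print("contain now:", sorted(t1), "| contain (linked surface):", sorted(t2))
    print("surfaces:", sorted(surfaces), "| reset only:", sorted(other))
```

With IIS01 as the only known-compromised host, the model contains the Enterprise Admin directly, extends the surface to DC01 because that identity also has a session there, and therefore contains the Schema Admin found on DC01 before it is ever used, while the unrelated FILE01 admin is left alone.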
Forced into a corner, the threat actor pivoted to Apache Tomcat servers, compromising three instances and dropping additional Godzilla web shells.
They launched PowerShell-based Invoke-Mimikatz commands and attempted to extract Microsoft Entra Connect synchronization credentials using Impacket’s WmiExec, a move that would have enabled Azure AD credential harvesting at scale. Defender’s containment blocked the pivot account shortly after, limiting further lateral reach.
By July 28, 2025, after repeated session revocations and blocked sign-in attempts, the attack campaign lost momentum and ceased activity entirely.
What makes Active Directory domain compromise particularly severe is the operational paradox it creates for defenders. Incident responders cannot simply take domain controllers or identity infrastructure offline without risking business continuity.
Credential artifacts derived from a compromised krbtgt account, particularly Kerberos tickets, can be replayed across the environment long after the initial theft, enabling persistent access even after password resets.
Restoring a domain to a trusted state requires a carefully sequenced set of remediation steps: rotating the krbtgt password (twice, to invalidate all existing Kerberos tickets), auditing and cleaning Group Policy Objects, validating Access Control Lists across the directory, and confirming no backdoor accounts or delegated permissions remain.
MITRE ATT&CK Techniques Observed
The campaign mapped to a broad range of ATT&CK techniques, including T1190 (Exploit Public-Facing Application), T1003.001 and T1003.003 (LSASS and NTDS credential dumping), T1110.003 (Password Spraying), T1114.002 (Remote Email Collection), T1053.005 (Scheduled Task), and T1098 (Account Manipulation). Defense evasion included file deletion via cleanup scripts such as del.bat to remove dumping artifacts post-exfiltration.
What Defenders Should Prioritize
- Contain at the host level first: early-stage credential theft must be stopped before it reaches the identity infrastructure.
- Protect domain controllers and privileged identities as the highest-priority assets during any intrusion.
- Deploy exposure-based detection, not just behavior-based alerting, to close the speed gap between credential theft and abuse.
- Enable Microsoft Defender for Endpoint P2 with automatic attack disruption prerequisites to take advantage of predictive shielding out of the box.
- Pre-plan krbtgt rotation and GPO cleanup procedures so remediation can begin immediately upon domain compromise confirmation.
Predictive shielding is available to Microsoft Defender for Endpoint P2 customers who meet the platform prerequisites and, as reported by Microsoft Defender, represents a fundamental shift in how identity-based attacks can be disrupted, moving defense from reactive forensics to proactive exposure containment.
Frequently Asked Questions
What is predictive shielding in Microsoft Defender?
It is an automatic attack-disruption feature that proactively contains high-privilege accounts that are likely exposed to credential theft before those credentials are actively abused by a threat actor.
How do attackers achieve Active Directory domain compromise?
They typically exploit public-facing applications to gain initial access, escalate privileges locally, dump NTDS or LSASS credential stores, and abuse domain admin accounts to gain full directory control.
Why is recovering from a domain compromise so difficult?
Because credential artifacts like Kerberos tickets can be replayed across the network, restoring trust requires multi-step processes including krbtgt rotation, GPO cleanup, and ACL auditing, all under active incident pressure.
What is the Godzilla web shell used by threat actors?
Godzilla is an open-source, cross-platform web shell commonly used by threat actors for persistent remote access to compromised web servers, supporting encrypted communication and modular payload execution.