Containing a domain compromise: How predictive shielding shut down lateral movement
ID: 895376e0-5c1d-5340-b3fe-e97a44a8029e
STIX ID: report--895376e0-5c1d-5340-b3fe-e97a44a8029e
Feed Name: Microsoft Security
Date Published: 2026-04-17
Date Updated: 2026-04-28
Author: Microsoft Defender Security Research Team
A public-sector organization suffered a multi-stage Active Directory compromise that began with exploitation of an IIS file-upload vulnerability to drop web shells. From that foothold the adversary escalated to SYSTEM (BadPotato), carried out large-scale credential dumping (Mimikatz, NTDS snapshots), abused Exchange delegation, and moved laterally with the harvested credentials, including password spraying against other accounts. Microsoft Defender's attack disruption, and later its predictive shielding feature, automatically revoked the compromised sessions and preemptively contained high-privilege accounts linked to the intrusion's context, blocking pivots and limiting the adversary's blast radius until the campaign lost momentum.
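The password-spraying stage of the intrusion is the one a defender can most readily spot from authentication telemetry, because its shape (one source, many accounts, one or two attempts each) differs from both ordinary mistyped passwords and single-account brute force. The example below is added here and is not code from the Microsoft report or from Defender; it runs a simple spray detector over a handful of constructed logon events that imitate the fields of Windows Security events 4625/4624. The event data, the 10-minute window, and the thresholds (`min_users`, `max_per_user`) are all assumptions for illustration.

```python
"""Password-spray detection over constructed logon events (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, target_user, outcome).
# Invented for this example; not taken from the incident described above.
SAMPLE_EVENTS = [
    # One source tries six accounts once each, then lands a weak password.
    ("2026-04-01T10:00:01", "10.0.0.5", "alice", "failure"),
    ("2026-04-01T10:00:03", "10.0.0.5", "bob", "failure"),
    ("2026-04-01T10:00:05", "10.0.0.5", "carol", "failure"),
    ("2026-04-01T10:00:07", "10.0.0.5", "dave", "failure"),
    ("2026-04-01T10:00:09", "10.0.0.5", "erin", "failure"),
    ("2026-04-01T10:00:11", "10.0.0.5", "frank", "failure"),
    ("2026-04-01T10:00:13", "10.0.0.5", "grace", "success"),
    # Single-account brute force from another source: many attempts, one user.
    *[("2026-04-01T10:01:%02d" % i, "10.0.0.9", "svc-backup", "failure")
      for i in range(8)],
    # A user mistyping a password twice and then logging in normally.
    ("2026-04-01T10:02:00", "10.0.0.7", "heidi", "failure"),
    ("2026-04-01T10:02:05", "10.0.0.7", "heidi", "failure"),
    ("2026-04-01T10:02:10", "10.0.0.7", "heidi", "success"),
]


def parse(events):
    """Turn ISO timestamps into datetimes so windows can be computed."""
    return [(datetime.fromisoformat(ts), ip, user, outcome)
            for ts, ip, user, outcome in events]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct accounts, few tries each.

    A spray is distinguished from brute force by the per-account attempt
    count: many failures spread thinly across accounts, not piled on one.
    Returns {source_ip: {"window_start": datetime,
                         "users": [sprayed accounts],
                         "successes": [accounts that accepted a logon]}}.
    Thresholds are illustrative assumptions, not tuned values.
    """
    by_source = defaultdict(list)
    for ev in sorted(parse(events)):
        by_source[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_source.items():
        # Slide a window over this source's events; report the first hit.
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failures = Counter(u for _, _, u, o in in_window if o == "failure")
            if (len(failures) >= min_users
                    and max(failures.values()) <= max_per_user):
                # Any successful logon from the spraying source in the same
                # window is the account the defender must treat as compromised.
                successes = sorted({u for _, _, u, o in in_window
                                    if o == "success"})
                findings[ip] = {"window_start": start,
                                "users": sorted(failures),
                                "successes": successes}
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Only `10.0.0.5` is reported: `10.0.0.9` fails against a single account eight times, which is brute force rather than spraying, and `10.0.0.7` is a single user with two typos. In a real deployment the thresholds need tuning against the tenant's baseline, and successful logons following a spray from the same source (here `grace`) are the accounts whose sessions should be revoked first, which is the kind of containment the report credits to attack disruption.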
