Summary
- Microsoft Defender disrupted a human operated ransomware incident targeting a large educational institution with more than a couple of thousand devices.
- The attacker attempted to weaponize Group Policy Objects (GPOs) to tamper with security controls and distribute ransomware via scheduled tasks.
- Defender’s predictive shielding detected the attack before ransomware was deployed and proactively hardened against malicious GPO propagation across 700 devices.
- Defender blocked ~97% of the attacker’s attempted encryption activity in total, and zero machines were encrypted via the GPO path.
The growing threat: GPO abuse in ransomware operations
Modern ransomware operators have evolved well beyond simple payload delivery. Today’s attackers understand enterprise infrastructure intimately. They actively exploit the administrative mechanisms that organizations depend on to both neutralize security products and distribute ransomware at scale.
Group Policy Objects (GPOs) have become a favored tool for exactly this purpose. GPOs are a built-in, trusted mechanism for pushing configuration changes across domain-joined devices. Attackers have learned to abuse them: pushing tampering configurations to disable security tools, deploying scheduled tasks that distribute and execute ransomware, and achieving wide organizational impact without needing to touch each machine individually.
In this blog, we examine a real incident where an attacker weaponized GPOs in exactly this way, and how Defender’s predictive shielding responded by catching the attack before the ransomware was even deployed.
The incident
The target was a large educational institution with approximately more than a couple of thousand devices onboarded to Microsoft Defender and the full Defender suite deployed. The infrastructure included 33 servers, 11 domain controllers, and 2 Entra Connect servers.
Attack chain overview
The attacker’s progression through the environment was methodical:
Initial Access and Privilege Escalation: The attacker began operating from an unmanaged device. At this stage, one Domain Admin account had already been compromised. Due to limited visibility, the initial access vector and the method used to obtain Domain Admin privileges remain unknown.
Day 1: Reconnaissance: The attacker began reconnaissance activity using AD Explorer for Active Directory enumeration and brute force techniques to map the environment. Defender generated alerts in response to these activities.
Day 2: Credential Access and Lateral Movement: The attacker obtained credentials for multiple high privilege accounts, with Kerberoasting and NTDS dump activity observed leading up to this point. During this phase, the attacker also created multiple local accounts on compromised systems to establish additional persistent access. Using some of the acquired credentials, the attacker then began moving laterally within the network.
During these activities, Defender initiated attack disruption against five compromised accounts. This action caused the attacker’s lateral movement attempts to be blocked at scale, resulting in thousands of blocked authentication and access attempts and a significant slowdown of the attack.
With attack disruption in place, the attacker’s progress was significantly constrained at this stage, limiting lateral movement and preventing rapid escalation. Without this intervention, the customer would have faced a far more severe outcome.
Day 5: Defense Evasion and Impact: While some accounts were disrupted and blocked, the attacker was still able to leverage additional privileged accounts still in their hands. Using these accounts, the attacker transitioned to the impact phase and leveraged Group Policy as the primary distribution mechanism.
Just prior to the ransomware deployment, the attacker used GPO to propagate a tampering policy that disabled Defender protections.
Ransomware payload was then distributed via GPO, while in parallel, the attacker executed additional remote ransomware operations, delivering the payload over SMB using multiple compromised accounts.
A second round of attack disruption was initiated by Defender as a reaction to this new stage, this time alongside predictive shielding. More than a dozen compromised entities were disrupted, together with GPO hardening, ultimately neutralizing the attack and preventing the attacker from making any further progress.
Step 1: Tampering with security controls
The attacker’s first move was to create a malicious GPO designed to tamper with endpoint security controls. The policy disabled key Defender protections, including behavioral monitoring and real-time protection, with the goal of weakening defenses ahead of ransomware deployment.
This tampering attempt triggered a Defender tampering alert. In response, predictive shielding activated GPO hardening, temporarily pausing the propagation of new GPO policies, across all MDE onboarded devices reachable from the attacker’s standpoint – achieved protection of ~85% of devices against the tampering policy.
Step 2: Ransomware distribution via scheduled tasks
Approximately ten minutes after creating the tampering GPO, without being aware of Defender’s GPO Hardening policy being deployed and activated, the attacker attempted to proceed with the next stage of the attack: ransomware payload distribution[EF2] .
- The attacker placed three malicious files: run.bat, run.exe and run.dll under the SYSVOL share. These files were responsible for deploying the ransomware payload.
- A second malicious GPO was created to configure a scheduled task on targeted devices.
- The scheduled task copied the payload files locally and executed them using the following chain:
cmd /c start run.bat → cmd /c c:\users\…\run.exe → rundll32 c:\users\…\run.dll Encryptor
This approach is effective because each device pulls the payload to itself through the scheduled task. The attacker sets the GPO once, and the devices do the rest. It’s a self-service distribution model that leverages the infrastructure the organization depends on.
Because GPO hardening had already been applied during the tampering stage, by the time the attacker created the ransomware GPO ten minutes later, the environment was already hardened. The system recognized that GPO tampering is a precursor to ransomware distribution and acted preemptively. The system didn’t wait for ransomware to appear. It acted on what the attacker was about to do.
The results
The numbers speak for themselves:
- Zero machines were encrypted via the GPO path.
- Roughly 97% of devices the attacker attempted to encrypt were fully protected by Defender. A limited number of devices experienced encryption during concurrent ransomware activity over SMB; however, attack disruption successfully contained the incident and stopped further impact.
- 700 devices applied the predictive shielding GPO hardening policy, reflecting the attacker’s broad targeting scope, and blocking the propagation of the malicious policy set by the attacker within approximately 3 hours.
The hardening dilemma: Why threat actors love operational mechanisms
Enterprise environments rely on administrative mechanisms such as Group Policy, scheduled tasks, and remote management tools to manage and automate operations at scale. These capabilities are highly privileged and widely trusted, making them a natural part of everyday IT workflows. Because they are designed for legitimate administration and automation, attackers increasingly target them as a low-friction way to disable defenses and distribute malware using the same tools administrators use every day.
This creates a fundamental asymmetry. Defenders must keep these mechanisms open for legitimate use, while attackers exploit that very openness. Attackers increasingly pivot toward IT management mechanisms precisely because they can’t be hardened all the time. GPO changes are treated as legitimate administrative activity. Scheduled tasks are a normal OS function. SYSVOL and NETLOGON must remain accessible to every domain-joined device.
Traditional security approaches all fall short here. Always-on hardening breaks operations. Detection-only is too late, because by the time an alert fires, ransomware may already be distributed across the environment. Manual SOC intervention can’t keep pace with an attacker operating in minutes. This is the gap that predictive shielding is designed to close.
Predictive shielding: Contextual, just-in-time hardening
Predictive shielding is built on two pillars. The first is prediction: Defender correlates activity signals, threat intelligence, and exposure topology to infer what the attacker is likely to do next and which assets are realistically reachable. The second is enforcement: targeted, temporary controls are applied to disrupt the predicted attack path in real time.
This is a fundamentally different approach to protection: adaptive, risk-conditioned enforcement, with controls that are scoped to the blast radius, temporary, and contextual. Instead of relying on always-on controls or reacting after damage occurs, Defender applies these targeted, temporary protections only when concrete risk signals indicate an attack is unfolding.
Closing the gap
Operational mechanisms like GPO can’t be permanently hardened, and that is exactly why threat actors pivot toward them. Predictive shielding closes this gap with contextual, just-in-time hardening that acts on predicted attacker intent rather than waiting for the attack to materialize.
In this case, predictive shielding caught the attacker at the tampering stage and prevented ransomware from spreading through a malicious GPO.
700 devices were saved from encryption, achieving a 97% protection rate.
The remaining devices were encrypted through rapid remote SMB-based ransomware deployment, after which attack disruption successfully contained the incident and stopped further propagation.
Zero machines applied the attacker’s malicious ransomware deployment GPO, preventing widespread encryption and saving the customer from significant recovery costs, operational downtime, and data loss.
MITRE ATT&CK® techniques observed
The table below maps observed behaviors to ATT&CK. (Tactics shown are per technique definition)
| Tactic(s) | Technique ID | Technique name | Observed details |
| Discovery | T1087.002 | Account Discovery: Domain Account | The attacker used AD Explorer to enumerate Active Directory objects and domain accounts during initial reconnaissance. |
| Credential Access | T1110 | Brute Force | During early reconnaissance, the attacker used brute force techniques. |
| Credential Access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Kerberoasting activity was observed prior to the attacker obtaining multiple high-privilege credentials. |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS | NTDS dump activity was observed as part of credential harvesting prior to the attacker obtaining multiple high-privilege credentials. |
| Persistence | T1136.001 | Create Account: Local Account | The attacker created multiple new local accounts on compromised systems to establish additional persistent access prior to ransomware deployment. |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | Using stolen high-privilege credentials, the attacker moved laterally across systems in the environment. |
| Persistence | T1484.001 | Domain Policy Modification: Group Policy Modification | The attacker created malicious Group Policy Objects to modify security configurations and deploy ransomware at scale. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | A malicious Group Policy Object was created to disable Defender protections, including real-time protection and behavioral monitoring. |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | The attacker used Group Policy to create scheduled tasks that copied ransomware payload files from SYSVOL share and executed them on target devices. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Command line instructions (cmd /c) were used within scheduled tasks to copy and launch the ransomware payload. |
| Execution | T1218.011 | System Binary Proxy Execution: Rundll32 | The ransomware execution chain used rundll32.exe to execute the malicious DLL payload. |
| Impact | T1486 | Data Encrypted for Impact | Ransomware deployment via Group Policy was attempted along with remote ransomware operations. |
References
- Blog post: Microsoft Defender now prevents threats on endpoints during an attack
- Predictive shielding in Microsoft Defender
- GPO hardening in Microsoft Defender for Endpoint
This research is provided by Microsoft Defender Security Research with contributions from Tal Tzhori and Aviv Sharon.
Learn more
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
- Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps
- Explore how to build and customize agents with Copilot Studio Agent Builder
- Microsoft 365 Copilot AI security documentation
- How Microsoft discovers and mitigates evolving attacks against AI guardrails
- Learn more about securing Copilot Studio agents with Microsoft Defender
The post Case study: How predictive shielding in Defender stopped GPO-based ransomware before it started appeared first on Microsoft Security Blog.
from Microsoft Security Blog https://ift.tt/IUq0vnB
via IFTTT
