An IIS foothold, a defense-impairment script, and a WDigest downgrade show how quickly server-side access can turn into a credential-theft workflow.