Post-Exploitation Tactics That Still Work in 2025

Discover 6 post-exploitation tactics still thriving in 2025 and learn actionable defenses to close long-standing security gaps before attackers strike.

If you hang around security conferences or Red-Team Slack channels long enough, you’ll hear the same refrain: “Everything old is new again.” Attackers rarely invent brand-new magic; they keep polishing tactics that already work—because defenders keep giving them room to breathe. Below are six post-exploitation techniques that remain stubbornly effective in 2025, plus pragmatic ways security teams can trip them up without breaking the budget or the business.

Living-off-the-Land Binaries (LOLBins)

Why It Still Works

PowerShell, MSHTA, CertUtil, and a dozen other native tools still ship with every modern Windows build (and their *nix cousins ship with Linux distros). They’re code-signed, pre-installed, and whitelisted by default. Attackers love them because each one cuts down on the need to drop obvious malware.

In 2025, the technique has evolved more than the tooling. Threat actors now chain multiple LOLBins—using, say, `wsl.exe` to hop into the Windows Subsystem for Linux, then `curl` inside WSL to pull payloads over IPv6 to dodge legacy egress filters.

What Defenders Can Do

  • Baseline legitimate admin usage of core binaries and alert on outliers (for example, `cscript.exe` executing at 2 a.m. from HR’s workstation).

  • Feed PowerShell script-block logs into the SIEM, and apply Group Policy hardening to WSL so that its activity is logged and fed in as well.

  • Remember that “don’t block, just alert” is no longer enough; auto-contain hosts that deviate from their normal LOLBin pattern, then let IR triage.
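The first bullet above is straightforward to automate once process-creation telemetry is flowing. The following is an added example, not code from the article: it builds a per-host, per-user baseline of which native binaries run and at what hours, then scores new events against it. The event records, the watched-binary set and the 07:00 to 19:59 UTC business-hours window are constructed assumptions; they assume Sysmon Event ID 1 or Security Event 4688 data has already been normalised to host / user / image / UTC timestamp.

```python
"""Baseline native-binary (LOLBin) execution per host and user, then flag outliers.

Added example, not code from the article. Event records are constructed and assume
process-creation telemetry (Sysmon Event ID 1 or Security 4688) has been normalised
to host / user / image / ISO-8601 UTC timestamp.
"""
from collections import defaultdict
from datetime import datetime

# Native binaries worth baselining; illustrative, not an exhaustive LOLBin list.
WATCHED_BINARIES = {
    "powershell.exe", "mshta.exe", "certutil.exe", "cscript.exe",
    "wscript.exe", "rundll32.exe", "regsvr32.exe", "wsl.exe",
}

# Constructed history: a week of "normal" activity reduced to a handful of events.
HISTORY = [
    {"host": "IT-ADMIN-01", "user": "CORP\\jdoe", "image": "powershell.exe", "ts": "2025-03-03T09:15:00"},
    {"host": "IT-ADMIN-01", "user": "CORP\\jdoe", "image": "powershell.exe", "ts": "2025-03-04T10:02:00"},
    {"host": "IT-ADMIN-01", "user": "CORP\\jdoe", "image": "cscript.exe", "ts": "2025-03-04T11:40:00"},
    {"host": "HR-WS-17", "user": "CORP\\asmith", "image": "excel.exe", "ts": "2025-03-03T08:55:00"},
    {"host": "HR-WS-17", "user": "CORP\\asmith", "image": "outlook.exe", "ts": "2025-03-04T09:10:00"},
]

# Constructed new events to score against that history.
NEW_EVENTS = [
    {"host": "IT-ADMIN-01", "user": "CORP\\jdoe", "image": "cscript.exe", "ts": "2025-03-06T13:20:00"},
    {"host": "HR-WS-17", "user": "CORP\\asmith", "image": "winword.exe", "ts": "2025-03-06T09:00:00"},
    # A scripting host on an HR workstation at 2 a.m.: never seen there, and off hours.
    {"host": "HR-WS-17", "user": "CORP\\asmith", "image": "cscript.exe", "ts": "2025-03-06T02:03:00"},
]


def build_baseline(history):
    """Return {(host, user, image): set of hours seen} for watched binaries only."""
    baseline = defaultdict(set)
    for e in history:
        image = e["image"].lower()
        if image in WATCHED_BINARIES:
            hour = datetime.fromisoformat(e["ts"]).hour
            baseline[(e["host"], e["user"], image)].add(hour)
    return baseline


def score_event(event, baseline, business_hours=range(7, 20)):
    """Return the reasons an event deviates from the baseline (empty list = normal)."""
    image = event["image"].lower()
    if image not in WATCHED_BINARIES:
        return []
    reasons = []
    key = (event["host"], event["user"], image)
    hour = datetime.fromisoformat(event["ts"]).hour
    if key not in baseline:
        reasons.append("unseen_host_user_binary")  # this user never ran it on this host before
    if hour not in business_hours:
        reasons.append("off_hours")  # outside the assumed 07:00-19:59 UTC window
    return reasons


def find_outliers(history, new_events):
    """Score every new event against the baseline; return the deviating ones with reasons."""
    baseline = build_baseline(history)
    findings = []
    for e in new_events:
        reasons = score_event(e, baseline)
        if reasons:
            findings.append({"host": e["host"], "user": e["user"],
                             "image": e["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_outliers(HISTORY, NEW_EVENTS):
        # In a real pipeline this is where the auto-containment call would go.
        print(f"CONTAIN {f['host']}: {f['user']} ran {f['image']} ({', '.join(f['reasons'])})")
```

Two design points: the baseline key is the (host, user, binary) triple rather than the binary alone, because `cscript.exe` is normal for an admin and abnormal for HR, and the score returns a list of reasons rather than a boolean so the containment action and the IR ticket both carry the why.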

Kerberoasting—Now With Hybrid Identities

Why It Still Works

Kerberoasting has existed for a decade, but hybrid environments make it freshly dangerous. Adversaries request Kerberos service tickets for on-prem accounts synchronized with Azure AD. They crack the ticket offline, obtain the plaintext password, and flip that knowledge into cloud control—sometimes without ever triggering MFA prompts.

What Defenders Can Do

  • Rotate on-prem service account passwords regularly and migrate them to Group Managed Service Accounts (gMSAs) where feasible.

  • Enforce long, random passwords (30+ characters) for any legacy SPNs that absolutely must stay.

  • Turn on Azure AD sign-in risk policies to look for impossible travel or anomalous IP ranges immediately after a Kerberos ticket request.
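Ticket harvesting also leaves a clear trace on the domain controllers, which gives defenders a signal independent of the cloud-side risk policies. The following is an added example, not code from the article: it runs over Windows Security Event 4769 (Kerberos service ticket requested) records and alerts when one account pulls many distinct service tickets in a short window, by default counting only RC4 tickets. The event records are constructed, and the field names assume 4769 data has been normalised as described in the docstring.

```python
"""Spot Kerberoasting-style ticket harvesting in Windows Security Event 4769 data.

Added example, not code from the article. The event records are constructed and
assume 4769 fields have been normalised to: ts (UTC ISO-8601), account (the
requesting user), service (Service Name), enc_type (Ticket Encryption Type) and
client_ip. Logging 4769 requires the "Audit Kerberos Service Ticket Operations"
subcategory to be enabled on the domain controllers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Ticket Encryption Type for RC4-HMAC, the classic downgrade requested for roasting

# Constructed sample: one account pulls six distinct RC4 service tickets in under
# two minutes; everything else is ordinary AES traffic.
SAMPLE_4769 = [
    {"ts": "2025-03-06T10:00:01", "account": "CORP\\bob", "service": "svc-sql", "enc_type": 0x17, "client_ip": "10.20.30.40"},
    {"ts": "2025-03-06T10:00:02", "account": "CORP\\bob", "service": "svc-web", "enc_type": 0x17, "client_ip": "10.20.30.40"},
    {"ts": "2025-03-06T10:00:04", "account": "CORP\\bob", "service": "svc-backup", "enc_type": 0x17, "client_ip": "10.20.30.40"},
    {"ts": "2025-03-06T10:00:05", "account": "CORP\\bob", "service": "svc-mail", "enc_type": 0x17, "client_ip": "10.20.30.40"},
    {"ts": "2025-03-06T10:00:09", "account": "CORP\\bob", "service": "svc-print", "enc_type": 0x17, "client_ip": "10.20.30.40"},
    {"ts": "2025-03-06T10:01:30", "account": "CORP\\bob", "service": "svc-ci", "enc_type": 0x17, "client_ip": "10.20.30.40"},
    {"ts": "2025-03-06T10:00:03", "account": "CORP\\alice", "service": "svc-web", "enc_type": 0x12, "client_ip": "10.20.31.7"},
    {"ts": "2025-03-06T10:00:07", "account": "CORP\\alice", "service": "FS01$", "enc_type": 0x12, "client_ip": "10.20.31.7"},
    {"ts": "2025-03-06T10:00:08", "account": "CORP\\alice", "service": "krbtgt", "enc_type": 0x12, "client_ip": "10.20.31.7"},
]


def roastable(event):
    """Keep tickets for user-style service accounts; skip machine accounts and the TGT itself."""
    svc = event["service"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5, rc4_only=True):
    """Alert when one account requests >= threshold distinct service tickets inside `window`.

    With rc4_only=True only RC4 tickets count. Set it False where service accounts
    are AES-only and the volume of distinct SPNs is the only remaining signal.
    """
    per_account = defaultdict(list)
    for e in events:
        if not roastable(e):
            continue
        if rc4_only and e["enc_type"] != RC4_HMAC:
            continue
        per_account[e["account"]].append(
            (datetime.fromisoformat(e["ts"]), e["service"], e["client_ip"]))

    alerts = []
    for account, reqs in per_account.items():
        reqs.sort()
        best, start = None, 0
        for end in range(len(reqs)):
            # Slide `start` forward so reqs[start:end+1] spans at most `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = sorted({svc for _, svc, _ in reqs[start:end + 1]})
            if best is None or len(distinct) > len(best["distinct_services"]):
                best = {"account": account, "client_ip": reqs[end][2],
                        "distinct_services": distinct,
                        "first_request": reqs[start][0].isoformat()}
        if best and len(best["distinct_services"]) >= threshold:
            alerts.append(best)  # one alert per account keeps triage manageable
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(f"{a['account']} from {a['client_ip']} requested "
              f"{len(a['distinct_services'])} RC4 service tickets starting "
              f"{a['first_request']}: {a['distinct_services']}")
```

The detection pairs naturally with the bullets above: a gMSA's machine-managed password makes a harvested ticket worthless offline, and an account that still tripped this rule is the one whose SPN password you check against the 30-plus-character requirement first.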

Token Theft in the Cloud Control Plane

Why It Still Works

Endpoint MFA fatigue campaigns get the headlines, but once an attacker lands on a developer box the juicy prize is often buried token files or cached CLI credentials. Cloud providers have tightened token lifetimes, yet the window is still big enough for lateral movement. Attackers spin up anonymizing compute instances, exfiltrate data to ephemeral object stores, then nuke the evidence before billing alerts even fire.

What Defenders Can Do

  • Shift log collection from “every 24 hours” to near-real-time streaming into a central data lake; lag time is the attacker’s friend.

  • Assign fine-grained, short-lived, just-in-time (JIT) roles—preferably minted via automated pipelines rather than long-standing IAM keys living on disk.

  • Hunt for “deny-all” deletion events followed by rapid resource creation; that odd combo remains a reliable Indicator of Cloud Compromise (IoCC).
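The third bullet's "deletion followed by rapid resource creation" pattern is easy to express once control-plane logs are streaming. The following is an added example, not code from the article: it groups CloudTrail-shaped events by principal, looks for a burst of deletions followed within minutes by creations, and weights the finding when the deletions hit the logging pipeline itself. The events are constructed, and the API-name prefixes used to classify deletes versus creates are an assumption of this example.

```python
"""Hunt for "destroy the evidence, then build" sequences in cloud control-plane logs.

Added example, not code from the article. Event records are constructed in a
CloudTrail-like shape (ts, principal, event_name). The name prefixes used to
classify deletion versus creation are an assumption; extend them per provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DELETE_PREFIXES = ("Delete", "Terminate", "StopLogging", "Remove")
CREATE_PREFIXES = ("Create", "Run", "Put", "Start")
# Deletions aimed at logging weigh more: they remove the defender's own evidence.
LOGGING_EVENTS = {"StopLogging", "DeleteTrail", "DeleteFlowLogs", "DeleteLogGroup"}

# Constructed sample. ci-deployer only creates; ops-cleanup only deletes;
# dev-laptop kills logging, deletes, then spins up fresh resources in three minutes.
SAMPLE_EVENTS = [
    {"ts": "2025-03-06T03:10:00", "principal": "role/ci-deployer", "event_name": "CreateBucket"},
    {"ts": "2025-03-06T03:12:00", "principal": "role/ci-deployer", "event_name": "PutObject"},
    {"ts": "2025-03-06T03:40:00", "principal": "user/dev-laptop", "event_name": "StopLogging"},
    {"ts": "2025-03-06T03:40:20", "principal": "user/dev-laptop", "event_name": "DeleteTrail"},
    {"ts": "2025-03-06T03:40:45", "principal": "user/dev-laptop", "event_name": "DeleteObject"},
    {"ts": "2025-03-06T03:41:30", "principal": "user/dev-laptop", "event_name": "RunInstances"},
    {"ts": "2025-03-06T03:42:10", "principal": "user/dev-laptop", "event_name": "CreateBucket"},
    {"ts": "2025-03-06T03:43:00", "principal": "user/dev-laptop", "event_name": "PutObject"},
    {"ts": "2025-03-06T09:00:00", "principal": "user/ops-cleanup", "event_name": "DeleteSnapshot"},
    {"ts": "2025-03-06T09:00:30", "principal": "user/ops-cleanup", "event_name": "DeleteSnapshot"},
]


def classify(event_name):
    """Bucket an API call as delete / create / other by its name prefix."""
    if event_name.startswith(DELETE_PREFIXES):
        return "delete"
    if event_name.startswith(CREATE_PREFIXES):
        return "create"
    return "other"


def hunt_delete_then_create(events, window=timedelta(minutes=10), min_deletes=2, min_creates=2):
    """Return one finding per principal whose deletions are followed by creations inside `window`."""
    per_principal = defaultdict(list)
    for e in events:
        kind = classify(e["event_name"])
        if kind != "other":
            per_principal[e["principal"]].append(
                (datetime.fromisoformat(e["ts"]), kind, e["event_name"]))

    findings = []
    for principal, seq in per_principal.items():
        seq.sort()
        for i, (t0, kind, _) in enumerate(seq):
            if kind != "delete":
                continue
            # Everything this principal did within `window` of this deletion.
            burst = [x for x in seq[i:] if x[0] - t0 <= window]
            deletes = [name for _, k, name in burst if k == "delete"]
            creates = [name for _, k, name in burst if k == "create"]
            if len(deletes) >= min_deletes and len(creates) >= min_creates:
                findings.append({
                    "principal": principal,
                    "window_start": t0.isoformat(),
                    "deletes": deletes,
                    "creates": creates,
                    "logging_tampered": any(n in LOGGING_EVENTS for n in deletes),
                })
                break  # first qualifying burst is enough; IR pulls the full timeline
    return findings


if __name__ == "__main__":
    for f in hunt_delete_then_create(SAMPLE_EVENTS):
        flag = " [LOGGING TAMPERED]" if f["logging_tampered"] else ""
        print(f"{f['principal']} at {f['window_start']}: "
              f"{len(f['deletes'])} deletes then {len(f['creates'])} creates{flag}")
```

Note that `ops-cleanup` deleting two snapshots and `ci-deployer` creating a bucket are each normal on their own; only the combination from one principal inside a tight window fires, which is why this stays useful while bulk "delete" or "create" counts alone drown in noise.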

EDR Tampering and Bring-Your-Own-Driver Abuse

Why It Still Works

Endpoint Detection and Response tools are way better than the AV engines of yesteryear, but they’re still software installed on the box an attacker just captured. In 2025, the popular move is to sideload a vulnerable or expired driver, gain kernel-level privileges, and either blind the EDR agent or trick it into failing gracefully. Because the driver carries a valid signature, many operating systems load it without protest.

What Defenders Can Do

  • Enable Kernel Mode Code Signing (KMCI) or its Linux equivalent to block drivers not present in an approved hash list.

  • Keep velocity metrics on EDR service restarts; repeated stops followed by a driver install are a red flag.

  • Cross-check known vulnerable driver hashes against the global “Blocklist Project” or your own curated deny list; automation here saves hours of reverse-engineering toil.
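The second and third bullets combine into one correlation rule. The following is an added example, not code from the article: for each driver load on a host it counts EDR service stops in the preceding minutes, and separately checks the driver's hash against a deny list. The events, the EDR service names and the deny-list hashes are all constructed placeholders; in production the deny list would be populated from Microsoft's vulnerable-driver blocklist or your own curated list, and the events assume System log service-state messages (Event ID 7036) and Sysmon Event ID 6 (driver loaded) have been normalised to the shapes shown.

```python
"""Correlate repeated EDR service stops with a following driver load, and check the
driver hash against a vulnerable-driver deny list.

Added example, not code from the article. Events are constructed and assume System
log service-state messages (Event ID 7036) and Sysmon Event ID 6 (driver loaded)
have been normalised to the dict shapes below. The deny-list hashes and the EDR
service names are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EDR_SERVICES = {"EdrAgentSvc"}  # placeholder: put your EDR's real service names here

# Placeholder deny list keyed by SHA-256; these are NOT real vulnerable-driver hashes.
DRIVER_DENYLIST = {
    "a" * 64: "placeholder-vulnerable-driver-A",
    "b" * 64: "placeholder-vulnerable-driver-B",
}

# Constructed sample. FIN-WS-03 sees three EDR stops in two minutes, then a signed
# driver loads from a temp directory. IT-ADMIN-01 has one stop during patching and
# a benign driver load half an hour later.
SAMPLE_EVENTS = [
    {"ts": "2025-03-06T22:01:00", "host": "FIN-WS-03", "type": "service_stop", "service": "EdrAgentSvc"},
    {"ts": "2025-03-06T22:01:20", "host": "FIN-WS-03", "type": "service_stop", "service": "EdrAgentSvc"},
    {"ts": "2025-03-06T22:02:05", "host": "FIN-WS-03", "type": "service_stop", "service": "EdrAgentSvc"},
    {"ts": "2025-03-06T22:03:10", "host": "FIN-WS-03", "type": "driver_load",
     "image": "C:\\Windows\\Temp\\helper.sys", "sha256": "a" * 64, "signed": True},
    {"ts": "2025-03-06T08:00:00", "host": "IT-ADMIN-01", "type": "service_stop", "service": "EdrAgentSvc"},
    {"ts": "2025-03-06T08:30:00", "host": "IT-ADMIN-01", "type": "driver_load",
     "image": "C:\\Windows\\System32\\drivers\\ok.sys", "sha256": "c" * 64, "signed": True},
]


def check_driver_hash(load_event, denylist=DRIVER_DENYLIST):
    """Return the deny-list label for this driver's hash, or None if it is not listed."""
    return denylist.get(load_event["sha256"].lower())


def detect_edr_tampering(events, stop_threshold=2, lookback=timedelta(minutes=10)):
    """Flag driver loads preceded by >= stop_threshold EDR stops within `lookback`,
    and any driver load whose hash is on the deny list. A valid signature is
    deliberately NOT treated as exonerating: the signed-but-vulnerable driver is the point."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)

    findings = []
    for host, evs in per_host.items():
        stops = sorted(datetime.fromisoformat(e["ts"]) for e in evs
                       if e["type"] == "service_stop" and e["service"] in EDR_SERVICES)
        for load in (e for e in evs if e["type"] == "driver_load"):
            t = datetime.fromisoformat(load["ts"])
            recent_stops = [s for s in stops if timedelta(0) <= t - s <= lookback]
            reasons = []
            if len(recent_stops) >= stop_threshold:
                reasons.append("edr_stops_before_load")
            denied = check_driver_hash(load)
            if denied:
                reasons.append("denylisted_hash")
            if reasons:
                findings.append({"host": host, "driver": load["image"], "signed": load["signed"],
                                 "edr_stops": len(recent_stops), "denylist_match": denied,
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_edr_tampering(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['driver']} (signed={f['signed']}) "
              f"after {f['edr_stops']} EDR stops; {', '.join(f['reasons'])}")
```

The deny-list lookup is cheap enough to run on every driver-load event regardless of the stop count, which is what the bullet above means by automation saving reverse-engineering time: a hash hit is a decision, not an investigation.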

Adversary-in-the-Middle (AitM) Phishing Against Modern MFA

Why It Still Works

Push-based and OTP-based MFA mechanisms have eroded credential-only phishing, but adversary-in-the-middle toolkits (think evilginx and friends) bypass those by proxying the session and snagging the resulting session cookie. In 2025, the twist is the integration of real-time vision APIs that flag a failed captcha or mis-rendered branding, letting the attacker tweak the phishing page on the fly for higher conversion rates.

What Defenders Can Do

  • Graduate from “basic MFA” to phishing-resistant authentication such as FIDO2 security keys or passkeys.

  • Deploy Conditional Access policies that bind the session cookie to device posture and user risk, not just IP.

  • Run an internal “red rag” program: phish your own workforce with AitM kits and provide just-in-time micro-training—five minutes after the click, not five months later.

SaaS-to-SaaS Lateral Movement

Why It Still Works

The average enterprise now runs north of 100 sanctioned SaaS apps, many connected through OAuth grants that fly under the radar of the traditional SOC. Attackers compromise a low-value marketing tool, hop into the CRM via over-permissive scopes, and finally reach the financial data warehouse. Because each hop is “API-legit,” network-centric defenses never bark.

What Defenders Can Do

  • Inventory every OAuth grant, then enforce least privilege on scopes (“read-only CRM data” beats “full access” every day).

  • Route SaaS audit logs (yes, even the clunky CSV exports) into the same analytics stack as endpoint and cloud telemetry. Unified visibility is the only way to follow API-native hops.

  • Consider adding an SSPM (SaaS Security Posture Management) layer that auto-revokes dormant OAuth grants after, say, 30 days of inactivity.
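The three bullets above describe one review loop: inventory the grants, compare each grant's scopes with what the app actually needs, and revoke whatever has gone quiet. The following is an added example, not code from the article or from any SSPM product: it applies that loop to an export of OAuth grants. The grant records, scope names and the per-app "scopes actually needed" table are constructed assumptions standing in for whatever your identity provider exports.

```python
"""Review SaaS OAuth grants for over-permissive scopes and dormancy.

Added example, not code from the article. Grant records are constructed; scope
names and the per-app "scopes actually needed" table are assumptions standing
in for your identity provider's or SSPM tool's export.
"""
from datetime import datetime, timedelta

DORMANCY_LIMIT = timedelta(days=30)  # the article's suggested 30 days of inactivity

# Assumed least-privilege profile per integration: the scopes each app really needs.
NEEDED_SCOPES = {
    "marketing-mailer": {"crm.contacts.read"},
    "ci-bot": {"repo.read", "repo.status.write"},
    "finance-sync": {"warehouse.read"},
}

# Constructed grant export. Scopes are sets; last_used is UTC ISO-8601.
SAMPLE_GRANTS = [
    {"app": "marketing-mailer", "principal": "svc-mkt@corp.example",
     "scopes": {"crm.contacts.read", "crm.contacts.write", "crm.admin"},
     "last_used": "2025-03-05T12:00:00"},
    {"app": "ci-bot", "principal": "ci@corp.example",
     "scopes": {"repo.read", "repo.status.write"},
     "last_used": "2025-03-09T08:00:00"},
    {"app": "finance-sync", "principal": "svc-fin@corp.example",
     "scopes": {"warehouse.read"},
     "last_used": "2025-01-15T09:30:00"},
    {"app": "old-survey-tool", "principal": "jdoe@corp.example",
     "scopes": {"directory.read"},
     "last_used": "2024-12-01T10:00:00"},
]


def review_grant(grant, now, needed_scopes=NEEDED_SCOPES, dormancy=DORMANCY_LIMIT):
    """Return the grant's review record; 'actions' is empty when nothing needs doing."""
    actions = []
    needed = needed_scopes.get(grant["app"])
    excess = set()
    if needed is None:
        # Nobody has written down what this app needs, so it cannot be least-privileged yet.
        actions.append("unknown_app_review")
    else:
        excess = grant["scopes"] - needed
        if excess:
            actions.append("reduce_scopes")
    idle = now - datetime.fromisoformat(grant["last_used"])
    if idle > dormancy:
        actions.append("revoke_dormant")
    return {"app": grant["app"], "principal": grant["principal"],
            "excess_scopes": sorted(excess), "idle_days": idle.days, "actions": actions}


def review_grants(grants, now):
    """Review every grant and keep only those that need an action."""
    return [r for r in (review_grant(g, now) for g in grants) if r["actions"]]


if __name__ == "__main__":
    review_time = datetime(2025, 3, 10)  # fixed "now" so the example is reproducible
    for r in review_grants(SAMPLE_GRANTS, review_time):
        print(f"{r['app']} ({r['principal']}): {', '.join(r['actions'])}; "
              f"idle {r['idle_days']}d; excess scopes {r['excess_scopes']}")
```

The `unknown_app_review` outcome is the one that matters most in practice: an app with no documented needed-scope set is exactly the kind of low-value tool the section above describes as the first hop, and it cannot be scoped down until someone owns it.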

Pulling It All Together

If you see a common thread, it’s this: attackers thrive on gaps—between cloud and on-prem, between identity stores, between security teams and IT operations. None of the tactics above are brand-new, yet they still rake in ransomware payouts and fuel data-breach headlines because organizations patch technology faster than they patch process.

Three closing thoughts to keep your footing in 2025:

  • Time matters more than tech. A 30-second automated containment beats a 30-minute manual investigation, even if your threat intel feed is Nobel-Prize-worthy.

  • Telemetry without context is noise. Make sure every log source funnels into the same place and that your analytics layer understands identity, not just IP addresses.

  • Security fatigue is real. Automate the boring stuff—certificate rotation, driver allow-listing, token lifespan enforcement—so your humans can focus on hunting and strategy.

The attackers aren’t standing still, but they’re not magicians either. Learn their enduring tricks, close the age-old gaps, and you’ll make “everything old” feel genuinely old—at least on your network.

Nate Nead

Nate Nead is a technology entrepreneur and the CEO of Nead, LLC, where he leads multiple digital ventures spanning software development, AI, and cybersecurity. With over a decade of experience in building and scaling online platforms, Nate brings a practical, business-focused perspective to cybersecurity challenges. He is particularly interested in the intersection of data security, enterprise risk, and emerging technologies like AI and blockchain. On SEC.co, Nate writes about threat intelligence, cyber risk management, and how businesses can stay ahead of evolving digital threats. When he’s not working on tech solutions, Nate enjoys mountain biking in Bentonville, Arkansas, where he lives with his wife and four kids.