Attacker’s Playbook After Login (Part 2 of 5)

Modern attackers understand that the most effective way to avoid detection is to act like everyone else. Once they’ve slipped past the front door using a valid credential or hijacked session, they don’t deploy malware or launch loud exploits. They use the tools already available to them—and they use them well.

This tactic, known as "living off the land," has become the hallmark of identity-based attacks. It's how adversaries quietly explore, escalate, and exfiltrate without setting off alarms. And in most environments, it works and is extremely hard to detect.

How It Works

Once authenticated, an attacker typically follows a playbook that includes:

• Enumerating access and permissions to discover where they can go.
• Using built-in tools like PowerShell, WMI, and RDP to move laterally.
• Blending in with normal behavior to avoid triggering any EDR rules.
• Escalating privileges, often by exploiting misconfigurations in identity or endpoint policies.
• Accessing and exfiltrating data using authorized channels.

In this mode, the attacker doesn’t look like a threat. They look like a user. A trusted employee. A service account doing its job. That’s a big problem.

Why EDR Isn’t Enough

EDR excels at catching known indicators of compromise: malicious binaries, code injections, lateral movement using unknown tools. But when everything an attacker does looks legitimate, the signal gets lost in the noise.

An attacker using RDP or accessing cloud storage with a valid token won’t always trigger alerts. Even when anomalies are flagged, they may be deprioritized or ignored without the context of how access was initially gained.

Worse, if the attacker never deploys malware, there's little for traditional detection systems to analyze.

Time Is the Attacker's Advantage

The longer the attacker is in the environment, the more damage they can do:

• Escalate from user to admin
• Explore internal systems and databases
• Discover unprotected secrets and credentials
• Move laterally into production or crown-jewel systems

All of this can happen under the radar, especially if identity systems are blind post-login and endpoint tools are siloed, overburdened, or inducing alert fatigue on security teams.

Bridging the Gap

This is why the gap between identity and endpoint becomes a critical security risk. Identity systems don’t see what’s happening after login. EDR systems don’t always know whether the identity they’re monitoring is legitimate. And unfortunately, cybercriminals have realized this and now prioritize identity-based attacks. 

Without shared context, both systems are working with partial information. And attackers thrive in that blind spot.

What's Next

In the next article, we’ll explore how EDR vendors are adapting by moving up the stack into identity territory. We’ll look at the rise of ITDR (Identity Threat Detection and Response) and why the endpoint market is increasingly incorporating identity context into its detection strategy.

------------

This the 2nd article in a 5-part series.

Read: Part 1 | Part 2 | Part 3 | Part 4 | Part 5