| BloodHound CE / SharpHound enumeration | T1482 | CWE-732 | references/bloodhound-enum-lateral.md | scripts/ad_recon.py |
| Password spray / PtH / PtT lateral movement | T1550.002, T1550.003 | CWE-522 | references/bloodhound-enum-lateral.md | scripts/ad_recon.py |
| LAPS / gMSA password read | T1003 | CWE-522 | references/bloodhound-enum-lateral.md | scripts/ad_recon.py |
| Kerberoasting | T1558.003 | CWE-261 | references/kerberos-roasting-delegation.md | scripts/kerberoast_audit.py |
| AS-REP roasting | T1558.004 | CWE-308 | references/kerberos-roasting-delegation.md | scripts/kerberoast_audit.py |
| Resource-Based Constrained Delegation (RBCD) | T1558, T1098 | CWE-269 | references/kerberos-roasting-delegation.md | scripts/rbcd_takeover.py |
| Constrained/Unconstrained delegation (S4U) | T1558 | CWE-269 | references/kerberos-roasting-delegation.md | scripts/rbcd_takeover.py |
| Coercion (PetitPotam/DFSCoerce/PrinterBug/WebDAV) | T1187 | CWE-294 | references/coercion-relay.md | scripts/coerce_relay_chain.sh |
| NTLM relay (SMB/LDAP/ADCS) | T1557.001 | CWE-294 | references/coercion-relay.md | scripts/coerce_relay_chain.sh |
| NTLM reflection (CVE-2025-33073) | T1187, T1557.001 | CWE-294 | references/coercion-relay.md | scripts/coerce_relay_chain.sh |
| Kerberos relay / DNS CNAME (CVE-2026-20929) | T1557 | CWE-294 | references/coercion-relay.md | scripts/coerce_relay_chain.sh |
| ADCS ESC1 (SAN) / ESC15 EKUwu (CVE-2024-49019) | T1649 | CWE-295 | references/adcs-abuse.md | scripts/adcs_esc_finder.py |
| ADCS ESC8 relay / ESC16 CA-wide override | T1649, T1557.001 | CWE-295 | references/adcs-abuse.md | scripts/adcs_esc_finder.py |
| Golden / Silver / Diamond / Sapphire ticket | T1558.001, T1558.002 | CWE-345 | references/ticket-forgery-dcsync.md | - |
| DCSync (DRSUAPI replication) | T1003.006 | CWE-269 | references/ticket-forgery-dcsync.md | - |
| noPac / sAMAccountName spoofing (CVE-2021-42278/87) | T1558 | CWE-287 | references/ticket-forgery-dcsync.md | - |
| dMSA BadSuccessor (CVE-2025-53779) | T1098, T1558 | CWE-269 | references/dmsa-badsuccessor.md | scripts/Get-BadSuccessorOUPermissions.ps1 |