| AWS IAM privesc (CreatePolicyVersion, PassRole, AttachPolicy) | T1098.001 | CWE-269 | references/aws-iam-privesc.md | scripts/aws_privesc_enum.py |
AWS sts:AssumeRoot member-account escalation | T1078.004 | CWE-269 | references/aws-iam-privesc.md | scripts/aws_privesc_enum.py |
| Cross-account confused deputy / missing ExternalId | T1078.004 | CWE-441 | references/aws-iam-privesc.md | scripts/oidc_trust_auditor.py |
| IMDS / metadata SSRF credential theft (AWS/Azure/GCP) | T1552.005 | CWE-918 | references/imds-metadata-ssrf.md | scripts/imds_harvester.py |
| EKS node creds → IRSA / Pod Identity pivot | T1552.007 | CWE-668 | references/imds-metadata-ssrf.md | scripts/imds_harvester.py |
| Entra device-code phishing → PRT / device join | T1528 | CWE-287 | references/azure-entra-attacks.md | scripts/entra_device_code_phish.py |
| FOCI refresh-token family abuse | T1550.001 | CWE-613 | references/azure-entra-attacks.md | scripts/entra_device_code_phish.py |
| Azure Managed Identity / App-Admin → SP escalation | T1098.001 | CWE-269 | references/azure-entra-attacks.md | scripts/imds_harvester.py |
GCP actAs + resource create impersonation chain | T1078.004 | CWE-269 | references/gcp-attacks.md | scripts/gcp_impersonation_mapper.py |
GCP serviceAccountTokenCreator token chains | T1528 | CWE-269 | references/gcp-attacks.md | scripts/gcp_impersonation_mapper.py |
| Vertex AI P4SA / Ray head-node escalation | T1078.004 | CWE-732 | references/gcp-attacks.md | scripts/gcp_impersonation_mapper.py |
| Container escape (runc Leaky Vessels CVE-2024-21626) | T1611 | CWE-668 | references/kubernetes-container-escape.md | - |
| IngressNightmare (CVE-2025-1974) cluster takeover | T1190 | CWE-94 | references/kubernetes-container-escape.md | scripts/k8s_can_i_abuse.py |
| K8s RBAC privesc (pods/exec, token mount, node proxy) | T1078 | CWE-269 | references/kubernetes-container-escape.md | scripts/k8s_can_i_abuse.py |
| Terraform state secret extraction | T1552.001 | CWE-312 | references/iac-secrets-ci-cd.md | scripts/oidc_trust_auditor.py |
| OIDC federation trust-policy abuse (GitHub/TF Cloud) | T1199 | CWE-441 | references/iac-secrets-ci-cd.md | scripts/oidc_trust_auditor.py |