| LLMNR/NBT-NS/mDNS poisoning (Responder) | T1557.001 | CWE-300 | references/l2-attacks.md | scripts/responder_loot_parser.py |
| ARP spoofing MitM | T1557.002 | CWE-300 | references/l2-attacks.md | scripts/bettercap_mitm.sh |
| DHCP starvation / rogue DHCP | T1557.003 | CWE-300 | references/l2-attacks.md | - |
| IPv6 takeover (mitm6 DHCPv6/DNS → relay) | T1557.001 | CWE-300 | references/l2-attacks.md | scripts/mitm6_relay_launcher.sh |
| STP root hijack / VLAN hopping (DTP, 802.1Q) | T1599 | CWE-284 | references/l2-attacks.md | scripts/vlan_hop.py |
| Coercion (PetitPotam/PrinterBug/DFSCoerce/WebDAV) | T1187 | CWE-294 | references/coercion-relay-network.md | scripts/relay_target_finder.py |
| NTLM relay (SMB/MSSQL/WinRM) | T1557.001 | CWE-294 | references/coercion-relay-network.md | scripts/relay_target_finder.py |
| NTLM reflection → SYSTEM (CVE-2025-33073) | T1187, T1557.001 | CWE-287 | references/coercion-relay-network.md | scripts/relay_target_finder.py |
| TUN pivoting (Ligolo-ng autoroute/multiplayer) | T1090.001 | CWE-923 | references/pivoting-tunneling.md | scripts/pivot_autoroute.sh |
| HTTP-SOCKS tunnel (Chisel) / SSH pivot | T1090.001, T1572 | CWE-923 | references/pivoting-tunneling.md | scripts/pivot_autoroute.sh |
| DNS tunneling (iodine/dnscat2) | T1071.004, T1572 | CWE-923 | references/pivoting-tunneling.md | - |
| Traffic interception / sslstrip / DNS spoof | T1557, T1040 | CWE-319 | references/mitm-interception.md | scripts/bettercap_mitm.sh |
| RDP/SSH/STARTTLS MitM & downgrade | T1557, T1185 | CWE-300 | references/mitm-interception.md | scripts/bettercap_mitm.sh |
| MadLicense RDL RCE (CVE-2024-38077) | T1210 | CWE-122 | references/protocol-rce.md | scripts/net_service_scan.py |
| NEGOEX wormable RCE (CVE-2025-47981) | T1210 | CWE-122 | references/protocol-rce.md | scripts/net_service_scan.py |
| RMCAST RCE (CVE-2025-21307) / RDS (CVE-2025-24035/45) | T1210 | CWE-787 | references/protocol-rce.md | scripts/net_service_scan.py |
| SMB EternalBlue (MS17-010) legacy | T1210 | CWE-119 | references/protocol-rce.md | scripts/net_service_scan.py |
| MSSQL xp_cmdshell / link crawl, WinRM, LDAP passback | T1210, T1021.006 | CWE-89 | references/protocol-rce.md | scripts/net_service_scan.py |
| WPA2 handshake/PMKID crack | T1110 | CWE-326 | references/wireless-attacks.md | scripts/wifi_attack.sh |
| WPA3-Transition downgrade (Dragonblood) | T1557 | CWE-757 | references/wireless-attacks.md | scripts/wifi_attack.sh |
| Evil-twin WPA-Enterprise (802.1X) cred capture | T1556 | CWE-295 | references/wireless-attacks.md | scripts/wifi_attack.sh |