| Automated + manual enumeration (LinPEAS/pspy/LES2) | T1082, T1057 | CWE-200 | references/enumeration-tooling.md | scripts/linpriv_enum.py |
| Detection-aware / low-noise enumeration | T1082 | CWE-200 | references/enumeration-tooling.md | scripts/linpriv_enum.py |
| SUID/SGID binary abuse (GTFOBins) | T1548.001 | CWE-269 | references/suid-sudo-capabilities.md | scripts/cap_suid_hunter.sh |
| sudo misconfig + GTFOBins escape | T1548.003 | CWE-269 | references/suid-sudo-capabilities.md | scripts/cap_suid_hunter.sh |
| sudo host option LPE (CVE-2025-32462) | T1548.003 | CWE-863 | references/suid-sudo-capabilities.md | scripts/sudo_cve_2025_check.sh |
| sudo chroot/NSS LPE (CVE-2025-32463) | T1548.003 | CWE-829 | references/suid-sudo-capabilities.md | scripts/sudo_cve_2025_check.sh |
| Linux capabilities abuse (setuid/dac_read/sys_admin) | T1548 | CWE-250 | references/suid-sudo-capabilities.md | scripts/cap_suid_hunter.sh |
| LD_PRELOAD / LD_LIBRARY_PATH sudo hijack | T1574.006 | CWE-426 | references/suid-sudo-capabilities.md | scripts/cap_suid_hunter.sh |
| nf_tables double-free LPE (CVE-2024-1086) | T1068 | CWE-416 | references/kernel-exploits.md | scripts/kernel_exploit_suggester.py |
| io_uring memory-sharing LPE (CVE-2024-0582/2025-21836) | T1068 | CWE-416 | references/kernel-exploits.md | scripts/kernel_exploit_suggester.py |
| Dirty Pipe page-cache overwrite (CVE-2022-0847) | T1068 | CWE-787 | references/kernel-exploits.md | scripts/kernel_exploit_suggester.py |
| GameOver(lay) OverlayFS (CVE-2023-2640/32629) | T1068 | CWE-269 | references/kernel-exploits.md | scripts/kernel_exploit_suggester.py |
| udisks/libblockdev loop-mount LPE (CVE-2025-6019) | T1068 | CWE-250 | references/service-misconfig-lpe.md | scripts/linpriv_enum.py |
| PAM allow_active bypass (CVE-2025-6018) | T1068 | CWE-863 | references/service-misconfig-lpe.md | scripts/linpriv_enum.py |
| glibc ld.so Looney Tunables (CVE-2023-4911) | T1068 | CWE-787 | references/service-misconfig-lpe.md | scripts/kernel_exploit_suggester.py |
| polkit pkexec PwnKit (CVE-2021-4034) | T1548.001 | CWE-787 | references/service-misconfig-lpe.md | scripts/linpriv_enum.py |
| Cron/systemd/PATH/writable-file abuse | T1053.003, T1574.007 | CWE-732 | references/service-misconfig-lpe.md | scripts/linpriv_enum.py |
| NFS no_root_squash SUID drop | T1222.002 | CWE-732 | references/service-misconfig-lpe.md | scripts/linpriv_enum.py |
| runc fd-leak container escape (CVE-2024-21626) | T1611 | CWE-668 | references/container-namespace-escape.md | scripts/container_escape_check.sh |
| Docker socket / privileged container escape | T1611, T1610 | CWE-269 | references/container-namespace-escape.md | scripts/container_escape_check.sh |
| cgroup release_agent / CAP_SYS_ADMIN escape | T1611 | CWE-269 | references/container-namespace-escape.md | scripts/container_escape_check.sh |
| Kubernetes pod/token escape | T1611 | CWE-668 | references/container-namespace-escape.md | scripts/container_escape_check.sh |