| win32k / dxgkrnl UAF → kernel R/W → token steal | T1068 | CWE-416 | references/kernel-user-boundary.md | scripts/ioctl_fuzzer.py |
| Driver IOCTL abuse (METHOD_NEITHER arb-R/W) | T1068 | CWE-781 | references/kernel-user-boundary.md | scripts/ioctl_fuzzer.py |
| BYOVD load + MSR/LSTAR or phys R/W → SYSTEM | T1068, T1543.003 | CWE-1188 | references/byovd-kernel-rw.md | scripts/byovd_kernel_rw.c |
| BYOVD EDR-kill (callback nulling) | T1562.001, T1014 | CWE-1188 | references/byovd-kernel-rw.md | scripts/byovd_kernel_rw.c |
| UAC bypass — ICMLuaUtil elevated COM moniker | T1548.002 | CWE-269 | references/integrity-uac-com.md | scripts/uac_com_elevate.cpp |
| UAC bypass — fodhelper HKCU registry hijack | T1548.002, T1112 | CWE-269 | references/integrity-uac-com.md | scripts/uac_com_elevate.cpp |
| AppContainer/LPAC broker abuse / cap over-grant | T1211 | CWE-668 | references/sandbox-appcontainer-escape.md | scripts/sandbox_escape_probe.py |
| Chromium/Edge Mojo IPC sandbox escape | T1211 | CWE-501 | references/sandbox-appcontainer-escape.md | scripts/sandbox_escape_probe.py |
| Named-object / symbolic-link squatting | T1211 | CWE-59 | references/sandbox-appcontainer-escape.md | scripts/sandbox_escape_probe.py |
| PPL bypass — BYOVDLL (old signed DLL into PPL) | T1003.001, T1211 | CWE-426 | references/ppl-protected-process.md | scripts/ppl_byovdll.c |
| PPL bypass — live-dump / WER / Protection-clear | T1003.001, T1562.001 | CWE-269 | references/ppl-protected-process.md | scripts/byovd_kernel_rw.c |
| RPC server spoof / endpoint squat (PhantomRPC) | T1559, T1134.001 | CWE-287 | references/rpc-alpc-boundary.md | scripts/named_pipe_impersonate.c |
| Named-pipe client impersonation (Potato family) | T1134.002, T1134.001 | CWE-294 | references/rpc-alpc-boundary.md | scripts/named_pipe_impersonate.c |
| Host boundary posture enumeration | T1082 | CWE-693 | (all) | scripts/enum_boundaries.ps1 |