| ASLR/HEASLR defeat (info leak, partial overwrite, non-ASLR module) | T1211 | CWE-330 | references/memory-safety-mitigations.md | scripts/find_nonaslr_modules.py |
| DEP/NX bypass (ROP→VirtualProtect, ret2libc) | T1211 | CWE-119 | references/memory-safety-mitigations.md | scripts/cfg_dispatch_gadget_finder.py |
| CFG/XFG bypass (valid-target dispatch gadget, type-hash collision) | T1211 | CWE-1240 | references/memory-safety-mitigations.md | scripts/cfg_dispatch_gadget_finder.py |
| CET shadow stack / IBT evasion (non-CET process, JOP, exception unwind) | T1211 | CWE-1419 | references/memory-safety-mitigations.md | scripts/Get-ProcessMitigationMap.ps1 |
| ACG/CIG bypass (signed-code reuse, JIT exemption, cross-process) | T1211, T1055 | CWE-94 | references/acg-cig-dynamic-code.md | scripts/Get-ProcessMitigationMap.ps1 |
| WDAC / App Control bypass (LOLBin, signed Electron/V8, sideload) | T1218 | CWE-693 | references/wdac-app-control-bypass.md | scripts/mitigation_recon.ps1 |
| ASR rule bypass (excluded path/process hollow, COM, syscalls) | T1562.001 | CWE-693 | references/asr-amsi-etw-blinding.md | scripts/extract_asr_exclusions.py |
| AMSI bypass (amsiInitFailed, AmsiScanBuffer patch, hardware bp) | T1562.001 | CWE-693 | references/asr-amsi-etw-blinding.md | scripts/mitigation_recon.ps1 |
| ETW blinding (EtwEventWrite patch, provider disable, NtTraceControl) | T1562.006 | CWE-778 | references/asr-amsi-etw-blinding.md | scripts/mitigation_recon.ps1 |
| PPL / LSA Protection bypass (PPLmedic userland chain, BYOVD) | T1003.001, T1562.001 | CWE-269 | references/ppl-lsa-protection.md | scripts/Get-ProcessMitigationMap.ps1 |
| BYOVD kernel R/W (unblocked driver, EPROCESS.Protection wipe) | T1068, T1562.001 | CWE-822 | references/byovd-vbs-hvci.md | scripts/check_driver_blocklist.py |
| VBS/HVCI/Credential Guard evasion (blocklist evasion, data-only) | T1068, T1562.001 | CWE-693 | references/byovd-vbs-hvci.md | scripts/check_driver_blocklist.py |