Using user-mode APC functions to execute code in remote processes.
Offensive PowerShell
Using GetDelegateForFunctionPointer to execute Win32 APIs from memory in PowerShell.
Active Directory Schema Modification
Changing default security descriptor properties to escalate from a child to parent domain.