| BH12163 | Changes settings that enable remote users to run commands on the local computer. | uncommon |
| BH12253 | Disables Office's macro virus protection capabilities. | anomalous important uncommon |
| BH12281 | Disables the Network Inspection service (NIS). | anomalous |
| BH12296 | Disables the Windows Event Log service. | anomalous |
| BH12297 | Disables the Windows Firewall service. | anomalous |
| BH12302 | Disables the Windows Update service. | anomalous uncommon |
| BH12303 | Disables Windows Patchguard. | anomalous |
| BH12425 | Modifies handler for F11 function key, used to access the macro editor. | anomalous |
| BH12426 | Modifies handler for F8 function key, used to open the macro dialog box. | anomalous |
| BH12462 | Overwrites free space and prevents file recovery. | anomalous |
| BH12469 | Prevents the user from aborting the batch execution. | anomalous |
| BH12574 | Starts a PowerShell session with execution policy set to 'bypass'. | uncommon |
| BH12619 | Tampers with debugger. | uncommon |
| BH12805 | Detects presence of debuggers. | |
| BH12813 | Uses JavaScript debugger. | anomalous |
| BH12814 | Uses ping utility to delay the execution of the application, commonly used as an anti-emulation and anti-tracing technique. | uncommon anomalous |
| BH12816 | Uses VBA anti-emulation techniques. | anomalous uncommon |
| BH13260 | Uses debugging methods. | uncommon |
| BH13549 | Might start profiling. | |
| BH14101 | Attempts to evade UAC by abusing AppInfo command line parser. | anomalous important |
| BH14102 | Attempts to evade UAC by abusing COM entry hijack. | anomalous important |
| BH14103 | Attempts to evade UAC by abusing GetLongPathNameW behavior in Application Information Service. | anomalous important |
| BH14104 | Attempts to evade UAC by combining NTFS reparse point and DLL hijack UAC bypass. | anomalous important |
| BH14105 | Attempts to evade UAC by controlling App Path registry key data. | anomalous important |
| BH14106 | Attempts to evade UAC by DLL hijack of SystemProperties commands. | anomalous important |
| BH14107 | Attempts to evade UAC by hijacking mscfile shell command. | anomalous important |
| BH14108 | Attempts to evade UAC by manipulating current user environment variables. | anomalous important |
| BH14109 | Attempts to evade UAC by obtaining the token of an auto-elevated process. | anomalous important uncommon |
| BH14110 | Attempts to evade UAC by overwriting ms-settings shell command. | anomalous important |
| BH14111 | Attempts to evade UAC by reusing token from UIAccess application. | anomalous important |
| BH14112 | Attempts to evade UAC by tricking Clean Manager. | anomalous important |
| BH14113 | Attempts to evade UAC by using AccessibilityCplAdmin elevated launch. | anomalous important |
| BH14114 | Attempts to evade UAC by using BitlockerWizardElev race condition. | anomalous important |
| BH14115 | Attempts to evade UAC by using a Cerber-style UAC bypass. | anomalous important |
| BH14116 | Attempts to evade UAC by using CMLuaUtil interface. | anomalous important |
| BH14117 | Attempts to evade UAC by using ColorDataProxy/CCMLuaUtil undocumented COM interfaces. | anomalous important |
| BH14118 | Attempts to evade UAC by using COM handlers hijacking. | anomalous important |
| BH14119 | Attempts to evade UAC by using COR profiler. | anomalous important |
| BH14120 | Attempts to evade UAC by using CreateNewLink autoelevated interface. | anomalous important |
| BH14121 | Attempts to evade UAC by using DiskCleanup environment variable. | anomalous important |
| BH14122 | Attempts to evade UAC by using EditionUpgradeManager autoelevated interface. | anomalous important |
| BH14123 | Attempts to evade UAC by using FwCplLua undocumented COM interface. | anomalous important |
| BH14124 | Attempts to evade UAC by using IDateTimeStateWriter COM interface. | anomalous important |
| BH14125 | Attempts to evade UAC by using IsolatedCommand UAC bypass. | anomalous important |
| BH14126 | Attempts to evade UAC by using Microsoft Management Console via ALPC. | anomalous important |
| BH14127 | Attempts to evade UAC by using self-defined SystemRoot environment. | anomalous important |
| BH14128 | Attempts to evade UAC by using SLUI elevated launch. | anomalous important |
| BH14129 | Attempts to evade UAC by using SPPLUAObject COM interface. | anomalous important |
| BH14130 | Attempts to evade UAC by using uiAccess UAC bypass. | anomalous important |
| BH14131 | Attempts to evade UAC by using undocumented IARPUninstallStringLauncher interface. | anomalous important |
| BH14132 | Attempts to evade UAC by using whitelisted InfDefaultInstall interface. | anomalous important |
| BH14133 | Attempts to evade UAC by using WOW64 logger DLL. | anomalous important |
| BH14134 | Attempts to evade UAC using AppInfo AutoApproveEXEList UAC bypass. | anomalous important |
| BH14135 | Attempts to evade UAC using AppInfo Manifest UAC bypass. | anomalous important |
| BH14136 | Attempts to evade UAC using AppInfo whitelisting model UAC bypass. | anomalous important |
| BH14137 | Attempts to evade UAC using Application Verifier UAC bypass. | anomalous important |
| BH14138 | Attempts to evade UAC using AutoElevate UAC bypass. | anomalous important |
| BH14139 | Attempts to evade UAC using Deployment Image Servicing and Management UAC bypass. | anomalous important |
| BH14140 | Attempts to evade UAC using generic autoelevation UAC bypass. | anomalous important |
| BH14141 | Attempts to evade UAC using "Get Windows" marketing package UAC bypass. | anomalous important |
| BH14142 | Attempts to evade UAC using IIS InetMgr UAC bypass. | anomalous important |
| BH14143 | Attempts to evade UAC using Microsoft Management Console UAC bypass. | anomalous important |
| BH14144 | Attempts to evade UAC using OOBE AppInfo whitelisting UAC bypass. | anomalous important |
| BH14145 | Attempts to evade UAC using shim patching UAC bypass. | anomalous important |
| BH14146 | Attempts to evade UAC using shim RedirectEXE UAC bypass. | anomalous important |
| BH14147 | Attempts to evade UAC using Simda UAC bypass. | anomalous important |
| BH14148 | Attempts to evade UAC using SXS Local Redirect UAC bypass. | anomalous important |
| BH14149 | Attempts to evade UAC using Wusa Cabinet UAC bypass. | anomalous important |
| BH15185 | The file contains push-obfuscated API strings. | uncommon |
| BH15283 | Uses hex-obfuscated module import directive. | uncommon anomalous important |
| BH15286 | Uses hex-obfuscated import directive of external modules. | uncommon anomalous |
| BH15356 | Contains an uninterrupted sequence of Unicode-escaped characters. | |
| BH15357 | Contains Unicode-escaped characters that are otherwise printable. | |
| BH16101 | Contains potentially deceptive links. | uncommon |
| BH18101 | Detects Ad-Aware related security products. | uncommon anomalous |
| BH18102 | Detects Agnitum related security products. | uncommon anomalous |
| BH18103 | Detects AhnLab related security products. | anomalous uncommon |
| BH18104 | Detects Anubis sandbox related virtualized environments. | uncommon |
| BH18105 | Detects Avast related security products. | uncommon anomalous |
| BH18106 | Detects AVG related security products. | uncommon anomalous |
| BH18107 | Detects Avira related security products. | uncommon anomalous |
| BH18108 | Detects BitDefender related security products. | uncommon anomalous |
| BH18109 | Detects Bochs emulator related virtualized environments. | anomalous uncommon |
| BH18110 | Detects CA related security products. | uncommon anomalous |
| BH18111 | Detects CheckPoint related security products. | anomalous |
| BH18113 | Detects common security products, firewalls or anti-virus solutions. | uncommon |
| BH18114 | Detects Comodo related security products. | uncommon anomalous |
| BH18115 | Detects Cuckoo sandbox related virtualized environments. | anomalous |
| BH18116 | Detects CW sandbox related virtualized environments. | anomalous |
| BH18117 | Detects ESET related security products. | uncommon anomalous |
| BH18118 | Detects F-Secure related security products. | uncommon |
| BH18119 | Detects Fortinet related security products. | anomalous |
| BH18120 | Detects Fortinet sandbox related virtualized environments. | anomalous |
| BH18121 | Detects G Data related security products. | uncommon anomalous |
| BH18122 | Detects generic virtualized environments. | uncommon |
| BH18124 | Detects installed security products using WMI. | uncommon anomalous |
| BH18125 | Detects JoeBox sandbox related virtualized environments. | anomalous uncommon |
| BH18126 | Detects K7 Computing related security products. | uncommon anomalous |
| BH18127 | Detects Kaspersky related security products. | important uncommon |
| BH18128 | Detects Kingsoft related security products. | uncommon anomalous |
| BH18129 | Detects KVM related virtualized environments. | uncommon |
| BH18130 | Detects McAfee related security products. | uncommon anomalous |
| BH18131 | Detects Microsoft Hyper-V related virtualized environments. | uncommon |
| BH18132 | Detects Microsoft related security products. | uncommon anomalous |
| BH18133 | Detects Microsoft VirtualPC related virtualized environments. | uncommon anomalous |
| BH18134 | Detects Norman related security products. | uncommon anomalous |
| BH18135 | Detects Panda related security products. | uncommon anomalous |
| BH18136 | Detects Parallels related virtualized environments. | uncommon anomalous |
| BH18137 | Detects PCTools related security products. | uncommon anomalous |
| BH18138 | Detects QEMU related virtualized environments. | uncommon anomalous |
| BH18139 | Detects QuickHeal related security products. | anomalous |
| BH18140 | Detects Rising related security products. | uncommon anomalous |
| BH18142 | Detects Sandboxie sandbox related virtualized environments. | uncommon anomalous |
| BH18143 | Detects Sophos related security products. | uncommon anomalous |
| BH18144 | Detects Sunbelt related security products. | anomalous |
| BH18145 | Detects SunBelt sandbox related virtualized environments. | uncommon anomalous |
| BH18146 | Detects Sygate related security products. | anomalous |
| BH18147 | Detects Symantec related security products. | uncommon anomalous |
| BH18148 | Detects TrendMicro related security products. | uncommon |
| BH18149 | Detects VirtualBox related virtualized environments. | uncommon |
| BH18150 | Detects VMWare related virtualized environments. | uncommon |
| BH18151 | Detects Webroot related security products. | uncommon anomalous |
| BH18152 | Detects Wine related virtualized environments. | uncommon anomalous |
| BH18153 | Detects Xen related virtualized environments. | uncommon |
| BH18154 | Detects ZoneLabs related security products. | uncommon anomalous |
| BH18155 | Disables services related to Ad-Aware security products. | anomalous important uncommon |
| BH18156 | Disables services related to Agnitum security products. | anomalous uncommon |
| BH18157 | Disables services related to AhnLab security products. | anomalous important uncommon |
| BH18158 | Disables services related to Avast security products. | important uncommon anomalous |
| BH18159 | Disables services related to AVG security products. | important uncommon anomalous |
| BH18160 | Disables services related to Avira security products. | important uncommon anomalous |
| BH18161 | Disables services related to BitDefender security products. | important uncommon anomalous |
| BH18162 | Disables services related to CA security products. | anomalous important uncommon |
| BH18163 | Disables services related to ClamAV security products. | anomalous important uncommon |
| BH18164 | Disables services related to common security products, firewalls or anti-virus solutions. | uncommon |
| BH18165 | Disables services related to DrWeb security products. | anomalous uncommon |
| BH18166 | Disables services related to Emsisoft security products. | anomalous important |
| BH18167 | Disables services related to ESET security products. | important uncommon anomalous |
| BH18168 | Disables services related to F-Secure security products. | important uncommon |
| BH18169 | Disables services related to G Data security products. | anomalous important uncommon |
| BH18170 | Disables services related to Ikarus security products. | anomalous important |
| BH18171 | Disables services related to K7 Computing security products. | anomalous important uncommon |
| BH18172 | Disables services related to Kaspersky security products. | important uncommon |
| BH18173 | Disables services related to Kingsoft security products. | uncommon anomalous |
| BH18174 | Disables services related to Malwarebytes security products. | anomalous important |
| BH18175 | Disables services related to McAfee security products. | important uncommon anomalous |
| BH18176 | Disables services related to Microsoft security products. | important uncommon anomalous |
| BH18177 | Disables services related to Norman security products. | important uncommon anomalous |
| BH18178 | Disables services related to Panda security products. | important uncommon anomalous |
| BH18179 | Disables services related to QuickHeal security products. | anomalous important |
| BH18180 | Disables services related to Rising security products. | important uncommon anomalous |
| BH18181 | Disables services related to Sophos security products. | important uncommon anomalous |
| BH18182 | Disables services related to Symantec security products. | important uncommon anomalous |
| BH18183 | Disables services related to TrendMicro security products. | uncommon |
| BH18184 | Disables services related to Windows Defender. | anomalous |
| BH18185 | Disables services related to ZoneLabs security products. | important uncommon anomalous |
| BH18214 | Tampers with services related to Ad-Aware security products. | anomalous important uncommon |
| BH18215 | Tampers with services related to Agnitum security products. | anomalous important uncommon |
| BH18216 | Tampers with services related to AhnLab security products. | anomalous important uncommon |
| BH18217 | Tampers with services related to Avast security products. | important uncommon anomalous |
| BH18218 | Tampers with services related to AVG security products. | important uncommon anomalous |
| BH18219 | Tampers with services related to Avira security products. | important uncommon anomalous |
| BH18220 | Tampers with services related to BitDefender security products. | important uncommon anomalous |
| BH18221 | Tampers with services related to CA security products. | important uncommon anomalous |
| BH18222 | Tampers with services related to ClamAV security products. | anomalous important uncommon |
| BH18223 | Tampers with services related to common security products, firewalls or anti-virus solutions. | important uncommon |
| BH18224 | Tampers with services related to DrWeb security products. | anomalous important uncommon |
| BH18225 | Tampers with services related to ESET security products. | important uncommon anomalous |
| BH18226 | Tampers with services related to F-Secure security products. | important uncommon |
| BH18227 | Tampers with services related to G Data security products. | anomalous important uncommon |
| BH18228 | Tampers with services related to Ikarus security products. | anomalous important |
| BH18229 | Tampers with services related to K7 Computing security products. | anomalous important uncommon |
| BH18230 | Tampers with services related to Kaspersky security products. | important uncommon |
| BH18231 | Tampers with services related to Kingsoft security products. | important uncommon anomalous |
| BH18232 | Tampers with services related to McAfee security products. | important uncommon |
| BH18233 | Tampers with services related to Microsoft security products. | important uncommon anomalous |
| BH18234 | Tampers with services related to Norman security products. | important uncommon anomalous |
| BH18235 | Tampers with services related to Panda security products. | important uncommon anomalous |
| BH18236 | Tampers with services related to QuickHeal security products. | anomalous important |
| BH18237 | Tampers with services related to Rising security products. | important uncommon anomalous |
| BH18238 | Tampers with services related to Sophos security products. | important uncommon anomalous |
| BH18239 | Tampers with services related to Symantec security products. | important uncommon anomalous |
| BH18240 | Tampers with services related to TrendMicro security products. | important uncommon |
| BH18241 | Tampers with services related to ZoneLabs security products. | important uncommon anomalous |
| BH18247 | Checks the AppArmor status. | uncommon anomalous |
| BH18248 | Disables AppArmor. | anomalous |
| BH18249 | Contains strings commonly used for detecting VMs. | uncommon anomalous |
| BH18250 | Detects common security products. | |
| BH18251 | Detects ClamAV related security products. | |
| BH18252 | Detects DrWeb related security products. | |
| BH19123 | Enumerates breakpoints that are set in the current session. | uncommon |
| BH19147 | Enumerates debugger breakpoints. | anomalous |
| BH19375 | Gets preferences for the Windows Defender scans and updates. | uncommon |
| BH19415 | Gets the status of antimalware software on the computer. | uncommon |
| BH19565 | Might enumerate time related performance information. | |
| BH20104 | Uses a Nishang command to bypass UAC using several known methods. | anomalous malicious uncommon |
| BH20105 | Uses a Nishang command to bypass Windows Antimalware Scan Interface. | anomalous malicious |
| BH20121 | Uses a Nishang command to detect whether it is in a known virtual machine. | anomalous malicious uncommon |
| BH20236 | Uses PowerSploit/Empire command to locate single byte AV signatures. | anomalous malicious uncommon |
| BH20247 | Uses PowerSploit/Empire command to perform a UAC bypass attack by duplicating a High Integrity security access token. | anomalous malicious |
| BH20248 | Uses PowerSploit/Empire command to perform a UAC bypass attack by abusing the lack of an embedded manifest in wscript.exe. | anomalous malicious uncommon |
| BH20249 | Uses PowerSploit/Empire command to perform a UAC bypass attack by utilizing the trusted publisher certificate through process injection. | anomalous malicious uncommon |
