| BH12108 | Accesses the httpd.conf file. | uncommon |
| BH12115 | Accesses the operating system's file system table. | uncommon |
| BH12122 | Accesses the wp-config.php file. | uncommon |
| BH12153 | Changes file ownership. | uncommon |
| BH12160 | Changes security permissions of a file or a directory using WMI. | anomalous |
| BH12161 | Changes security permissions of a file using WMI. | anomalous |
| BH12174 | Checks file permissions. | uncommon |
| BH12178 | Accesses the Openbox environment configuration file. | anomalous uncommon |
| BH12194 | Contains references to UNIX/Linux login log files. | uncommon |
| BH12196 | Copies files to Windows system directories. | uncommon |
| BH12206 | Creates a virtual file system. | anomalous |
| BH12217 | Creates new files, folders or registry keys. | uncommon |
| BH12221 | Deletes a file or a directory using WMI. | anomalous |
| BH12222 | Deletes a file using WMI. | anomalous |
| BH12223 | Deletes a file/directory. | |
| BH12232 | Deletes an object identifier (OID). | anomalous |
| BH12237 | Deletes files in Windows system directories. | uncommon |
| BH12239 | Deletes files in common user, data, or temporary directories. | uncommon |
| BH12357 | Formats a disk. | uncommon anomalous |
| BH12369 | Imports form fields from file. | uncommon anomalous |
| BH12370 | Imports icon data from another file. | uncommon anomalous |
| BH12374 | Imports security settings from an embedded file. | anomalous |
| BH12375 | Imports values from .PSD1 file. | uncommon |
| BH12377 | Imports watermark from file. | anomalous |
| BH12378 | Includes a file with the compiled script. | anomalous |
| BH12379 | Includes and installs a file with the compiled script. | uncommon anomalous |
| BH12387 | Installs packages via apt. | uncommon |
| BH12388 | Installs packages via dpkg. | uncommon |
| BH12389 | Installs packages via pip. | uncommon |
| BH12390 | Installs packages via yum. | uncommon |
| BH12420 | Modifies an object identifier (OID). | anomalous |
| BH12422 | Modifies file/directory attributes. | uncommon |
| BH12423 | Modifies file/directory ownership. | uncommon |
| BH12427 | Modifies the timestamp of a file. | |
| BH12449 | Might tamper with volume shadow copies. | anomalous important uncommon |
| BH12454 | Mounts a volume inside a backup so that the files on the volume can be browsed. | uncommon anomalous |
| BH12455 | Mounts ISO or VHD disk images. | uncommon |
| BH12456 | Mounts WIM or VHD disk image files. | uncommon |
| BH12490 | Removes shadow copies using WMI. | anomalous important uncommon |
| BH12498 | Replaces locked operating system files. | anomalous |
| BH12562 | Sets the 'system file' attribute to files/directories. | uncommon anomalous |
| BH12591 | Tampers with access control lists (DACLs) on files or directories. | uncommon anomalous |
| BH12599 | Tampers with Authenticode signatures. | uncommon |
| BH12613 | Tampers with command line execution history. | uncommon |
| BH12624 | Tampers with discretionary access control lists (DACL) on specified files. | anomalous uncommon |
| BH12625 | Tampers with disk quotas on NTFS volumes. | anomalous |
| BH12666 | Tampers with iSCSI storage. | uncommon |
| BH12700 | Tampers with NTFS volume behavior. | anomalous |
| BH12701 | Tampers with object identifiers (OIDs). | anomalous |
| BH12736 | Tampers with storage tiers. | anomalous |
| BH12763 | Tampers with volume labels of a disk. | uncommon anomalous |
| BH12765 | Tampers with WIM or VHD disk image files. | uncommon |
| BH12768 | Tampers with Windows Catalog files. | uncommon anomalous |
| BH12820 | Writes to files in Windows system directories. | uncommon |
| BH12852 | Erases backup catalog stored on the local computer. | anomalous important |
| BH12853 | Erases system state backups. | anomalous |
| BH12854 | Erases Volume Shadow copies. | anomalous important |
| BH12855 | Copies the permission bits of a file. | uncommon |
| BH12856 | Copies the permission bits, last access time, last modification time, and flags of a file. | uncommon |
| BH12860 | Accesses a shell configuration file. | uncommon |
| BH12861 | Accesses an Xorg configuration file. | uncommon |
| BH12862 | Accesses an SSH configuration file. | uncommon |
| BH12863 | Accesses the Openbox autostart configuration file. | uncommon anomalous |
| BH12864 | Accesses the Fluxbox configuration directory. | uncommon anomalous |
| BH12865 | Accesses the .gnupg/gpg-agent.conf file. | uncommon anomalous |
| BH12866 | Accesses the Herbsluftwm configuration directory. | anomalous |
| BH12867 | Accesses the Xfce4 configuration directory. | uncommon anomalous |
| BH12868 | Accesses a block device pseudo-file. | uncommon |
| BH12869 | Accesses data from the proc filesystem. | uncommon |
| BH12870 | Installs packages via pacman. | uncommon |
| BH12871 | Installs packages via emerge. | uncommon |
| BH12880 | Accesses a systemd service file. | uncommon |
| BH12881 | Accesses the /efi partition. | uncommon anomalous |
| BH12882 | Accesses the /boot directory. | uncommon |
| BH12884 | Accesses a systemd timer file. | uncommon anomalous |
| BH12885 | Unmounts a filesystem. | uncommon |
| BH12887 | Accesses the /etc/polkit-1/rules.d directory. | uncommon anomalous |
| BH12902 | Accesses a PAM configuration file. | uncommon anomalous |
| BH12904 | Accesses an external mountpoint. | uncommon |
| BH12926 | Accesses the /etc/ssl directory. | uncommon |
| BH12927 | Accesses the Cinnamon configuration directory. | uncommon anomalous |
| BH12928 | Mounts a filesystem. | uncommon |
| BH12940 | Accesses a systemd socket file. | uncommon anomalous |
| BH12941 | Accesses a systemd device file. | anomalous |
| BH12942 | Accesses a systemd mount file. | uncommon anomalous |
| BH12943 | Accesses a systemd target file. | uncommon anomalous |
| BH12944 | Accesses a systemd path file. | uncommon anomalous |
| BH12950 | Accesses the /proc/sys directory. | uncommon |
| BH12961 | Access the /etc/security directory. | uncommon |
| BH12965 | Copies files/folders between a Docker container and the local filesystem. | uncommon |
| BH12979 | Accesses the /etc/dbus-1 directory. | uncommon anomalous |
| BH12980 | Accesses the /etc/grub.d directory. | uncommon anomalous |
| BH12981 | Accesses the /etc/firewalld directory. | uncommon anomalous |
| BH12982 | Accesses the /etc/modprobe.d directory. | uncommon anomalous |
| BH12983 | Accesses the /etc/modules-load.d directory. | uncommon anomalous |
| BH12984 | Accesses the /etc/resolv.conf file. | uncommon |
| BH12985 | Accesses the /etc/named.conf file. | uncommon anomalous |
| BH12986 | Accesses the /etc/ld.so.conf file. | uncommon |
| BH12987 | Accesses the /etc/ld.so.conf.d directory. | uncommon |
| BH12988 | Accesses the /etc/nftables.conf file. | anomalous |
| BH12989 | Accesses the /etc/pacman.conf file. | uncommon |
| BH12990 | Accesses the /etc/mkinitcpio.conf file. | uncommon anomalous |
| BH12991 | Accesses the /etc/apt directory. | uncommon |
| BH12992 | Accesses the /etc/sudoers file. | uncommon |
| BH12993 | Accesses the /etc/sudoers.d directory. | uncommon |
| BH12994 | Accesses the /etc/sudo.conf file. | uncommon anomalous |
| BH12995 | Accesses the /etc/doas.conf file. | uncommon anomalous |
| BH12996 | Accesses the /etc/default directory. | uncommon |
| BH12997 | Accesses the /dev/random pseudo-file. | uncommon |
| BH12998 | Accesses the /dev/urandom pseudo-file. | uncommon |
| BH12999 | Accesses the /dev/zero pseudo-file. | uncommon |
| BH13000 | Accesses the /dev/null pseudo-file. | uncommon |
| BH13001 | Accesses the /proc/net directory. | uncommon anomalous |
| BH13002 | Accesses the /proc/self directory. | uncommon |
| BH13003 | Accesses the /etc/audit directory. | uncommon anomalous |
| BH13004 | Accesses the /run/systemd directory. | uncommon |
| BH13005 | Accesses the Wayland weston.ini file. | uncommon anomalous |
| BH13006 | Accesses the systemd-boot loader.conf file. | uncommon anomalous |
| BH13009 | Truncates a file. | uncommon |
| BH13019 | Installs a Ruby gem package. | uncommon |
| BH13020 | Installs a NodeJS package via npm. | uncommon |
| BH13021 | Installs a NodeJS package via yarn. | uncommon anomalous |
| BH13022 | Accesses the /etc/conf.d directory. | uncommon anomalous |
| BH13023 | Adds an OpenRC service. | uncommon anomalous |
| BH13024 | Deletes an OpenRC service. | anomalous uncommon |
| BH13029 | Accesses the OpenRC service directory. | uncommon anomalous |
| BH13030 | Accesses the /var/service directory. | uncommon anomalous |
| BH13041 | Accesses an OpenLDAP server configuration. | anomalous |
| BH13042 | Accesses an OpenLDAP client configuration. | uncommon anomalous |
| BH13043 | Accesses the /etc/krb5.conf file. | uncommon anomalous |
| BH13050 | Accesses the /sys/firmware directory. | uncommon anomalous |
| BH13051 | Accesses the Kafka server configuration. | anomalous uncommon |
| BH13053 | Accesses the /etc/supervisor/conf.d directory. | uncommon anomalous |
| BH13054 | Accesses the /etc/supervisor/supervisord.conf file. | uncommon anomalous |
| BH13055 | Accesses the /etc/skel directory. | uncommon |
| BH13056 | Accesses the /etc/incron.d directory. | uncommon anomalous important |
| BH13057 | Accesses the /etc/incron.conf file. | uncommon anomalous |
| BH13058 | Accesses a .git directory. | uncommon |
| BH13059 | Accesses a .svn directory. | uncommon |
| BH13066 | Accesses the /etc/environment.d directory. | anomalous |
| BH13067 | Accesses /etc/exports. | uncommon anomalous |
| BH13068 | Accesses the /etc/lxc/default.conf file. | uncommon anomalous |
| BH13069 | Accesses the /etc/lxc/lxc-usernet file. | uncommon anomalous |
| BH13119 | Accesses OfflineIMAP configuration file. | uncommon anomalous |
| BH13120 | Accesses the KDE daemon configuration file. | anomalous |
| BH13121 | Accesses the KDE desktop session configuration file. | anomalous |
| BH13123 | Accesses the i3wm configuration. | uncommon anomalous |
| BH13124 | Accesses the Sway configuration. | anomalous |
| BH13125 | Accesses the bspwm configuration. | anomalous |
| BH13128 | Deletes a file/directory using reflection. | uncommon |
| BH13129 | Modifies file/directory permissions using reflection. | uncommon |
| BH13149 | Modifies file/directory attributes using reflection. | uncommon |
| BH13150 | Changes file ownership using reflection. | anomalous |
| BH13151 | Changes group ownership of a file or directory using reflection. | anomalous |
| BH13153 | Sets the 'system file' attribute to files/directories using reflection. | anomalous |
| BH13173 | Creates a virtual sysfs attribute file for a device. | uncommon |
| BH13174 | Removes a virtual sysfs attribute file from a device. | uncommon |
| BH13179 | Creates a virtual sysfs attribute file for a device driver. | uncommon |
| BH13180 | Removes a virtual sysfs attribute file from a device driver. | uncommon |
| BH13194 | Modifies a shell configuration file. | uncommon |
| BH13219 | Uses Linux kernel APIs for access to the virtual filesystem. | uncommon |
| BH13220 | Uses Linux kernel APIs for access to the debugfs filesystem. | uncommon |
| BH13221 | Uses Linux kernel APIs for access to the sysfs filesystem. | uncommon |
| BH13222 | Uses Linux kernel APIs for access to the procfs filesystem. | uncommon |
| BH13247 | Serializes data into the standard URL-encoded notation. | uncommon |
| BH13248 | Serializes data into the JSON format. | |
| BH13292 | Serializes data into the XML format. | uncommon |
| BH13312 | Uses methods for manipulating other Pickle files in Pickle-serialized data. | malicious uncommon anomalous |
| BH13313 | Deletes temporary files. | anomalous |
| BH13327 | Creates/Opens a file. | |
| BH13328 | Reads from files. | |
| BH13329 | Writes to files. | |
| BH13335 | Creates/opens files in Windows system directories. | |
| BH13336 | Reads from files in Windows system directories. | |
| BH13337 | Creates/opens files in common user, data or temporary directories. | |
| BH13338 | Reads from files in common user, data, or temporary directories. | |
| BH13339 | Writes to files in common user, data, or temporary directories. | |
| BH13352 | Creates a directory. | |
| BH13353 | Removes a directory. | |
| BH13354 | Writes data to Outlook contact/address book. | |
| BH13369 | Creates symbolic\hard links to files or directories. | |
| BH13370 | Mounts filesystems or other media. | |
| BH13371 | Unmounts filesystems or other media. | |
| BH13372 | Lists directory contents. | |
| BH13373 | Accesses command line execution history. | |
| BH13379 | Renames files. | |
| BH13382 | Empties the Recycle Bin. | |
| BH13385 | Copies, moves, renames, or deletes a file system object. | |
| BH13389 | Creates temporary files. | |
| BH13391 | Copies a file. | |
| BH13392 | Copies files to common user, data, or temporary directories. | |
| BH13401 | Opens a file for reading or writing. | |
| BH13405 | Sets or updates the file pointer position within an open file. | |
| BH13407 | Flushes the file's buffer to disk. | |
| BH13410 | Queries the size of a file. | |
| BH13416 | Queries file attributes. | |
| BH13423 | Changes the current directory. | |
| BH13425 | Queries the timestamp of a file/directory. | |
| BH13426 | Queries version information of a file. | |
| BH13433 | Checks if a file or a directory exists. | |
| BH13434 | Closes a previously open file. | |
| BH13441 | Queries the file type of a file. | |
| BH13442 | Changes the size of a file. | |
| BH13444 | Queries file information. | |
| BH13445 | Changes file information. | |
| BH13453 | Reads a value from a standard format .ini file. | |
| BH13454 | Writes a value to a standard format .ini file. | |
| BH13465 | Changes the current working directory. | |
| BH13466 | Opens a file. | |
| BH13467 | Queries the text encoding used in a file. | |
| BH13468 | Moves a file. | |
| BH13481 | Copies a file/directory. | |
| BH13497 | Creates a symbolic link to a file or directory. | |
| BH13521 | Imports the java.nio.file.Files class, which contains methods for file manipulation. | |
| BH13538 | Exports data to file. | |
| BH13546 | Might cache requests. | |
| BH13555 | Might store data using IndexedDB. | |
| BH13578 | Uses json-related functions. | |
| BH13581 | Renames a file or directory. | |
| BH13800 | Accesses a previously opened file in VS Code. | |
| BH13801 | Saves a file. | |
| BH13820 | Accesses the file system. | |
| BH13826 | Makes changes to files in the workspace. | |
| BH13828 | Accesses the VS Code extension secrets storage. | |
| BH15146 | Encrypts a file. | anomalous |
| BH15148 | Encrypts files using cipher tool. | anomalous |
| BH15151 | Encrypts or encodes data in memory using the Windows Cryptography API. | uncommon |
| BH15152 | Encrypts or encodes files and other data using the Windows Cryptography API. | uncommon |
| BH15187 | Encodes data using the Base32 algorithm. | uncommon |
| BH15189 | Encodes data using the Base16 algorithm. | |
| BH15190 | Decodes data using the Base16 algorithm. | uncommon |
| BH15191 | Encodes data using the Ascii85 algorithm. | uncommon anomalous |
| BH15192 | Decodes data using the Ascii85 algorithm. | uncommon anomalous |
| BH15193 | Encodes data using the Base85 algorithm. | uncommon anomalous |
| BH15194 | Decodes data using the Base85 algorithm. | uncommon anomalous |
| BH15199 | Encodes data using the BinHex4 algorithm. | uncommon |
| BH15200 | Decodes data using the BinHex4 algorithm. | uncommon |
| BH15210 | Decrypts encrypted data with openssl. | anomalous |
| BH15211 | Encrypts data with openssl. | uncommon anomalous |
| BH15212 | Encrypts data with gpg. | uncommon anomalous |
| BH15213 | Decrypts data with gpg. | uncommon |
| BH15214 | Decompresses a Zip archive. | uncommon |
| BH15215 | Decompresses a Rar archive. | uncommon |
| BH15216 | Decompresses a Tar archive. | uncommon |
| BH15229 | Encodes data using the Base64 algorithm using reflection. | uncommon |
| BH15230 | Decodes data using the Base64 algorithm using reflection. | uncommon |
| BH15231 | Creates/Opens a Zip archive for writing. | uncommon |
| BH15232 | Adds files to a Zip archive. | uncommon |
| BH15233 | Writes compressed data to a Zip archive. | uncommon |
| BH15237 | Calculates the MD5 hash of data. | |
| BH15238 | Calculates the SHA-1 hash of data. | |
| BH15239 | Calculates the SHA-256 hash of data. | |
| BH15240 | Calculates the MD4 hash of data. | uncommon |
| BH15241 | Calculates the RIPEMD160 hash of data. | uncommon |
| BH15242 | Calculates the SHA-224 hash of data. | uncommon |
| BH15243 | Calculates the SHA-3 hash of data. | uncommon |
| BH15244 | Calculates the SHA-384 hash of data. | uncommon |
| BH15245 | Calculates the SHA-512 hash of data. | uncommon |
| BH15246 | Calculates the SM3 hash of data. | uncommon anomalous |
| BH15247 | Calculates the BLAKE-2 hash of data. | uncommon anomalous |
| BH15248 | Calculates the SHAKE-128 hash of data. | uncommon |
| BH15249 | Calculates the SHAKE-256 hash of data. | uncommon |
| BH15250 | Calculates the WHIRLPOOL hash of data. | uncommon |
| BH15287 | Calculates the MD5 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous |
| BH15288 | Calculates the RIPEMD160 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous |
| BH15289 | Calculates the SHA-1 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous |
| BH15290 | Calculates the SHA-256 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous |
| BH15291 | Calculates the SHA-384 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous |
| BH15292 | Calculates the SHA-512 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous |
| BH15293 | Encodes data using the Bubble Babble algorithm. | uncommon anomalous |
| BH15298 | Calculates a cryptographic hash of data and encodes it using the Base64 algorithm. | uncommon anomalous |
| BH15299 | Creates a cryptographic hash of file contents. | uncommon |
| BH15301 | Calculates the SHA-512/224 hash of data. | uncommon |
| BH15302 | Calculates the SHA-512/256 hash of data. | uncommon |
| BH15313 | Encodes data using the ASN.1 DER encoding. | uncommon |
| BH15314 | Decodes data using the ASN.1 DER encoding. | uncommon |
| BH15315 | Encodes data using the PEM encoding. | uncommon |
| BH15316 | Decodes data using the PEM encoding. | uncommon |
| BH15326 | The file is encrypted or contains an encrypted file. | |
| BH16355 | Might use Web Storage API. | |
| BH17101 | Accesses /etc/environment file. | uncommon |
| BH17102 | Accesses /etc/group file. | uncommon |
| BH17103 | Accesses /etc/gshadow file. | uncommon anomalous |
| BH17104 | Accesses /etc/init.d directory. | uncommon |
| BH17105 | Accesses /etc/login.defs file. | uncommon |
| BH17106 | Accesses /etc/network/interfaces file. | uncommon |
| BH17107 | Accesses /etc/networks file. | uncommon anomalous |
| BH17108 | Accesses /etc/pam.d/chpasswd file. | anomalous |
| BH17109 | Accesses /etc/passwd file. | uncommon |
| BH17110 | Accesses /etc/rc.d directory. | uncommon |
| BH17112 | Accesses /etc/shells file. | uncommon |
| BH17113 | Accesses /etc/subgid file. | uncommon |
| BH17114 | Accesses /etc/subuid file. | uncommon |
| BH17115 | Accesses /etc/usertty file. | anomalous |
| BH17116 | Accesses rc.local file. | uncommon |
| BH17146 | Modifies Bitcoin wallet files. | anomalous |
| BH17147 | Accesses Bitcoin wallet files. | anomalous important |
| BH17237 | Writes data to AIM user account settings. | anomalous |
| BH17238 | Writes data to Chrome certificate databases. | uncommon anomalous |
| BH17239 | Writes data to Chrome cookie databases. | uncommon anomalous |
| BH17240 | Writes data to Chrome navigation history databases. | uncommon anomalous |
| BH17241 | Writes data to Chrome session databases. | uncommon important |
| BH17242 | Writes data to Chrome stored credentials databases. | uncommon important |
| BH17243 | Writes data to Chromium certificate databases. | uncommon anomalous |
| BH17244 | Writes data to Chromium cookie databases. | uncommon anomalous |
| BH17245 | Writes data to Chromium navigation history databases. | uncommon anomalous |
| BH17246 | Writes data to Chromium preferences databases. | uncommon anomalous |
| BH17247 | Writes data to Chromium session databases. | uncommon anomalous |
| BH17248 | Writes data to Chromium stored credentials databases. | important uncommon anomalous |
| BH17249 | Writes data to Firefox add-on databases. | anomalous |
| BH17250 | Writes data to Firefox anti-phishing databases. | anomalous |
| BH17251 | Writes data to Firefox certificate databases. | uncommon anomalous |
| BH17252 | Writes data to Firefox cookie databases. | uncommon anomalous |
| BH17253 | Writes data to Firefox MIME plugin/configuration databases. | anomalous |
| BH17254 | Writes data to Firefox navigation history databases. | uncommon anomalous |
| BH17255 | Writes data to Firefox preferences databases. | uncommon anomalous |
| BH17256 | Writes data to Firefox saved form data databases. | uncommon anomalous |
| BH17257 | Writes data to Firefox security module database. | anomalous |
| BH17258 | Writes data to Firefox session databases. | anomalous uncommon |
| BH17259 | Writes data to Firefox stored credentials databases. | uncommon |
| BH17260 | Writes data to iChat user account settings. | anomalous |
| BH17261 | Writes data to Internet Explorer cookie databases. | uncommon anomalous |
| BH17262 | Writes data to Internet Explorer navigation history databases. | uncommon anomalous |
| BH17263 | Writes data to Internet Explorer preferences databases. | anomalous |
| BH17264 | Writes data to Netscape add-on databases. | anomalous |
| BH17265 | Writes data to Netscape certificate databases. | anomalous |
| BH17266 | Writes data to Netscape contact/address book. | anomalous |
| BH17267 | Writes data to Netscape cookie databases. | anomalous |
| BH17268 | Writes data to Netscape integrated instant messaging databases. | anomalous |
| BH17269 | Writes data to Netscape mailbox files. | anomalous |
| BH17270 | Writes data to Netscape MIME plugin/configuration databases. | anomalous |
| BH17271 | Writes data to Netscape navigation history databases. | important uncommon anomalous |
| BH17272 | Writes data to Netscape preferences databases. | uncommon anomalous |
| BH17273 | Writes data to Netscape saved form data databases. | anomalous |
| BH17274 | Writes data to Netscape security module database. | anomalous |
| BH17275 | Writes data to Netscape stored credentials databases. | important uncommon anomalous |
| BH17276 | Writes data to Opera cookie databases. | uncommon anomalous |
| BH17277 | Writes data to Opera navigation history databases. | uncommon anomalous |
| BH17278 | Writes data to Opera preferences databases. | uncommon anomalous |
| BH17279 | Writes data to Opera stored credentials databases. | important uncommon anomalous |
| BH17280 | Writes data to Outlook email/contact backups. | uncommon anomalous |
| BH17281 | Writes data to Outlook mailbox files. | uncommon anomalous |
| BH17282 | Writes data to Outlook offline/cached items. | uncommon anomalous |
| BH17283 | Writes data to Pidgin stored credentials. | anomalous |
| BH17284 | Writes data to Safari cookie databases. | uncommon anomalous |
| BH17285 | Writes data to Safari navigation history databases. | uncommon anomalous |
| BH17286 | Writes data to Safari session databases. | uncommon anomalous |
| BH17287 | Writes data to Skype chat history database. | anomalous |
| BH17288 | Writes data to Skype stored credentials. | anomalous |
| BH17289 | Writes data to Thunderbird certificate database. | anomalous |
| BH17290 | Writes data to Thunderbird cookie files. | anomalous |
| BH17291 | Writes data to Thunderbird download history database. | anomalous |
| BH17292 | Writes data to Thunderbird extension database. | anomalous |
| BH17293 | Writes data to Thunderbird mailbox files. | uncommon anomalous |
| BH17294 | Writes data to Thunderbird stored credentials. | anomalous |
| BH17295 | Writes data to Windows Mail stored credentials. | anomalous |
| BH17296 | Modifies log files. | uncommon |
| BH17297 | Modifies SSH key files. | uncommon |
| BH17298 | Modifies user login log files. | uncommon |
| BH17307 | Accesses user login log files. | uncommon |
| BH17362 | Writes data to the Chrome local state file which contains the encryption key for local databases. | uncommon important |
| BH17364 | Writes data to the Chromium local state file which contains the encryption key for local databases. | uncommon anomalous |
| BH17366 | Writes data to the Opera local state file which contains the encryption key for local databases. | uncommon anomalous |
| BH17368 | Writes data to the Vivaldi browser's local state file which contains the encryption key for local databases. | uncommon anomalous |
| BH17370 | Writes data to the Yandex browser's local state file which contains the encryption key for local databases. | uncommon anomalous |
| BH17373 | Writes data to Vivaldi browser's stored credentials databases. | important uncommon anomalous |
| BH17376 | Writes data to Yandex browser's stored credentials databases. | important uncommon anomalous |
| BH17379 | Writes data to the Firefox profiles.ini file which contains information about profiles and the path to the directory with local databases. | uncommon |
| BH17381 | Writes data to the Microsoft Edge local state file which contains the encryption key for local databases. | uncommon anomalous |
| BH17383 | Writes data to Microsoft Edge stored credentials databases. | uncommon anomalous |
| BH17386 | Writes data to Safari stored credentials databases. | important uncommon anomalous |
| BH17388 | Writes data to the SeaMonkey browser's profiles.ini file which contains information about profiles and the path to the directory with local databases. | important uncommon anomalous |
| BH17390 | Writes data to SeaMonkey browser's stored credentials databases. | important uncommon anomalous |
| BH17393 | Writes data to the Waterfox browser's profiles.ini file which contains information about profiles and the path to the directory with local databases. | anomalous uncommon |
| BH17395 | Writes data to Waterfox browser's stored credentials databases. | anomalous |
| BH17398 | Writes data to the Brave browser's local state file which contains the encryption key for local databases. | uncommon anomalous |
| BH17400 | Writes data to Brave browser's stored credentials databases. | uncommon anomalous |
| BH17405 | Writes data to files containing encrypted Windows Data Protection API master keys. | important uncommon anomalous |
| BH17407 | Writes data to files containing encrypted credentials from the Windows Credential Manager. | uncommon anomalous |
| BH17415 | Writes data to files containing SSL certificates installed on the system. | uncommon |
| BH17428 | Writes data to Eudora stored credentials. | anomalous |
| BH17430 | Writes data to GroupMail stored credentials. | anomalous |
| BH17437 | Accesses system logs. | uncommon |
| BH18244 | Accesses the /etc/selinux/config file. | uncommon anomalous |
| BH18246 | Accesses the /etc/apparmor directory. | uncommon anomalous |
| BH19148 | Enumerates default folder locations. | anomalous |
| BH19173 | Enumerates file systems. | anomalous |
| BH19182 | Enumerates index path. | anomalous |
| BH19357 | Gets information about .pfx certificate files on the computer. | uncommon |
| BH19360 | Gets information about document file. | uncommon |
| BH19362 | Gets information about the Authenticode signature for a file. | uncommon |
| BH19366 | Gets information about volumes that BitLocker can protect. | uncommon |
| BH19473 | Accesses the /etc/lsb-release file. | uncommon |
| BH19474 | Accesses the /proc/cpuinfo pseudo-file. | uncommon |
| BH19475 | Accesses the /proc/kmsg pseudo-file. | uncommon |
| BH19567 | Might enumerate available storage. | |
| BH20178 | Uses PowerSploit/Empire command to convert objects into a series of comma-separated (CSV) strings and save the strings in a CSV file. | anomalous malicious uncommon |
| BH20179 | Uses PowerSploit/Empire command to copy a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. | anomalous malicious uncommon |
| BH20183 | Uses PowerSploit/Empire command to create a new volume shadow copy. | anomalous malicious uncommon |
| BH20189 | Uses PowerSploit/Empire command to encrypt text file or script. | anomalous malicious uncommon |
| BH20242 | Uses PowerSploit/Empire command to mount a volume shadow copy. | anomalous malicious uncommon |
| BH20246 | Uses PowerSploit/Empire command to patch in the specified command to a pre-compiled C# service executable and write the binary out. | anomalous malicious uncommon |
| BH20254 | Uses PowerSploit/Empire command to remove a volume shadow copy. | anomalous malicious uncommon |
| BH20259 | Uses PowerSploit/Empire command to restore a service binary backed up by Install-ServiceBinary. | anomalous malicious uncommon |
| BH20311 | Uses PowerSploit/Empire command to set the binary path for a service to a specified value. | anomalous malicious uncommon |
