File

ID | Description | Significance / Prevalence
BH12108 | Accesses the httpd.conf file. | uncommon
BH12115 | Accesses the operating system's file system table. | uncommon
BH12122 | Accesses the wp-config.php file. | uncommon
BH12153 | Changes file ownership. | uncommon
BH12160 | Changes security permissions of a file or a directory using WMI. | anomalous
BH12161 | Changes security permissions of a file using WMI. | anomalous
BH12174 | Checks file permissions. | uncommon
BH12178 | Accesses the Openbox environment configuration file. | anomalous uncommon
BH12194 | Contains references to UNIX/Linux login log files. | uncommon
BH12196 | Copies files to Windows system directories. | uncommon
BH12206 | Creates a virtual file system. | anomalous
BH12217 | Creates new files, folders or registry keys. | uncommon
BH12221 | Deletes a file or a directory using WMI. | anomalous
BH12222 | Deletes a file using WMI. | anomalous
BH12223 | Deletes a file/directory. |
BH12232 | Deletes an object identifier (OID). | anomalous
BH12237 | Deletes files in Windows system directories. | uncommon
BH12239 | Deletes files in common user, data, or temporary directories. | uncommon
BH12357 | Formats a disk. | uncommon anomalous
BH12369 | Imports form fields from file. | uncommon anomalous
BH12370 | Imports icon data from another file. | uncommon anomalous
BH12374 | Imports security settings from an embedded file. | anomalous
BH12375 | Imports values from .PSD1 file. | uncommon
BH12377 | Imports watermark from file. | anomalous
BH12378 | Includes a file with the compiled script. | anomalous
BH12379 | Includes and installs a file with the compiled script. | uncommon anomalous
BH12387 | Installs packages via apt. | uncommon
BH12388 | Installs packages via dpkg. | uncommon
BH12389 | Installs packages via pip. | uncommon
BH12390 | Installs packages via yum. | uncommon
BH12420 | Modifies an object identifier (OID). | anomalous
BH12422 | Modifies file/directory attributes. | uncommon
BH12423 | Modifies file/directory ownership. | uncommon
BH12427 | Modifies the timestamp of a file. |
BH12449 | Might tamper with volume shadow copies. | anomalous important uncommon
BH12454 | Mounts a volume inside a backup so that the files on the volume can be browsed. | uncommon anomalous
BH12455 | Mounts ISO or VHD disk images. | uncommon
BH12456 | Mounts WIM or VHD disk image files. | uncommon
BH12490 | Removes shadow copies using WMI. | anomalous important uncommon
BH12498 | Replaces locked operating system files. | anomalous
BH12562 | Sets the 'system file' attribute to files/directories. | uncommon anomalous
BH12591 | Tampers with access control lists (DACLs) on files or directories. | uncommon anomalous
BH12599 | Tampers with Authenticode signatures. | uncommon
BH12613 | Tampers with command line execution history. | uncommon
BH12624 | Tampers with discretionary access control lists (DACL) on specified files. | anomalous uncommon
BH12625 | Tampers with disk quotas on NTFS volumes. | anomalous
BH12666 | Tampers with iSCSI storage. | uncommon
BH12700 | Tampers with NTFS volume behavior. | anomalous
BH12701 | Tampers with object identifiers (OIDs). | anomalous
BH12736 | Tampers with storage tiers. | anomalous
BH12763 | Tampers with volume labels of a disk. | uncommon anomalous
BH12765 | Tampers with WIM or VHD disk image files. | uncommon
BH12768 | Tampers with Windows Catalog files. | uncommon anomalous
BH12820 | Writes to files in Windows system directories. | uncommon
BH12852 | Erases backup catalog stored on the local computer. | anomalous important
BH12853 | Erases system state backups. | anomalous
BH12854 | Erases Volume Shadow copies. | anomalous important
BH12855 | Copies the permission bits of a file. | uncommon
BH12856 | Copies the permission bits, last access time, last modification time, and flags of a file. | uncommon
BH12860 | Accesses a shell configuration file. | uncommon
BH12861 | Accesses an Xorg configuration file. | uncommon
BH12862 | Accesses an SSH configuration file. | uncommon
BH12863 | Accesses the Openbox autostart configuration file. | uncommon anomalous
BH12864 | Accesses the Fluxbox configuration directory. | uncommon anomalous
BH12865 | Accesses the .gnupg/gpg-agent.conf file. | uncommon anomalous
BH12866 | Accesses the Herbsluftwm configuration directory. | anomalous
BH12867 | Accesses the Xfce4 configuration directory. | uncommon anomalous
BH12868 | Accesses a block device pseudo-file. | uncommon
BH12869 | Accesses data from the proc filesystem. | uncommon
BH12870 | Installs packages via pacman. | uncommon
BH12871 | Installs packages via emerge. | uncommon
BH12880 | Accesses a systemd service file. | uncommon
BH12881 | Accesses the /efi partition. | uncommon anomalous
BH12882 | Accesses the /boot directory. | uncommon
BH12884 | Accesses a systemd timer file. | uncommon anomalous
BH12885 | Unmounts a filesystem. | uncommon
BH12887 | Accesses the /etc/polkit-1/rules.d directory. | uncommon anomalous
BH12902 | Accesses a PAM configuration file. | uncommon anomalous
BH12904 | Accesses an external mountpoint. | uncommon
BH12926 | Accesses the /etc/ssl directory. | uncommon
BH12927 | Accesses the Cinnamon configuration directory. | uncommon anomalous
BH12928 | Mounts a filesystem. | uncommon
BH12940 | Accesses a systemd socket file. | uncommon anomalous
BH12941 | Accesses a systemd device file. | anomalous
BH12942 | Accesses a systemd mount file. | uncommon anomalous
BH12943 | Accesses a systemd target file. | uncommon anomalous
BH12944 | Accesses a systemd path file. | uncommon anomalous
BH12950 | Accesses the /proc/sys directory. | uncommon
BH12961 | Accesses the /etc/security directory. | uncommon
BH12965 | Copies files/folders between a Docker container and the local filesystem. | uncommon
BH12979 | Accesses the /etc/dbus-1 directory. | uncommon anomalous
BH12980 | Accesses the /etc/grub.d directory. | uncommon anomalous
BH12981 | Accesses the /etc/firewalld directory. | uncommon anomalous
BH12982 | Accesses the /etc/modprobe.d directory. | uncommon anomalous
BH12983 | Accesses the /etc/modules-load.d directory. | uncommon anomalous
BH12984 | Accesses the /etc/resolv.conf file. | uncommon
BH12985 | Accesses the /etc/named.conf file. | uncommon anomalous
BH12986 | Accesses the /etc/ld.so.conf file. | uncommon
BH12987 | Accesses the /etc/ld.so.conf.d directory. | uncommon
BH12988 | Accesses the /etc/nftables.conf file. | anomalous
BH12989 | Accesses the /etc/pacman.conf file. | uncommon
BH12990 | Accesses the /etc/mkinitcpio.conf file. | uncommon anomalous
BH12991 | Accesses the /etc/apt directory. | uncommon
BH12992 | Accesses the /etc/sudoers file. | uncommon
BH12993 | Accesses the /etc/sudoers.d directory. | uncommon
BH12994 | Accesses the /etc/sudo.conf file. | uncommon anomalous
BH12995 | Accesses the /etc/doas.conf file. | uncommon anomalous
BH12996 | Accesses the /etc/default directory. | uncommon
BH12997 | Accesses the /dev/random pseudo-file. | uncommon
BH12998 | Accesses the /dev/urandom pseudo-file. | uncommon
BH12999 | Accesses the /dev/zero pseudo-file. | uncommon
BH13000 | Accesses the /dev/null pseudo-file. | uncommon
BH13001 | Accesses the /proc/net directory. | uncommon anomalous
BH13002 | Accesses the /proc/self directory. | uncommon
BH13003 | Accesses the /etc/audit directory. | uncommon anomalous
BH13004 | Accesses the /run/systemd directory. | uncommon
BH13005 | Accesses the Wayland weston.ini file. | uncommon anomalous
BH13006 | Accesses the systemd-boot loader.conf file. | uncommon anomalous
BH13009 | Truncates a file. | uncommon
BH13019 | Installs a Ruby gem package. | uncommon
BH13020 | Installs a NodeJS package via npm. | uncommon
BH13021 | Installs a NodeJS package via yarn. | uncommon anomalous
BH13022 | Accesses the /etc/conf.d directory. | uncommon anomalous
BH13023 | Adds an OpenRC service. | uncommon anomalous
BH13024 | Deletes an OpenRC service. | anomalous uncommon
BH13029 | Accesses the OpenRC service directory. | uncommon anomalous
BH13030 | Accesses the /var/service directory. | uncommon anomalous
BH13041 | Accesses an OpenLDAP server configuration. | anomalous
BH13042 | Accesses an OpenLDAP client configuration. | uncommon anomalous
BH13043 | Accesses the /etc/krb5.conf file. | uncommon anomalous
BH13050 | Accesses the /sys/firmware directory. | uncommon anomalous
BH13051 | Accesses the Kafka server configuration. | anomalous uncommon
BH13053 | Accesses the /etc/supervisor/conf.d directory. | uncommon anomalous
BH13054 | Accesses the /etc/supervisor/supervisord.conf file. | uncommon anomalous
BH13055 | Accesses the /etc/skel directory. | uncommon
BH13056 | Accesses the /etc/incron.d directory. | uncommon anomalous important
BH13057 | Accesses the /etc/incron.conf file. | uncommon anomalous
BH13058 | Accesses a .git directory. | uncommon
BH13059 | Accesses a .svn directory. | uncommon
BH13066 | Accesses the /etc/environment.d directory. | anomalous
BH13067 | Accesses /etc/exports. | uncommon anomalous
BH13068 | Accesses the /etc/lxc/default.conf file. | uncommon anomalous
BH13069 | Accesses the /etc/lxc/lxc-usernet file. | uncommon anomalous
BH13119 | Accesses OfflineIMAP configuration file. | uncommon anomalous
BH13120 | Accesses the KDE daemon configuration file. | anomalous
BH13121 | Accesses the KDE desktop session configuration file. | anomalous
BH13123 | Accesses the i3wm configuration. | uncommon anomalous
BH13124 | Accesses the Sway configuration. | anomalous
BH13125 | Accesses the bspwm configuration. | anomalous
BH13128 | Deletes a file/directory using reflection. | uncommon
BH13129 | Modifies file/directory permissions using reflection. | uncommon
BH13149 | Modifies file/directory attributes using reflection. | uncommon
BH13150 | Changes file ownership using reflection. | anomalous
BH13151 | Changes group ownership of a file or directory using reflection. | anomalous
BH13153 | Sets the 'system file' attribute to files/directories using reflection. | anomalous
BH13173 | Creates a virtual sysfs attribute file for a device. | uncommon
BH13174 | Removes a virtual sysfs attribute file from a device. | uncommon
BH13179 | Creates a virtual sysfs attribute file for a device driver. | uncommon
BH13180 | Removes a virtual sysfs attribute file from a device driver. | uncommon
BH13194 | Modifies a shell configuration file. | uncommon
BH13219 | Uses Linux kernel APIs for access to the virtual filesystem. | uncommon
BH13220 | Uses Linux kernel APIs for access to the debugfs filesystem. | uncommon
BH13221 | Uses Linux kernel APIs for access to the sysfs filesystem. | uncommon
BH13222 | Uses Linux kernel APIs for access to the procfs filesystem. | uncommon
BH13247 | Serializes data into the standard URL-encoded notation. | uncommon
BH13248 | Serializes data into the JSON format. |
BH13292 | Serializes data into the XML format. | uncommon
BH13312 | Uses methods for manipulating other Pickle files in Pickle-serialized data. | malicious uncommon anomalous
BH13313 | Deletes temporary files. | anomalous
BH13327 | Creates/Opens a file. |
BH13328 | Reads from files. |
BH13329 | Writes to files. |
BH13335 | Creates/opens files in Windows system directories. |
BH13336 | Reads from files in Windows system directories. |
BH13337 | Creates/opens files in common user, data or temporary directories. |
BH13338 | Reads from files in common user, data, or temporary directories. |
BH13339 | Writes to files in common user, data, or temporary directories. |
BH13352 | Creates a directory. |
BH13353 | Removes a directory. |
BH13354 | Writes data to Outlook contact/address book. |
BH13369 | Creates symbolic\hard links to files or directories. |
BH13370 | Mounts filesystems or other media. |
BH13371 | Unmounts filesystems or other media. |
BH13372 | Lists directory contents. |
BH13373 | Accesses command line execution history. |
BH13379 | Renames files. |
BH13382 | Empties the Recycle Bin. |
BH13385 | Copies, moves, renames, or deletes a file system object. |
BH13389 | Creates temporary files. |
BH13391 | Copies a file. |
BH13392 | Copies files to common user, data, or temporary directories. |
BH13401 | Opens a file for reading or writing. |
BH13405 | Sets or updates the file pointer position within an open file. |
BH13407 | Flushes the file's buffer to disk. |
BH13410 | Queries the size of a file. |
BH13416 | Queries file attributes. |
BH13423 | Changes the current directory. |
BH13425 | Queries the timestamp of a file/directory. |
BH13426 | Queries version information of a file. |
BH13433 | Checks if a file or a directory exists. |
BH13434 | Closes a previously open file. |
BH13441 | Queries the file type of a file. |
BH13442 | Changes the size of a file. |
BH13444 | Queries file information. |
BH13445 | Changes file information. |
BH13453 | Reads a value from a standard format .ini file. |
BH13454 | Writes a value to a standard format .ini file. |
BH13465 | Changes the current working directory. |
BH13466 | Opens a file. |
BH13467 | Queries the text encoding used in a file. |
BH13468 | Moves a file. |
BH13481 | Copies a file/directory. |
BH13497 | Creates a symbolic link to a file or directory. |
BH13521 | Imports the java.nio.file.Files class, which contains methods for file manipulation. |
BH13538 | Exports data to file. |
BH13546 | Might cache requests. |
BH13555 | Might store data using IndexedDB. |
BH13578 | Uses json-related functions. |
BH13581 | Renames a file or directory. |
BH13800 | Accesses a previously opened file in VS Code. |
BH13801 | Saves a file. |
BH13820 | Accesses the file system. |
BH13826 | Makes changes to files in the workspace. |
BH13828 | Accesses the VS Code extension secrets storage. |
BH15146 | Encrypts a file. | anomalous
BH15148 | Encrypts files using cipher tool. | anomalous
BH15151 | Encrypts or encodes data in memory using the Windows Cryptography API. | uncommon
BH15152 | Encrypts or encodes files and other data using the Windows Cryptography API. | uncommon
BH15187 | Encodes data using the Base32 algorithm. | uncommon
BH15189 | Encodes data using the Base16 algorithm. |
BH15190 | Decodes data using the Base16 algorithm. | uncommon
BH15191 | Encodes data using the Ascii85 algorithm. | uncommon anomalous
BH15192 | Decodes data using the Ascii85 algorithm. | uncommon anomalous
BH15193 | Encodes data using the Base85 algorithm. | uncommon anomalous
BH15194 | Decodes data using the Base85 algorithm. | uncommon anomalous
BH15199 | Encodes data using the BinHex4 algorithm. | uncommon
BH15200 | Decodes data using the BinHex4 algorithm. | uncommon
BH15210 | Decrypts encrypted data with openssl. | anomalous
BH15211 | Encrypts data with openssl. | uncommon anomalous
BH15212 | Encrypts data with gpg. | uncommon anomalous
BH15213 | Decrypts data with gpg. | uncommon
BH15214 | Decompresses a Zip archive. | uncommon
BH15215 | Decompresses a Rar archive. | uncommon
BH15216 | Decompresses a Tar archive. | uncommon
BH15229 | Encodes data using the Base64 algorithm using reflection. | uncommon
BH15230 | Decodes data using the Base64 algorithm using reflection. | uncommon
BH15231 | Creates/Opens a Zip archive for writing. | uncommon
BH15232 | Adds files to a Zip archive. | uncommon
BH15233 | Writes compressed data to a Zip archive. | uncommon
BH15237 | Calculates the MD5 hash of data. |
BH15238 | Calculates the SHA-1 hash of data. |
BH15239 | Calculates the SHA-256 hash of data. |
BH15240 | Calculates the MD4 hash of data. | uncommon
BH15241 | Calculates the RIPEMD160 hash of data. | uncommon
BH15242 | Calculates the SHA-224 hash of data. | uncommon
BH15243 | Calculates the SHA-3 hash of data. | uncommon
BH15244 | Calculates the SHA-384 hash of data. | uncommon
BH15245 | Calculates the SHA-512 hash of data. | uncommon
BH15246 | Calculates the SM3 hash of data. | uncommon anomalous
BH15247 | Calculates the BLAKE-2 hash of data. | uncommon anomalous
BH15248 | Calculates the SHAKE-128 hash of data. | uncommon
BH15249 | Calculates the SHAKE-256 hash of data. | uncommon
BH15250 | Calculates the WHIRLPOOL hash of data. | uncommon
BH15287 | Calculates the MD5 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous
BH15288 | Calculates the RIPEMD160 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous
BH15289 | Calculates the SHA-1 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous
BH15290 | Calculates the SHA-256 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous
BH15291 | Calculates the SHA-384 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous
BH15292 | Calculates the SHA-512 hash of data and encodes it using the Base64 algorithm. | uncommon anomalous
BH15293 | Encodes data using the Bubble Babble algorithm. | uncommon anomalous
BH15298 | Calculates a cryptographic hash of data and encodes it using the Base64 algorithm. | uncommon anomalous
BH15299 | Creates a cryptographic hash of file contents. | uncommon
BH15301 | Calculates the SHA-512/224 hash of data. | uncommon
BH15302 | Calculates the SHA-512/256 hash of data. | uncommon
BH15313 | Encodes data using the ASN.1 DER encoding. | uncommon
BH15314 | Decodes data using the ASN.1 DER encoding. | uncommon
BH15315 | Encodes data using the PEM encoding. | uncommon
BH15316 | Decodes data using the PEM encoding. | uncommon
BH15326 | The file is encrypted or contains an encrypted file. |
BH16355 | Might use Web Storage API. |
BH17101 | Accesses /etc/environment file. | uncommon
BH17102 | Accesses /etc/group file. | uncommon
BH17103 | Accesses /etc/gshadow file. | uncommon anomalous
BH17104 | Accesses /etc/init.d directory. | uncommon
BH17105 | Accesses /etc/login.defs file. | uncommon
BH17106 | Accesses /etc/network/interfaces file. | uncommon
BH17107 | Accesses /etc/networks file. | uncommon anomalous
BH17108 | Accesses /etc/pam.d/chpasswd file. | anomalous
BH17109 | Accesses /etc/passwd file. | uncommon
BH17110 | Accesses /etc/rc.d directory. | uncommon
BH17112 | Accesses /etc/shells file. | uncommon
BH17113 | Accesses /etc/subgid file. | uncommon
BH17114 | Accesses /etc/subuid file. | uncommon
BH17115 | Accesses /etc/usertty file. | anomalous
BH17116 | Accesses rc.local file. | uncommon
BH17146 | Modifies Bitcoin wallet files. | anomalous
BH17147 | Accesses Bitcoin wallet files. | anomalous important
BH17237 | Writes data to AIM user account settings. | anomalous
BH17238 | Writes data to Chrome certificate databases. | uncommon anomalous
BH17239 | Writes data to Chrome cookie databases. | uncommon anomalous
BH17240 | Writes data to Chrome navigation history databases. | uncommon anomalous
BH17241 | Writes data to Chrome session databases. | uncommon important
BH17242 | Writes data to Chrome stored credentials databases. | uncommon important
BH17243 | Writes data to Chromium certificate databases. | uncommon anomalous
BH17244 | Writes data to Chromium cookie databases. | uncommon anomalous
BH17245 | Writes data to Chromium navigation history databases. | uncommon anomalous
BH17246 | Writes data to Chromium preferences databases. | uncommon anomalous
BH17247 | Writes data to Chromium session databases. | uncommon anomalous
BH17248 | Writes data to Chromium stored credentials databases. | important uncommon anomalous
BH17249 | Writes data to Firefox add-on databases. | anomalous
BH17250 | Writes data to Firefox anti-phishing databases. | anomalous
BH17251 | Writes data to Firefox certificate databases. | uncommon anomalous
BH17252 | Writes data to Firefox cookie databases. | uncommon anomalous
BH17253 | Writes data to Firefox MIME plugin/configuration databases. | anomalous
BH17254 | Writes data to Firefox navigation history databases. | uncommon anomalous
BH17255 | Writes data to Firefox preferences databases. | uncommon anomalous
BH17256 | Writes data to Firefox saved form data databases. | uncommon anomalous
BH17257 | Writes data to Firefox security module database. | anomalous
BH17258 | Writes data to Firefox session databases. | anomalous uncommon
BH17259 | Writes data to Firefox stored credentials databases. | uncommon
BH17260 | Writes data to iChat user account settings. | anomalous
BH17261 | Writes data to Internet Explorer cookie databases. | uncommon anomalous
BH17262 | Writes data to Internet Explorer navigation history databases. | uncommon anomalous
BH17263 | Writes data to Internet Explorer preferences databases. | anomalous
BH17264 | Writes data to Netscape add-on databases. | anomalous
BH17265 | Writes data to Netscape certificate databases. | anomalous
BH17266 | Writes data to Netscape contact/address book. | anomalous
BH17267 | Writes data to Netscape cookie databases. | anomalous
BH17268 | Writes data to Netscape integrated instant messaging databases. | anomalous
BH17269 | Writes data to Netscape mailbox files. | anomalous
BH17270 | Writes data to Netscape MIME plugin/configuration databases. | anomalous
BH17271 | Writes data to Netscape navigation history databases. | important uncommon anomalous
BH17272 | Writes data to Netscape preferences databases. | uncommon anomalous
BH17273 | Writes data to Netscape saved form data databases. | anomalous
BH17274 | Writes data to Netscape security module database. | anomalous
BH17275 | Writes data to Netscape stored credentials databases. | important uncommon anomalous
BH17276 | Writes data to Opera cookie databases. | uncommon anomalous
BH17277 | Writes data to Opera navigation history databases. | uncommon anomalous
BH17278 | Writes data to Opera preferences databases. | uncommon anomalous
BH17279 | Writes data to Opera stored credentials databases. | important uncommon anomalous
BH17280 | Writes data to Outlook email/contact backups. | uncommon anomalous
BH17281 | Writes data to Outlook mailbox files. | uncommon anomalous
BH17282 | Writes data to Outlook offline/cached items. | uncommon anomalous
BH17283 | Writes data to Pidgin stored credentials. | anomalous
BH17284 | Writes data to Safari cookie databases. | uncommon anomalous
BH17285 | Writes data to Safari navigation history databases. | uncommon anomalous
BH17286 | Writes data to Safari session databases. | uncommon anomalous
BH17287 | Writes data to Skype chat history database. | anomalous
BH17288 | Writes data to Skype stored credentials. | anomalous
BH17289 | Writes data to Thunderbird certificate database. | anomalous
BH17290 | Writes data to Thunderbird cookie files. | anomalous
BH17291 | Writes data to Thunderbird download history database. | anomalous
BH17292 | Writes data to Thunderbird extension database. | anomalous
BH17293 | Writes data to Thunderbird mailbox files. | uncommon anomalous
BH17294 | Writes data to Thunderbird stored credentials. | anomalous
BH17295 | Writes data to Windows Mail stored credentials. | anomalous
BH17296 | Modifies log files. | uncommon
BH17297 | Modifies SSH key files. | uncommon
BH17298 | Modifies user login log files. | uncommon
BH17307 | Accesses user login log files. | uncommon
BH17362 | Writes data to the Chrome local state file which contains the encryption key for local databases. | uncommon important
BH17364 | Writes data to the Chromium local state file which contains the encryption key for local databases. | uncommon anomalous
BH17366 | Writes data to the Opera local state file which contains the encryption key for local databases. | uncommon anomalous
BH17368 | Writes data to the Vivaldi browser's local state file which contains the encryption key for local databases. | uncommon anomalous
BH17370 | Writes data to the Yandex browser's local state file which contains the encryption key for local databases. | uncommon anomalous
BH17373 | Writes data to Vivaldi browser's stored credentials databases. | important uncommon anomalous
BH17376 | Writes data to Yandex browser's stored credentials databases. | important uncommon anomalous
BH17379 | Writes data to the Firefox profiles.ini file which contains information about profiles and the path to the directory with local databases. | uncommon
BH17381 | Writes data to the Microsoft Edge local state file which contains the encryption key for local databases. | uncommon anomalous
BH17383 | Writes data to Microsoft Edge stored credentials databases. | uncommon anomalous
BH17386 | Writes data to Safari stored credentials databases. | important uncommon anomalous
BH17388 | Writes data to the SeaMonkey browser's profiles.ini file which contains information about profiles and the path to the directory with local databases. | important uncommon anomalous
BH17390 | Writes data to SeaMonkey browser's stored credentials databases. | important uncommon anomalous
BH17393 | Writes data to the Waterfox browser's profiles.ini file which contains information about profiles and the path to the directory with local databases. | anomalous uncommon
BH17395 | Writes data to Waterfox browser's stored credentials databases. | anomalous
BH17398 | Writes data to the Brave browser's local state file which contains the encryption key for local databases. | uncommon anomalous
BH17400 | Writes data to Brave browser's stored credentials databases. | uncommon anomalous
BH17405 | Writes data to files containing encrypted Windows Data Protection API master keys. | important uncommon anomalous
BH17407 | Writes data to files containing encrypted credentials from the Windows Credential Manager. | uncommon anomalous
BH17415 | Writes data to files containing SSL certificates installed on the system. | uncommon
BH17428 | Writes data to Eudora stored credentials. | anomalous
BH17430 | Writes data to GroupMail stored credentials. | anomalous
BH17437 | Accesses system logs. | uncommon
BH18244 | Accesses the /etc/selinux/config file. | uncommon anomalous
BH18246 | Accesses the /etc/apparmor directory. | uncommon anomalous
BH19148 | Enumerates default folder locations. | anomalous
BH19173 | Enumerates file systems. | anomalous
BH19182 | Enumerates index path. | anomalous
BH19357 | Gets information about .pfx certificate files on the computer. | uncommon
BH19360 | Gets information about document file. | uncommon
BH19362 | Gets information about the Authenticode signature for a file. | uncommon
BH19366 | Gets information about volumes that BitLocker can protect. | uncommon
BH19473 | Accesses the /etc/lsb-release file. | uncommon
BH19474 | Accesses the /proc/cpuinfo pseudo-file. | uncommon
BH19475 | Accesses the /proc/kmsg pseudo-file. | uncommon
BH19567 | Might enumerate available storage. |
BH20178 | Uses PowerSploit/Empire command to convert objects into a series of comma-separated (CSV) strings and save the strings in a CSV file. | anomalous malicious uncommon
BH20179 | Uses PowerSploit/Empire command to copy a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. | anomalous malicious uncommon
BH20183 | Uses PowerSploit/Empire command to create a new volume shadow copy. | anomalous malicious uncommon
BH20189 | Uses PowerSploit/Empire command to encrypt text file or script. | anomalous malicious uncommon
BH20242 | Uses PowerSploit/Empire command to mount a volume shadow copy. | anomalous malicious uncommon
BH20246 | Uses PowerSploit/Empire command to patch in the specified command to a pre-compiled C# service executable and write the binary out. | anomalous malicious uncommon
BH20254 | Uses PowerSploit/Empire command to remove a volume shadow copy. | anomalous malicious uncommon
BH20259 | Uses PowerSploit/Empire command to restore a service binary backed up by Install-ServiceBinary. | anomalous malicious uncommon
BH20311 | Uses PowerSploit/Empire command to set the binary path for a service to a specified value. | anomalous malicious uncommon