| BH12101 | Accesses a list of logged on users. | uncommon |
| BH12119 | Accesses the Event Log. | uncommon |
| BH12120 | Accesses webcam/microphone peripherals. | uncommon |
| BH12148 | Captures video streams from the web camera. | uncommon |
| BH12191 | Contains one or more tracking pixels. | uncommon |
| BH12213 | Creates Windows Update log files. | uncommon anomalous |
| BH12252 | Disables monitoring of system-wide notifications for application related events. | uncommon anomalous |
| BH12355 | Extracts the content of a Personal Information Exchange (PFX) file into a structure without importing it to certificate store. | uncommon |
| BH12394 | Issues system-wide notifications for events performed by the application. | uncommon |
| BH12428 | Monitors browser processes. | uncommon anomalous |
| BH12431 | Monitors installation, enabling or disabling of an app or extension. | uncommon |
| BH12432 | Monitors keyboard strokes. | uncommon |
| BH12433 | Monitors mouse movement. | uncommon anomalous |
| BH12436 | Monitors performance counters. | uncommon |
| BH12437 | Monitors system I/O devices. | uncommon |
| BH12438 | Monitors system-wide notifications for application related events. | uncommon |
| BH12439 | Monitors user input. | uncommon anomalous |
| BH12445 | Might enumerate HID devices. | uncommon anomalous |
| BH12450 | Might monitor USB devices. | anomalous |
| BH12451 | Might monitor media devices. | uncommon |
| BH12473 | Receives messages from a host environment. | anomalous |
| BH12474 | Records audio streams in WAV format from the microphone or other input devices. | uncommon |
| BH12475 | Records audio. | anomalous |
| BH12529 | Returns a list of all software packages that were installed with PackageManagement. | uncommon |
| BH12534 | Returns all registered certificate notification tasks. | uncommon |
| BH12558 | Sends messages to a host environment. | anomalous |
| BH12590 | Takes screenshots. | uncommon |
| BH12638 | Tampers with Event Trace Sessions and Performance logs. | anomalous uncommon |
| BH12670 | Tampers with keyboard/mouse status. | uncommon |
| BH12707 | Tampers with PowerShell logging and diagnostics. | uncommon |
| BH12728 | Tampers with Software Inventory Logging. | uncommon |
| BH12748 | Tampers with the Event Tracing for Windows. | uncommon |
| BH12789 | Tampers with, generate or subscribe to events. | uncommon |
| BH12849 | Possibly does API hooking. | uncommon |
| BH12921 | Monitors messages exchanged via sd-bus. | anomalous |
| BH12922 | Captures messages exchanged via sd-bus. | anomalous |
| BH12956 | Captures an X11 display. | uncommon anomalous |
| BH13035 | Records the system audio or microphone. | uncommon anomalous |
| BH13110 | Accesses a /dev/video pseudo-file. | uncommon anomalous |
| BH13355 | Monitors mouse activity. | |
| BH13377 | Emits keyboard strokes. | |
| BH13403 | Logs timestamped data to file. | |
| BH13471 | Queries if a specified process exists. | |
| BH13487 | Reads information about one or more running processes. | |
| BH13542 | Monitors battery status. | |
| BH13557 | Checks if the browser is Java-enabled. | |
| BH13558 | Checks if the browser is working online. | |
| BH13560 | Might check the value of the user's Do-Not-Track preference. | |
| BH13562 | Checks whether the browser is running in standalone mode. | |
| BH13563 | Gets the vendor name of the current browser. | |
| BH13568 | Gets the dimensions of the browser window. | |
| BH16356 | Might check if the cookies are enabled. | |
| BH19101 | Detects/enumerates running processes on local or remote computer. | uncommon |
| BH19102 | Detects/enumerates running processes. | uncommon |
| BH19103 | Enumerates access control lists for the local queue manager. | uncommon anomalous |
| BH19104 | Enumerates active and past malware threats that Windows Defender detected. | uncommon |
| BH19108 | Enumerates all currently loaded DLLs and APIs that are available to macros. | anomalous |
| BH19118 | Enumerates background task information. | uncommon |
| BH19124 | Enumerates browser processes. | anomalous |
| BH19142 | Enumerates current light level. | uncommon anomalous |
| BH19165 | Enumerates event subscribers in the current session. | uncommon |
| BH19169 | Enumerates events in the event queue. | uncommon |
| BH19195 | Enumerates known threats from the definitions catalog. | uncommon |
| BH19205 | Enumerates message queues. | uncommon anomalous |
| BH19208 | Enumerates name or version of the current browser. | |
| BH19225 | Enumerates open pages. | uncommon |
| BH19228 | Enumerates or changes current locale. | uncommon |
| BH19230 | Enumerates outgoing message queues. | uncommon anomalous |
| BH19232 | Enumerates peripherals. | uncommon |
| BH19243 | Enumerates processes on a Remote Desktop Session Host server. | uncommon important |
| BH19255 | Enumerates results of BPA scans. | uncommon |
| BH19309 | Enumerates Updating Run reports for all known Updating Runs, or all Updating Runs that match the specified dates or other specified parameters. | uncommon anomalous |
| BH19311 | Enumerates User Access Logging (UAL) records for a DNS server. | uncommon anomalous |
| BH19312 | Enumerates User Access Logging (UAL) records for client requests per user for each day. | uncommon anomalous |
| BH19313 | Enumerates User Access Logging (UAL) records of client request per device. | uncommon |
| BH19314 | Enumerates User Access Logging (UAL) records of client requests for each day. | uncommon |
| BH19315 | Enumerates User Access Logging (UAL) records of client requests per device for each day. | uncommon anomalous |
| BH19342 | Gets a queue manager. | uncommon anomalous |
| BH19351 | Gets connection pooling Performance Monitor counters. | uncommon |
| BH19368 | Gets notified when removable storage device is attached or detached. | uncommon anomalous |
| BH19374 | Gets port information for a network switch. | uncommon |
| BH19376 | Gets queue access control lists. | uncommon anomalous |
| BH19380 | Gets System Event Log entries from a PCSV device. | uncommon |
| BH19391 | Gets the details of events generated in a Server Manager event log. | uncommon anomalous |
| BH19394 | Gets the history of threats detected on the computer. | uncommon |
| BH19399 | Gets the job triggers of scheduled jobs. | uncommon |
| BH19400 | Gets the key bindings for the PSReadLine module. | uncommon |
| BH19408 | Gets the provider address for a server. | uncommon anomalous |
| BH19414 | Gets the state of the performance data collector set. | uncommon anomalous |
| BH19416 | Gets the status of Win32 services on a managed node. | uncommon anomalous |
| BH19440 | Retrieves per-volume performance metrics on a volume that is monitored by Storage QoS. | uncommon anomalous |
| BH19441 | Retrieves performance metrics on an I/O flow that is monitored by Storage QoS. | uncommon anomalous |
| BH19454 | Retrieves the properties of a Windows event log. | uncommon |
| BH19509 | Enumerates the total amount of system memory. | uncommon |
| BH19514 | Enumerates file descriptors belonging to the current process. | uncommon |
| BH19515 | Enumerates file descriptors of a process. | uncommon |
| BH19516 | Enumerates the computer's active TCP sockets. | uncommon |
| BH19517 | Enumerates the computer's active UDP sockets. | uncommon |
| BH19545 | Detects/enumerates process modules. | |
| BH19558 | Enumerates the number of logical processor cores. | |
| BH19560 | Enumerates MIME types supported by the browser. | |
| BH19561 | Enumerates the current platform of the browser. | |
| BH19562 | Enumerates plugins installed in the browser. | |
| BH19563 | Enumerates product information. | |
| BH19564 | Might enumerate user agent of the current browser. | |
| BH19568 | Enumerates display information. | |
| BH19569 | Might enumerate information about screen. | |
| BH20196 | Uses PowerSploit/Empire command to enumerate running processes on local or remote computer. | anomalous malicious uncommon |
| BH20224 | Uses PowerSploit/Empire command to find logon events on the current or a remote domain for the specified users. | anomalous malicious uncommon |
| BH20229 | Uses PowerSploit/Empire command to get useful information from a computer, like a credential logons, AppLocker events, PowerShell logs, etc. | anomalous important uncommon |
| BH20233 | Uses PowerSploit/Empire command to list available logon tokens. | anomalous malicious uncommon |
| BH20237 | Uses PowerSploit/Empire command to log keystrokes from USB keyboards using Event Tracing for Windows. | anomalous malicious |
| BH20238 | Uses PowerSploit/Empire command to log pressed key, the time and the active window when it was pressed. | anomalous malicious uncommon |
| BH20251 | Uses PowerSploit/Empire command to record audio from system microphone and save it to disk. | anomalous malicious uncommon |
| BH20267 | Uses PowerSploit/Empire command to return a list of processes and their owners on the local or a remote machine. | anomalous important uncommon |
| BH20310 | Uses PowerSploit/Empire command to search for processes on the domain using WMI. | anomalous malicious uncommon |
| BH20314 | Uses PowerSploit/Empire command to take a single screenshot. | anomalous malicious uncommon |
| BH20315 | Uses PowerSploit/Empire command to take screenshots at a regular interval and save them to a folder. | anomalous malicious uncommon |
