BH12101 | Accesses a list of logged-on users. | |
BH12119 | Accesses the Event Log. | |
BH12120 | Accesses webcam/microphone peripherals. | |
BH12148 | Captures video streams from the web camera. | |
BH12191 | Contains one or more tracking pixels. | |
BH12213 | Creates Windows Update log files. | |
BH12252 | Disables monitoring of system-wide notifications for application related events. | |
BH12355 | Extracts the content of a Personal Information Exchange (PFX) file into a structure without importing it to certificate store. | |
BH12394 | Issues system-wide notifications for events performed by the application. | |
BH12428 | Monitors browser processes. | |
BH12431 | Monitors installation, enabling or disabling of an app or extension. | |
BH12432 | Monitors keyboard strokes. | |
BH12433 | Monitors mouse movement. | |
BH12436 | Monitors performance counters. | |
BH12437 | Monitors system I/O devices. | |
BH12438 | Monitors system-wide notifications for application related events. | |
BH12439 | Monitors user input. | |
BH12445 | Might enumerate HID devices. | |
BH12450 | Might monitor USB devices. | |
BH12451 | Might monitor media devices. | |
BH12473 | Receives messages from a host environment. | |
BH12474 | Records audio streams in WAV format from the microphone or other input devices. | |
BH12475 | Records audio. | |
BH12529 | Returns a list of all software packages that were installed with PackageManagement. | |
BH12534 | Returns all registered certificate notification tasks. | |
BH12558 | Sends messages to a host environment. | |
BH12590 | Takes screenshots. | |
BH12638 | Tampers with Event Trace Sessions and Performance logs. | |
BH12670 | Tampers with keyboard/mouse status. | |
BH12707 | Tampers with PowerShell logging and diagnostics. | |
BH12728 | Tampers with Software Inventory Logging. | |
BH12748 | Tampers with Event Tracing for Windows. | |
BH12789 | Tampers with, generates or subscribes to events. | |
BH12849 | Possibly does API hooking. | |
BH12921 | Monitors messages exchanged via sd-bus. | |
BH12922 | Captures messages exchanged via sd-bus. | |
BH12956 | Captures an X11 display. | |
BH13035 | Records the system audio or microphone. | |
BH13110 | Accesses a /dev/video pseudo-file. | |
BH19101 | Detects/enumerates running processes on local or remote computer. | |
BH19102 | Detects/enumerates running processes. | |
BH19103 | Enumerates access control lists for the local queue manager. | |
BH19104 | Enumerates active and past malware threats that Windows Defender detected. | |
BH19108 | Enumerates all currently loaded DLLs and APIs that are available to macros. | |
BH19118 | Enumerates background task information. | |
BH19124 | Enumerates browser processes. | |
BH19142 | Enumerates current light level. | |
BH19165 | Enumerates event subscribers in the current session. | |
BH19169 | Enumerates events in the event queue. | |
BH19195 | Enumerates known threats from the definitions catalog. | |
BH19205 | Enumerates message queues. | |
BH19208 | Enumerates name or version of the current browser. | |
BH19225 | Enumerates open pages. | |
BH19228 | Enumerates or changes current locale. | |
BH19230 | Enumerates outgoing message queues. | |
BH19232 | Enumerates peripherals. | |
BH19243 | Enumerates processes on a Remote Desktop Session Host server. | |
BH19255 | Enumerates results of BPA scans. | |
BH19309 | Enumerates Updating Run reports for all known Updating Runs, or all Updating Runs that match the specified dates or other specified parameters. | |
BH19311 | Enumerates User Access Logging (UAL) records for a DNS server. | |
BH19312 | Enumerates User Access Logging (UAL) records for client requests per user for each day. | |
BH19313 | Enumerates User Access Logging (UAL) records of client requests per device. | |
BH19314 | Enumerates User Access Logging (UAL) records of client requests for each day. | |
BH19315 | Enumerates User Access Logging (UAL) records of client requests per device for each day. | |
BH19342 | Gets a queue manager. | |
BH19351 | Gets connection pooling Performance Monitor counters. | |
BH19368 | Gets notified when a removable storage device is attached or detached. | |
BH19374 | Gets port information for a network switch. | |
BH19376 | Gets queue access control lists. | |
BH19380 | Gets System Event Log entries from a PCSV device. | |
BH19391 | Gets the details of events generated in a Server Manager event log. | |
BH19394 | Gets the history of threats detected on the computer. | |
BH19399 | Gets the job triggers of scheduled jobs. | |
BH19400 | Gets the key bindings for the PSReadLine module. | |
BH19408 | Gets the provider address for a server. | |
BH19414 | Gets the state of the performance data collector set. | |
BH19416 | Gets the status of Win32 services on a managed node. | |
BH19440 | Retrieves per-volume performance metrics on a volume that is monitored by Storage QoS. | |
BH19441 | Retrieves performance metrics on an I/O flow that is monitored by Storage QoS. | |
BH19454 | Retrieves the properties of a Windows event log. | |
BH19509 | Enumerates the total amount of system memory. | |
BH19514 | Enumerates file descriptors belonging to the current process. | |
BH19515 | Enumerates file descriptors of a process. | |
BH19516 | Enumerates the computer's active TCP sockets. | |
BH19517 | Enumerates the computer's active UDP sockets. | |
BH20196 | Uses PowerSploit/Empire command to enumerate running processes on local or remote computer. | |
BH20224 | Uses PowerSploit/Empire command to find logon events on the current or a remote domain for the specified users. | |
BH20229 | Uses PowerSploit/Empire command to get useful information from a computer, like credential logons, AppLocker events, PowerShell logs, etc. | |
BH20233 | Uses PowerSploit/Empire command to list available logon tokens. | |
BH20237 | Uses PowerSploit/Empire command to log keystrokes from USB keyboards using Event Tracing for Windows. | |
BH20238 | Uses PowerSploit/Empire command to log the pressed key, the time and the active window when it was pressed. | |
BH20251 | Uses PowerSploit/Empire command to record audio from system microphone and save it to disk. | |
BH20267 | Uses PowerSploit/Empire command to return a list of processes and their owners on the local or a remote machine. | |
BH20310 | Uses PowerSploit/Empire command to search for processes on the domain using WMI. | |
BH20314 | Uses PowerSploit/Empire command to take a single screenshot. | |
BH20315 | Uses PowerSploit/Empire command to take screenshots at a regular interval and save them to a folder. | |