BH12102 | Accesses ARP records. | |
BH12106 | Accesses firewall settings. | |
BH12109 | Accesses the IP routing table. | |
BH12114 | Accesses OData services. | |
BH12118 | Accesses system network services registry keys. | |
BH12125 | Adds a new remote desktop connection permission using WMI. | |
BH12130 | Adds attachments to e-mails. | |
BH12136 | Allows a remote desktop connection using WMI. | |
BH12149 | Changes a remote desktop connection permission using WMI. | |
BH12195 | Contains references to anonymous e-mail providers. | |
BH12202 | Creates a new VPN configuration. | |
BH12205 | Creates a UDP socket bound to an incoming connection. | |
BH12243 | Disables a network interface. | |
BH12319 | Enables the promiscuous mode. | |
BH12351 | Executes a SOAP request (Remote Procedure Call). | |
BH12356 | Flushes and resets the contents of the DNS client resolver cache. | |
BH12384 | Inserts ARP table entries. | |
BH12396 | Launches a URL in a browser window. | |
BH12400 | Listens on incoming network connections. | |
BH12409 | Locates network services using DNS-SD. | |
BH12434 | Monitors network requests. | |
BH12435 | Monitors network traffic. | |
BH12453 | Monitors VPN session for new packets. | |
BH12465 | Performs network scanning with nmap. | |
BH12483 | Removes a system from a domain or a workgroup using WMI. | |
BH12486 | Removes ARP table entries. | |
BH12489 | Removes network shares. | |
BH12563 | Sets the broadcast address for an interface. | |
BH12565 | Sets the proxy settings for the specified job. | |
BH12589 | Submits a form to a URL. | |
BH12622 | Tampers with DirectAccess connection settings. | |
BH12628 | Tampers with DNS client settings. | |
BH12629 | Tampers with DNS configuration. | |
BH12630 | Tampers with DNS server or zone configuration. | |
BH12631 | Tampers with DNS server settings. | |
BH12632 | Tampers with DNS. | |
BH12633 | Tampers with domain's DNS server search ordering. | |
BH12647 | Tampers with files on a remote server using WebDAV. | |
BH12664 | Tampers with the IP routing table. | |
BH12665 | Tampers with IPv4-to-IPv6 settings. | |
BH12667 | Tampers with Kerberos and Key Distribution Center (KDC) setup. | |
BH12672 | Tampers with local or remote Web Services for Management (WS-Management) configuration information. | |
BH12680 | Tampers with network access using .NET implementation of Windows Sockets API. | |
BH12684 | Tampers with network connection profile settings. | |
BH12688 | Tampers with network interfaces. | |
BH12716 | Tampers with Remote Desktop settings. | |
BH12717 | Tampers with remote devices using Intelligent Platform Management Interface (IPMI) or WS-Management (WSMAN) protocol. | |
BH12725 | Tampers with Server Message Block (SMB) Shares. | |
BH12727 | Tampers with service account proxy settings. | |
BH12741 | Tampers with system network settings. | |
BH12746 | Tampers with temporary or persistent mapped network drives. | |
BH12747 | Tampers with Terminal Services. | |
BH12762 | Tampers with VNC registry keys. | |
BH12808 | Uses bitsadmin command line tool. | |
BH12823 | Maps a network drive. | |
BH12888 | Adds a network link. | |
BH12889 | Deletes a network link. | |
BH12890 | Changes network link attributes. | |
BH12891 | Adds a network address. | |
BH12892 | Changes a network address. | |
BH12893 | Replaces a network address. | |
BH12894 | Deletes a network address. | |
BH12895 | Adds a network neighbour. | |
BH12896 | Changes a network neighbour. | |
BH12897 | Replaces a network neighbour. | |
BH12898 | Deletes a network neighbour. | |
BH12899 | Blocks a wireless device. | |
BH12900 | Unblocks a wireless device. | |
BH12951 | Adds a new network namespace. | |
BH12952 | Deletes a network namespace. | |
BH12953 | Attaches a network namespace to a process. | |
BH12955 | Assigns an id to a peer network namespace. | |
BH13007 | Copies file from/to a remote host, using SCP. | |
BH13014 | Adds a network route. | |
BH13015 | Deletes a network route. | |
BH13016 | Sets a network route. | |
BH13017 | Changes a network route. | |
BH13085 | Manages and attaches LXD instances to networks. | |
BH13112 | Makes changes to a wireless network interface. | |
BH13154 | Retrieves a JAR archive based on its URL. | |
BH13155 | Retrieves a JAR archive based on its URL using reflection. | |
BH13156 | Retrieves a file from a JAR archive based on its URL. | |
BH13157 | Retrieves a file from a JAR archive based on its URL using reflection. | |
BH13160 | Connects to a database. | |
BH13161 | Connects to a database using reflection. | |
BH13164 | Adds attachments to e-mails using reflection. | |
BH13224 | Writes data to the Name Service Switch (NSS) configuration file. | |
BH13235 | Writes data to the /etc/host.conf file, which contains configuration information specific to the resolver library. | |
BH13240 | Writes data to the /etc/config/resolv.conf file. | |
BH15153 | Encrypts or encodes network communications. | |
BH16102 | Contains URLs related to credit card companies. | |
BH16103 | Contains URLs related to online payment services. | |
BH16104 | Contains URLs that contain basic authentication credentials. | |
BH16105 | Contains URLs that link to blacklisted domains. | |
BH16106 | Contains URLs that link to deceptive file formats. | |
BH16107 | Contains URLs that link to interesting file formats. | |
BH16108 | Contains URLs that match known malware resource paths. | |
BH16109 | Contains URLs that redirect to malicious domains. | |
BH16110 | Contains URLs that use homoglyph spoofed variations of trusted domains. | |
BH16111 | Contains URLs that use non-standard ports. | |
BH16112 | Contains URLs that use punycode spoofed variations of trusted domains. | |
BH16113 | Contains URLs that use sign-in paths specific for some whitelisted domains. | |
BH16114 | Contains URLs that use suspicious top-level domains. | |
BH16115 | Contains URLs that use trusted domains as subdomains. | |
BH16116 | Contains URLs that use typosquatted variations of trusted domains. | |
BH16117 | Contains URLs with suspicious path components. | |
BH16118 | Contains URLs with suspicious query parameters. | |
BH16119 | Contains URLs related to Bitcoin exchange services. | |
BH16120 | Contains URLs related to Bitcoin laundering services. | |
BH16121 | Contains URLs related to Bitcoin mining pools. | |
BH16122 | Contains URLs related to paste-and-share services. | |
BH16123 | Contains URLs related to URL shortener services. | |
BH16124 | Contains URLs that reference the host by IP address. | |
BH16125 | Contains URLs that link to dynamic DNS services. | |
BH16126 | Contains URLs related to cloud storage services. | |
BH16127 | Contains references to TOR/hidden services URLs. | |
BH16128 | Connects a Remote Desktop Services session to an existing session. | |
BH16129 | Connects to a Remote Desktop license server. | |
BH16130 | Connects to a Remote Desktop Session Host server. | |
BH16131 | Connects to a remote server via openssl. | |
BH16132 | Connects to a remote system using WMI. | |
BH16134 | Connects to an Egress-Assess server and transfers information. | |
BH16135 | Connects to a SOAP service. | |
BH16136 | Connects to web services. | |
BH16137 | Contains a reference to an SMB resource that leaks NetNTLM hashes. | |
BH16140 | Downloads a file in an unusual way. | |
BH16141 | Downloads a file using bitsadmin. | |
BH16144 | Downloads a file using certutil. | |
BH16145 | Downloads a file. | |
BH16146 | Downloads and executes data or a payload from a remote location. | |
BH16147 | Downloads and runs a script. | |
BH16148 | Downloads data or a payload from a remote location. | |
BH16149 | Downloads files in background via FTP. | |
BH16150 | Downloads files in background via HTTP. | |
BH16151 | Downloads files through DDE. | |
BH16152 | Downloads files through FTP. | |
BH16153 | Downloads files through the command line. | |
BH16154 | Downloads files via HTTP. | |
BH16155 | Downloads files via proxy. | |
BH16156 | Uploads a file. | |
BH16157 | Uploads files through FTP. | |
BH16158 | Uploads one or more files using bitsadmin. | |
BH16160 | Uses FTP communication protocol. | |
BH16161 | Checks for network connectivity. | |
BH16163 | Uses IRC communication protocol. | |
BH16164 | Receives data from a connected TCP socket. | |
BH16165 | Receives data from an open UDP socket. | |
BH16166 | Receives data over the network. | |
BH16167 | Makes HTTP GET requests. | |
BH16168 | Connects through HTTP. | |
BH16169 | Connects through FTP using external applications. | |
BH16170 | Connects through Telnet using external applications. | |
BH16171 | Asynchronously transfers a small amount of data over HTTP. | |
BH16172 | Transfers files using Background Intelligent Transfer Service (BITS). | |
BH16173 | Sends an IP packet through the VPN tunnel. | |
BH16174 | Sends data on a connected TCP socket. | |
BH16175 | Sends data on an open UDP socket. | |
BH16177 | Sends e-mails. | |
BH16178 | Opens a TCP socket listening for an incoming connection. | |
BH16179 | Opens a TCP connection to a remote server. | |
BH16180 | Opens a UDP connection to a remote server. | |
BH16181 | Permits an incoming connection on a TCP socket. | |
BH16182 | Sets the internet proxy to use for FTP access. | |
BH16183 | Sets which internet proxy is used for HTTP access. | |
BH16184 | Sends or exfiltrates data over the network. | |
BH16185 | Sends out an e-mail message with or without user interaction. | |
BH16186 | Sends ping packets. | |
BH16188 | Sends commands through FTP. | |
BH16189 | Connects through Telnet. | |
BH16190 | Reads data through Telnet. | |
BH16191 | Sends data through Telnet. | |
BH16192 | Deletes files over FTP connection. | |
BH16193 | Deletes directories through FTP. | |
BH16194 | Renames files or directories over FTP connection. | |
BH16195 | Downloads files in silent mode via HTTP. | |
BH16196 | Enables a network interface. | |
BH16197 | Connects to a remote host via a Bash-specific /dev/tcp/ file descriptor. | |
BH16198 | Connects to a remote host via a Bash-specific /dev/udp/ file descriptor. | |
BH16199 | Connects to a remote server via netcat. | |
BH16200 | Opens an SSH tunnel. | |
BH16201 | Forwards an X11 session via SSH. | |
BH16202 | Connects to a remote host via SSH. | |
BH16203 | Opens a socat openssl listening socket. | |
BH16204 | Connects to a remote openssl server via socat. | |
BH16205 | Sends ARP requests to a neighbour host. | |
BH16206 | Looks up NetBIOS names. | |
BH16207 | Browses mDNS/DNS-SD services. | |
BH16208 | Registers an mDNS/DNS-SD service. | |
BH16209 | Connects to an SMB/CIFS host. | |
BH16210 | Lists the services or shares of an SMB/CIFS host. | |
BH16211 | Opens a TCP socket listening for an incoming connection using reflection. | |
BH16212 | Opens a TCP socket to a remote server using reflection. | |
BH16213 | Opens a UDP socket to a remote server using reflection. | |
BH16214 | Permits an incoming connection on a TCP socket using reflection. | |
BH16215 | Receives data from a connected TCP socket using reflection. | |
BH16216 | Receives data from an open UDP socket using reflection. | |
BH16217 | Sends data on a connected TCP socket using reflection. | |
BH16218 | Sends data on an open UDP socket using reflection. | |
BH16219 | Creates a UDP socket bound to an incoming connection using reflection. | |
BH16220 | Opens a URL. | |
BH16221 | Opens a URL using reflection. | |
BH16222 | Connects through HTTP using reflection. | |
BH16223 | Creates an HTTP server. | |
BH16224 | Creates an HTTP server using reflection. | |
BH16225 | Handles HTTP requests. | |
BH16226 | Handles HTTP requests using reflection. | |
BH16227 | Listens for incoming remote procedure calls. | |
BH16228 | Connects through HTTPS. | |
BH16229 | Connects through HTTPS using reflection. | |
BH16230 | Creates a socket. | |
BH16231 | Creates a socket using reflection. | |
BH16232 | Creates an HTTPS server. | |
BH16233 | Creates an HTTPS server using reflection. | |
BH16234 | Handles HTTPS requests. | |
BH16235 | Handles HTTPS requests using reflection. | |
BH16236 | Sends emails using reflection. | |
BH16237 | Adds cookies to an HTTP response. | |
BH16238 | Adds cookies to an HTTP response using reflection. | |
BH16239 | Modifies data of an HTTP session. | |
BH16240 | Modifies data of an HTTP session using reflection. | |
BH16241 | Contains domains related to coinmining services. | |
BH16242 | Contains URIs that reference coinminer-related files. | |
BH16243 | Contains domains used for intercepting and inspecting HTTP requests. | |
BH16244 | Connects to a remote server through the WebSocket protocol. | |
BH16245 | Connects to a remote server through the WebSocket protocol using reflection. | |
BH16246 | Receives data through the WebSocket protocol. | |
BH16247 | Receives data through the WebSocket protocol using reflection. | |
BH16248 | Sends data through the WebSocket protocol. | |
BH16249 | Sends data through the WebSocket protocol using reflection. | |
BH16250 | Adds a message body to an HTTP request. | |
BH16251 | Adds a message body to an HTTP request using reflection. | |
BH16252 | Adds cookies to an HTTP request. | |
BH16253 | Adds cookies to an HTTP request using reflection. | |
BH16254 | Adds a message body to an HTTP response. | |
BH16255 | Adds a message body to an HTTP response using reflection. | |
BH16256 | Extracts the message body from an HTTP response. | |
BH16257 | Extracts the message body from an HTTP response using reflection. | |
BH16258 | Starts the HTTP or HTTPS server listening for incoming connections. | |
BH16259 | Creates a custom Agent object for managing HTTP or HTTPS connection persistence. | |
BH16260 | Configures HTTP Alternative Services. | |
BH16261 | Configures HTTP/2 ORIGIN frame. | |
BH16262 | Starts an HTTP/2 session. | |
BH16263 | Sends a file as an HTTP response. | |
BH16264 | Updates HTTP/2 server settings. | |
BH16265 | Creates a TCP or IPC server. | |
BH16266 | Enables/Disables keep-alive functionality. | |
BH16267 | Starts a TCP or IPC server listening for incoming connections. | |
BH16268 | Sets custom DNS resolution servers. | |
BH16269 | Adds a rule to block IP addresses. | |
BH16270 | Creates a new TLS socket from an existing TCP socket. | |
BH16271 | Initiates TLS renegotiation process. | |
BH16272 | Enables TLS packet trace. | |
BH16273 | Gets information on the negotiated TLS cipher suite. | |
BH16274 | Gets the local TLS certificate. | |
BH16275 | Creates a TLS server. | |
BH16276 | Starts a TLS server listening for incoming connections. | |
BH16277 | Gets TLS session ticket keys. | |
BH16278 | Changes TLS ticket keys for future server connections. | |
BH16279 | Sets or clears UDP broadcast option. | |
BH16280 | Issues DNS queries. | |
BH16281 | Uses Linux kernel APIs for creating and controlling socket buffers. | |
BH16282 | Uses Linux kernel APIs for network device management. | |
BH16283 | Uses Linux kernel APIs for physical layer network device (PHY device) management. | |
BH16284 | Uses Linux kernel APIs for access to the Sun RPC (remote procedure call) subsystem. | |
BH16285 | Sends HTTP requests to a known exploitable endpoint of some Huawei routers. | |
BH16286 | Sends HTTP requests to a known exploitable endpoint of some Dasan GPON routers. | |
BH16287 | Sends HTTP requests to a known exploitable endpoint of some D-Link routers. | |
BH16288 | Sends HTTP requests to a known exploitable endpoint of some devices using Realtek SDK. | |
BH16289 | Sends HTTP requests to a known exploitable endpoint of some Netgear routers. | |
BH16290 | Sends HTTP requests to a known exploitable endpoint of some Eir routers. | |
BH16291 | Sends HTTP requests to a known exploitable endpoint of some Hongdian devices. | |
BH16292 | Sends HTTP requests to a known exploitable endpoint of some websites created with Liferay Portal. | |
BH16293 | Sends HTTP requests to a known exploitable endpoint of some Crestron devices. | |
BH16294 | Sends HTTP requests to a known exploitable endpoint of some HooToo routers. | |
BH16295 | Sends HTTP requests to a known exploitable endpoint of some Citrix application delivery controllers. | |
BH16296 | Sends HTTP requests to a known exploitable endpoint of some Vacron network video recorders. | |
BH16297 | Sends HTTP requests to a known exploitable endpoint of some CCTV devices. | |
BH16298 | Sends HTTP requests to a known exploitable endpoint of some Zyxel routers. | |
BH16299 | Sends HTTP requests to a known exploitable endpoint of some Linksys routers. | |
BH16300 | Sends HTTP requests to a known exploitable endpoint of some ZTE routers. | |
BH16301 | Sends HTTP requests to a known exploitable endpoint of some Pulse Connect Secure SSL VPNs. | |
BH16302 | Sends HTTP requests to a known exploitable endpoint of some Cloudflare CAPTCHA protection mechanisms. | |
BH16303 | Makes HTTP POST requests. | |
BH16304 | Contains domains related to OAST (out-of-band application security testing) tools. | |
BH16305 | Contains URLs related to anonymous file-sharing services. | |
BH16306 | Contains URLs related to IP querying services. | |
BH16307 | Contains URLs related to release pages of projects hosted on GitHub. | |
BH16308 | Contains URLs related to release pages of projects hosted on GitLab. | |
BH16309 | Contains URLs that link to raw files on GitHub. | |
BH16310 | Contains URLs that link to raw files on GitLab. | |
BH16311 | Contains URLs that link to Discord attachments. | |
BH16312 | Contains URLs that link to Dropbox download pages. | |
BH16313 | Opens a TLS socket listening for an incoming connection. | |
BH16314 | Permits an incoming connection on a TLS socket. | |
BH16315 | Makes HTTP HEAD requests. | |
BH16316 | Opens a socket listening for an incoming connection. | |
BH16317 | Contains URLs related to the Telegram API. | |
BH16318 | Contains URLs related to Discord webhooks. | |
BH16320 | Contains URLs that reside in regions sanctioned by the United States. | |
BH16321 | Contains URLs that reside in regions sanctioned by the European Union. | |
BH16322 | Contains URLs related to Heroku, a platform-as-a-service (PaaS) cloud provider. | |
BH17149 | Reads data from a Remote Desktop virtual channel. | |
BH17236 | Writes data to a Remote Desktop virtual channel. | |
BH17301 | Accesses PuTTY registry keys. | |
BH17316 | Extracts cookies from an HTTP response. | |
BH17408 | Extracts cookies from an HTTP request. | |
BH17409 | Extracts cookies from an HTTP request using reflection. | |
BH17410 | Extracts data from an HTTP session. | |
BH17411 | Extracts data from an HTTP session using reflection. | |
BH17412 | Extracts cookies from an HTTP response using reflection. | |
BH17413 | Extracts data from a TLS session. | |
BH19105 | Enumerates active network connections using WMI. | |
BH19110 | Enumerates all network compartments in the protocol stack. | |
BH19113 | Enumerates asynchronous transfer mode (ATM) adapter calls. | |
BH19135 | Enumerates computers in the current domain. | |
BH19137 | Enumerates constrained delegation authorizations for an SMB client. | |
BH19146 | Enumerates DCOM interfaces using WMI. | |
BH19178 | Enumerates global TCP/IP offload settings. | |
BH19191 | Enumerates IPv4 protocol configurations. | |
BH19192 | Enumerates IPv6 protocol configurations. | |
BH19201 | Enumerates media access control (MAC) addresses for all network cards. | |
BH19202 | Enumerates media URL. | |
BH19211 | Enumerates neighbor cache entries. | |
BH19212 | Enumerates network adapters that are members of a NIC team. | |
BH19217 | Enumerates network login information using WMI. | |
BH19218 | Enumerates network settings using WMI. | |
BH19247 | Enumerates RADIUS clients. | |
BH19249 | Enumerates remote desktop connection permissions using WMI. | |
BH19279 | Enumerates SMB bandwidth caps for each traffic category. | |
BH19297 | Enumerates TCP/IP network configuration values. | |
BH19341 | Gets a netgroup. | |
BH19345 | Gets an IP interface. | |
BH19367 | Gets IP network configuration. | |
BH19389 | Gets the current network adapter members of a switch team. | |
BH19392 | Gets the extensible switch team. | |
BH19397 | Gets the IP address configuration. | |
BH19429 | Retrieves a policy file from URL. | |
BH19434 | Retrieves data from a web service on the Internet. | |
BH19444 | Retrieves the 6to4 configuration of a computer or a GPO. | |
BH19445 | Retrieves the connections established from the SMB client to the SMB servers. | |
BH19448 | Retrieves the DNS64 configuration of a computer. | |
BH19453 | Retrieves the network interfaces used by the SMB client. | |
BH19455 | Retrieves the SMB client configuration. | |
BH19459 | Gets the network link list. | |
BH19460 | Gets the network address list. | |
BH19461 | Gets a network neighbour. | |
BH19462 | Gets the network neighbour list. | |
BH19468 | Lists the firewall settings. | |
BH19501 | Queries the computer's network name and IP address. | |
BH20106 | Uses a Nishang command to capture user credentials in plaintext or SMB hashes. | |
BH20137 | Uses a Nishang command to exfiltrate information like user credentials, using WLAN SSID. | |
BH20147 | Uses a Nishang command to intercept HTTPS requests by setting up a proxy server and log them to a file. | |
BH20153 | Uses a Nishang command to perform a Brute-Force Attack against SQL Server, Active Directory, Local Accounts, Web and FTP servers. | |
BH20154 | Uses a Nishang command to query a URL for instructions, and then download and execute a PowerShell script. | |
BH20155 | Uses a Nishang command to receive commands and PowerShell scripts from DNS TXT queries. | |
BH20157 | Uses a Nishang command to run netsh port forwarding/relaying commands on remote computers. | |
BH20158 | Uses a Nishang command to scan IP addresses, ports and host names. | |
BH20162 | Uses a Nishang command to start an egress test on the target machine. | |
BH20187 | Uses PowerSploit/Empire command to do a simple port scan using regular sockets. | |
BH20213 | Uses PowerSploit/Empire command to exfiltrate data and files to a GitHub account. | |
BH20232 | Uses PowerSploit/Empire command to invoke Inveigh, a spoofer and man-in-the-middle tool. | |
BH20250 | Uses PowerSploit/Empire command to pseudo-mount a connection to a remote path using the specified credential object. | |
BH20256 | Uses PowerSploit/Empire command to request service tickets for vulnerable Kerberos accounts and return extracted ticket hashes. | |
BH20258 | Uses PowerSploit/Empire command to resolve a given hostname to its associated IPv4 address. | |
BH20284 | Uses PowerSploit/Empire command to return information about RDP connections outgoing from the local or a remote machine. | |
BH20285 | Uses PowerSploit/Empire command to return information about saved network mounted drives for the local or a remote machine. | |
BH20293 | Uses PowerSploit/Empire command to return the HTTP Status Codes and full URL for specified paths. | |
BH20303 | Uses PowerSploit/Empire command to scan an IP address range for DNS PTR records. | |
BH20316 | Uses PowerSploit/Empire command to terminate a connection created by PowerSploit/Empire command New-RemoteConnection. | |
BH20326 | Uses PowerSploit/Empire to get an IP address for a given server. | |