| BH12331 | Executes code directly from the Internet. | anomalous malicious uncommon |
| BH12381 | Injects a DLL to a DNS server. | anomalous malicious uncommon |
| BH12382 | Injects CSS into a page. | uncommon anomalous |
| BH12383 | Injects JavaScript code into a page. | uncommon |
| BH12386 | Installs or removes Windows Store apps. | uncommon |
| BH12407 | Loads additional snap-ins or modules to the current session. | uncommon |
| BH12408 | Loads additional snippets in Integrated Scripting Environment (ISE). | uncommon |
| BH13294 | Contains SigLoader tool functionality, which is used for decrypting and loading shellcode. | anomalous malicious |
| BH13544 | Might compile and link WebGL programs. | |
| BH13597 | Reads document properties. | |
| BH15217 | Contains Base64-encoded data. | uncommon |
| BH20113 | Uses a Nishang command to create a Compiled HTML Help file (.CHM) that could be used to run PowerShell commands and scripts. | anomalous malicious |
| BH20114 | Uses a Nishang command to create a JavaScript file, that could be used to run PowerShell commands and scripts. | anomalous malicious |
| BH20115 | Uses a Nishang command to create a shortcut capable of launching PowerShell commands and scripts. | anomalous malicious uncommon |
| BH20116 | Uses a Nishang command to create a Web Query (.iqy) file that can be used for phishing attacks. | anomalous malicious |
| BH20117 | Uses a Nishang command to create malicious SCT files that could be used to run PowerShell commands and scripts. | anomalous malicious |
| BH20118 | Uses a Nishang command to create SCF files that could be used to capture NTLM hashes. | anomalous malicious |
| BH20141 | Uses a Nishang command to generate a malicious HTML Application. | anomalous malicious |
| BH20142 | Uses a Nishang command to generate and modify existing Excel files with an auto-executable macro or DDE. | anomalous malicious |
| BH20143 | Uses a Nishang command to generate and modify existing Word files with an auto-executable macro or DDE. | anomalous malicious uncommon |
| BH20144 | Uses a Nishang command to generate DNS TXT records that could be used with other scripts. | anomalous malicious |
| BH20145 | Uses a Nishang command to generate JAR files to be used for Java Applet attacks. | anomalous malicious |
| BH20146 | Uses a Nishang command to generate rundll32.exe one-line commands that run PowerShell commands. | anomalous malicious |
| BH20231 | Uses PowerSploit/Empire command to install a security support provider (SSP) DLL. | anomalous malicious uncommon |
| BH20235 | Uses PowerSploit/Empire command to load Mimikatz tool in memory. | malicious uncommon anomalous |
| BH20245 | Uses PowerSploit/Empire command to patch in the path to a specified .bat (containing the specified command) into a pre-compiled hijackable C++ DLL and write the DLL out to the specified ServicePath location. | anomalous malicious uncommon |
| BH20255 | Uses PowerSploit/Empire command to replace the service binary for the specified service with one that executes a specified command as SYSTEM. | anomalous malicious uncommon |
| BH20319 | Uses PowerSploit/Empire command to write out a precompiled MSI installer that prompts for a user/group addition. | anomalous malicious uncommon |
