| BH12137 | Asks user to accept a potentially dangerous download. | |
| BH12141 | Attempts to authorize against a security handler. | |
| BH12162 | Changes settings that control whether websites can use features such as cookies, JavaScript, and plugins. | |
| BH12358 | Grants full permission to everyone on files or directories. | |
| BH12359 | Grants privileges to users on the local computer. | |
| BH12418 | Marks a function as trusted. | |
| BH12424 | Modifies file/directory permissions. | |
| BH12458 | Obtains a reference to a security handler. | |
| BH12470 | Raises the execution privilege of the current stack frame. | |
| BH12484 | Removes all entries for the given user in the global object access auditing list. | |
| BH12485 | Removes all entries from the global object access auditing list. | |
| BH12500 | Requests permission required for a domain controller to use LDAP directory synchronization services. | |
| BH12501 | Requests permission required to access Credential Manager as a trusted caller. | |
| BH12502 | Requests permission required to allocate more memory for applications that run in the context of users. | |
| BH12503 | Requests permission required to create a computer account. | |
| BH12504 | Requests permission required to create a paging file. | |
| BH12505 | Requests permission required to create a permanent object. | |
| BH12506 | Requests permission required to create a symbolic link. | |
| BH12507 | Requests permission required to enable volume management privileges. | |
| BH12508 | Requests permission required to enumerate system information. | |
| BH12509 | Requests permission required to generate audit-log entries. | |
| BH12510 | Requests permission required to identify itself as a part of the trusted computer base. | |
| BH12511 | Requests permission required to impersonate a client after authentication. | |
| BH12512 | Requests permission required to increase the base priority of a process. | |
| BH12513 | Requests permission required to increase the quota assigned to a process. | |
| BH12514 | Requests permission required to load or unload a device driver. | |
| BH12515 | Requests permission required to lock physical pages in memory. | |
| BH12516 | Requests permission required to mark user and computer accounts as trusted for delegation. | |
| BH12517 | Requests permission required to perform a number of security-related functions, such as controlling and viewing audit messages. | |
| BH12518 | Requests permission required to perform backup operations. | |
| BH12519 | Requests permission required to perform restore operations. | |
| BH12520 | Requests permission required to read unsolicited input from a terminal device. | |
| BH12521 | Requests permission required to receive notifications of changes to files or directories. | |
| BH12522 | Requests permission required to shut down a system using a network request. | |
| BH12523 | Requests permission required to shut down a system. | |
| BH12524 | Requests permission required to take ownership of an object without being granted discretionary access. | |
| BH12525 | Requests permission required to undock a laptop. | |
| BH12526 | Requests permission to open other processes. | |
| BH12539 | Returns the list of security policies currently available. | |
| BH12541 | Revokes privileges from users on the local computer. | |
| BH12671 | Tampers with local accounts or groups. | |
| BH12706 | Tampers with PowerShell execution policy. | |
| BH12722 | Tampers with security descriptor of a resource. | |
| BH12759 | Tampers with user permissions. | |
| BH12760 | Tampers with user/account privileges. | |
| BH12822 | Logs out of a security handler. | |
| BH13111 | Changes group ownership of a file or directory. | |
| BH19131 | Enumerates certificates in digital signature. | |
| BH19155 | Enumerates different directory handlers inside security handler. | |
| BH19263 | Enumerates security handlers. | |
| BH19278 | Enumerates signature properties. | |
| BH19330 | Enumerates user/account privilege information. | |
| BH20103 | Uses a Nishang command to add constrained delegation backdoor service accounts. | |
| BH20149 | Uses a Nishang command to modify access-control lists to provide permissions required for the DCShadow technique. | |
| BH20164 | Uses PowerSploit/Empire command to add a discretionary access-control (DACL) field to a service object returned by Get-Service. | |
| BH20165 | Uses PowerSploit/Empire command to add a domain user or group to an existing domain group, assuming appropriate permissions to do so. | |
| BH20166 | Uses PowerSploit/Empire command to add an ACL for a specific Active Directory object. | |
| BH20180 | Uses PowerSploit/Empire command to create a new domain group (assuming appropriate permissions) and return the group object. | |
| BH20188 | Uses PowerSploit/Empire command to enable a specific privilege for the current process. | |
| BH20192 | Uses PowerSploit/Empire command to enumerate all services and return services for which the current user can modify the binPath. | |
| BH20225 | Uses PowerSploit/Empire command to find machines on the local domain where the current user has local administrator access. | |
| BH20278 | Uses PowerSploit/Empire command to return all privileges for the current or specified process ID. | |
| BH20302 | Uses PowerSploit/Empire command to run commands as another user. | |
| BH20317 | Uses PowerSploit/Empire command to test if the current user has administrative access to the local or a remote machine. | |
| BH20318 | Uses PowerSploit/Empire command to test one or more passed services or service names against a given permission set. | |
