Registry

ID	Description	Significance / Prevalence
BH12107	Accesses FTP related registry keys.
BH12116	Accesses PowerShell registry entries.
BH12168	Changes the value of a registry key.
BH12209	Creates autorun registry keys.
BH12216	Creates registry keys.
BH12225	Deletes a registry key and its values.
BH12233	Deletes autorun registry keys.
BH12560	Sets browser homepage.
BH12648	Tampers with filetype risk registry settings.
BH12708	Tampers with PowerShell Module Logging registry key.
BH12709	Tampers with PowerShell Script Block Logging registry key.
BH12711	Tampers with PowerShell Transcription registry key.
BH12777	Tampers with Windows registry settings.
BH12782	Tampers with Windows services registry keys.
BH13286	Reads the content of a registry key value.
BH13287	Deletes the value of a registry key.
BH13288	Opens registry keys.
BH13293	Contains references to registry paths that hold credentials.
BH16187	Establishes a connection to a registry on a remote computer.
BH17303	Accesses Telnet related registry keys.
BH17416	Writes data to Outlook Express stored credentials.
BH17418	Writes data to Outlook 2002-2019 stored credentials.
BH17420	Writes data to Yahoo! Mail stored credentials.
BH17422	Writes data to MSN Messenger stored credentials.
BH17426	Writes data to IncrediMail stored credentials.
BH17432	Writes data to Google Talk stored credentials.
BH17434	Writes data to Google Desktop stored credentials.
BH19305	Enumerates the subkeys of a registry key.
BH19456	Enumerates the values of a registry key.
BH19534	Enumerates registry key value names.
BH19536	Enumerates registry keys.
BH20159	Uses a Nishang command to set the 'Debugger' registry key for a screensaver to allow remote code execution.
BH20160	Uses a Nishang command to set the 'Debugger' registry key for Sticky Keys and Utilman to allow remote code execution.
BH20299	Uses PowerSploit/Empire command to return who is logged onto the local or a remote machine through enumeration of remote registry keys.