BH12103 | Accesses audit policy information. | |
BH12105 | Accesses DNS configuration. | |
BH12110 | Accesses list of all installed applications. | |
BH12175 | Checks if the current user has full administrator privileges. | |
BH12176 | Checks if user has opted in for data collection as part of Customer Experience Improvement Program. | |
BH12177 | Checks login names and enumerates number of logged on users. | |
BH12179 | Checks user account information. | |
BH12180 | Accesses a common web root directory. | |
BH12401 | Lists configuration files. | |
BH12402 | Lists devices available to the system that can be managed by the MSDSM for MPIO. | |
BH12403 | Lists hardware IDs in the MSDSM supported hardware list. | |
BH12404 | Lists information about network adapters. | |
BH12472 | Reads process information. | |
BH12530 | Returns a list of available shared secret templates. | |
BH12531 | Returns a list of package providers that are connected to Package Management. | |
BH12536 | Returns information about PnP devices. | |
BH12537 | Returns the configuration for the App-V client. | |
BH12553 | Scans for drivers on the system. | |
BH12694 | Tampers with network share configuration. | |
BH12695 | Tampers with network shares or mounted drives. | |
BH12705 | Tampers with Plug and Play (PnP) devices. | |
BH12729 | Tampers with start menu. | |
BH12750 | Tampers with the program that is hosting Windows PowerShell. | |
BH12757 | Tampers with user identity information. | |
BH12783 | Tampers with Windows Services. | |
BH12858 | Queries the value of an environment variable. | |
BH12917 | Gets a gsettings value. | |
BH12925 | Accesses the kernel parameters. | |
BH12967 | Inspects changes made on a Docker container. | |
BH13036 | Accesses a user sv service directory. | |
BH13046 | Lists the cached Kerberos tickets. | |
BH13048 | Lists all Firejail sandboxes. | |
BH13223 | Reads data from the Name Service Switch (NSS) configuration file. | |
BH13225 | Reads data from an SSH configuration file. | |
BH13233 | Accesses the system's ARP table. | |
BH13234 | Reads data from the /etc/host.conf file, which contains configuration information specific to the resolver library. | |
BH13236 | Reads data from the hosts file. | |
BH13237 | Reads data from the /etc/config/hosts file. | |
BH13239 | Reads data from the /etc/config/resolv.conf file. | |
BH13270 | Queries the login name of the user. | |
BH13271 | Queries the current working directory. | |
BH13273 | Executes a WMI (Windows Management Instrumentation) query. | |
BH13282 | Queries information about a display monitor. | |
BH13284 | Queries the supplemental group IDs of a process. | |
BH16133 | Connects to a repository of user information, including public key certificates. | |
BH16162 | Checks connections information. | |
BH18245 | Queries SELinux policies. | |
BH19107 | Enumerates all active NAT sessions. | |
BH19109 | Enumerates all devices with synced browsing sessions. | |
BH19111 | Enumerates applied updates on local or remote computer. | |
BH19112 | Enumerates applied updates using WMI. | |
BH19115 | Enumerates available network shares. | |
BH19116 | Enumerates available plug-ins. | |
BH19117 | Enumerates available Remote Desktop Session Host servers within a domain. | |
BH19119 | Enumerates backup storage locations specified as part of a backup policy. | |
BH19120 | Enumerates backups for a server from a specified location. | |
BH19121 | Enumerates BIOS information using WMI. | |
BH19122 | Enumerates boot configuration using WMI. | |
BH19125 | Enumerates CA (Customer Address) routes. | |
BH19128 | Enumerates capabilities of a specific user on a constrained session configuration. | |
BH19129 | Enumerates CD-ROM information using WMI. | |
BH19130 | Enumerates certificates associated with RDS roles. | |
BH19132 | Enumerates certificates registered in Active Directory Domain Services. | |
BH19133 | Enumerates certificates. | |
BH19136 | Enumerates connected disk drives. | |
BH19138 | Enumerates control panel items. | |
BH19139 | Enumerates CPU information of the system. | |
BH19140 | Enumerates CPU information using WMI. | |
BH19143 | Enumerates current password and logon restrictions. | |
BH19144 | Enumerates current platform information. | |
BH19145 | Enumerates currently available disk drives. | |
BH19150 | Enumerates desktop monitors using WMI. | |
BH19151 | Enumerates detailed properties for a PnP device. | |
BH19152 | Enumerates device memory addresses using WMI. | |
BH19156 | Enumerates disk partitions using WMI. | |
BH19157 | Enumerates DNS server IP addresses from the TCP/IP properties on an interface. | |
BH19158 | Enumerates downloads. | |
BH19159 | Enumerates drives and network shares. | |
BH19162 | Enumerates environment variables. | |
BH19163 | Enumerates ETW (Event Tracing for Windows) sessions on the system. | |
BH19164 | Enumerates event log settings using WMI. | |
BH19167 | Enumerates events and event properties from one or more event logs. | |
BH19168 | Enumerates events from event logs using WMI. | |
BH19170 | Enumerates execution policies for the current session. | |
BH19171 | Enumerates existing AutoLogger session configurations. | |
BH19174 | Enumerates files and directories using WMI. | |
BH19175 | Enumerates files in a given directory. | |
BH19176 | Enumerates files that belong to a specified user. | |
BH19177 | Enumerates files using WMI. | |
BH19179 | Enumerates groups in a repository of user information. | |
BH19180 | Enumerates hardware information (printers). | |
BH19181 | Enumerates IDs that identify a Windows installation. | |
BH19184 | Enumerates information for local Remote Desktop Session Host sessions. | |
BH19185 | Enumerates installed applications using WMI. | |
BH19186 | Enumerates installed device drivers. | |
BH19187 | Enumerates installed devices. | |
BH19188 | Enumerates installed ODBC drivers. | |
BH19189 | Enumerates installed Windows Store apps. | |
BH19193 | Enumerates kernel modules. | |
BH19194 | Enumerates key certificates in the Key Protection Service. | |
BH19196 | Enumerates links (such as Excel or DDE/OLE links) in a workbook. | |
BH19197 | Enumerates local security groups. | |
BH19198 | Enumerates local user accounts. | |
BH19199 | Enumerates logical disk drives using WMI. | |
BH19200 | Enumerates logon sessions using WMI. | |
BH19203 | Enumerates members from a local group. | |
BH19204 | Enumerates memory chip information using WMI. | |
BH19206 | Enumerates motherboard information using WMI. | |
BH19209 | Enumerates names of open workbooks. | |
BH19210 | Enumerates NAT objects. | |
BH19219 | Enumerates network share/resource information. | |
BH19220 | Enumerates network shares or mounted drives. | |
BH19221 | Enumerates network shares. | |
BH19223 | Enumerates ODBC DSNs. | |
BH19226 | Enumerates operating system information using WMI. | |
BH19227 | Enumerates operating system recovery settings using WMI. | |
BH19229 | Enumerates or sets printer name. | |
BH19231 | Enumerates package sources that are registered for a package provider. | |
BH19234 | Enumerates physical connection ports using WMI. | |
BH19235 | Enumerates physical disk drives using WMI. | |
BH19236 | Enumerates physical network routes for a virtualized network. | |
BH19237 | Enumerates plugins. | |
BH19238 | Enumerates policy entries for virtual machines in a virtual network. | |
BH19239 | Enumerates PowerShell sessions on local and remote computers. | |
BH19240 | Enumerates printer jobs using WMI. | |
BH19241 | Enumerates printer names using WMI. | |
BH19242 | Enumerates printer settings using WMI. | |
BH19244 | Enumerates processes using WMI. | |
BH19246 | Enumerates Provider Addresses. | |
BH19250 | Enumerates replication groups. | |
BH19251 | Enumerates replication network constraints for Storage Replica partnerships. | |
BH19252 | Enumerates replication partnerships. | |
BH19253 | Enumerates restore points on the local computer. | |
BH19254 | Enumerates Resultant Set of Policy (RSoP) information for a remote user and computer. | |
BH19256 | Enumerates rules in a Code Integrity policy. | |
BH19258 | Enumerates running processes. | |
BH19259 | Enumerates running threads within one or more processes. | |
BH19260 | Enumerates scheduled jobs on the local computer. | |
BH19264 | Enumerates server features on a managed node. | |
BH19265 | Enumerates service account credentials for an Active Directory Rights Management Services (AD RMS) cluster. | |
BH19266 | Enumerates services on the computer. | |
BH19267 | Enumerates services using WMI. | |
BH19268 | Enumerates sessions on a Remote Desktop Session Host server. | |
BH19269 | Enumerates sessions on the local Remote Desktop Session Host server. | |
BH19275 | Enumerates settings of the server service. | |
BH19276 | Enumerates shadow copy settings using WMI. | |
BH19277 | Enumerates shared resources using WMI. | |
BH19280 | Enumerates sound device information using WMI. | |
BH19281 | Enumerates startup programs using WMI. | |
BH19282 | Enumerates static mappings configured on NAT instances. | |
BH19283 | Enumerates static mappings on Windows Container networking adapters. | |
BH19285 | Enumerates supported media formats. | |
BH19286 | Enumerates system account information using WMI. | |
BH19287 | Enumerates system domain information using WMI. | |
BH19288 | Enumerates system drivers using WMI. | |
BH19289 | Enumerates system drivers. | |
BH19290 | Enumerates system environment variables using WMI. | |
BH19291 | Enumerates system firmware environment variables and information. | |
BH19292 | Enumerates system firmware tables. | |
BH19293 | Enumerates system information from SMBIOS using WMI. | |
BH19294 | Enumerates system information using WMI. | |
BH19295 | Enumerates system information. | |
BH19296 | Enumerates system services load order using WMI. | |
BH19299 | Enumerates the addresses associated with the adapters on the local computer. | |
BH19300 | Enumerates the credentials from the user's credential set. | |
BH19301 | Enumerates the information of a mapped drive. | |
BH19302 | Enumerates the key packs installed on a Remote Desktop license server. | |
BH19303 | Enumerates the licenses installed on a Remote Desktop license server. | |
BH19304 | Enumerates the names of open Excel windows. | |
BH19306 | Enumerates the WHEA memory policies for a computer. | |
BH19307 | Enumerates trusted execution enclave information. | |
BH19308 | Enumerates UEFI variable values related to Secure Boot. | |
BH19310 | Enumerates USB printer info. | |
BH19316 | Enumerates user accounts using WMI. | |
BH19317 | Enumerates user accounts. | |
BH19318 | Enumerates user desktop information using WMI. | |
BH19319 | Enumerates user groups using WMI. | |
BH19320 | Enumerates user groups. | |
BH19321 | Enumerates user information (current language). | |
BH19322 | Enumerates user information (login name). | |
BH19323 | Enumerates user information (monitors). | |
BH19324 | Enumerates user information (platform). | |
BH19325 | Enumerates user information (plugins). | |
BH19326 | Enumerates user information (printer color spaces). | |
BH19327 | Enumerates user information (user profile path). | |
BH19328 | Enumerates user information (viewer info). | |
BH19329 | Enumerates user information using 'finger' command. | |
BH19331 | Enumerates users in a repository of user information. | |
BH19333 | Enumerates video capture device driver information. | |
BH19334 | Enumerates virtual network routes. | |
BH19335 | Enumerates Windows Container networking adapters. | |
BH19337 | Enumerates WMI aliases. | |
BH19338 | Enumerates WMI service settings. | |
BH19339 | Enumerates workstation information. | |
BH19340 | Gets a list of publishable applications from a collection. | |
BH19346 | Gets an NFS mapped identity. | |
BH19350 | Gets clustered scheduled tasks for a failover cluster. | |
BH19358 | Gets information about a node object or the NLB cluster object that is queried by the caller. | |
BH19359 | Gets information about a remote hardware device. | |
BH19361 | Gets information about products registered with User Access Logging (UAL). | |
BH19364 | Gets information about the Network Load Balancing (NLB) driver on the local machine. | |
BH19365 | Gets information about the NLB cluster object that is queried by the caller. | |
BH19373 | Gets per-host global information for a Network Virtualization module. | |
BH19378 | Gets security access between failover clusters. | |
BH19379 | Gets security delegation on a Storage Replica server. | |
BH19384 | Gets the basic inventory information of a server. | |
BH19386 | Enumerates printer settings. | |
BH19388 | Gets the Credential Security Support Provider-related configuration for the client. | |
BH19390 | Gets the dedicated IP address that is queried by the caller. | |
BH19403 | Gets the name of the failover cluster of which a server is a member. | |
BH19409 | Gets the publisher GUID and the policy version of the Secure Boot configuration policy. | |
BH19413 | Gets the startup status for User Access Logging (UAL). | |
BH19419 | Gets the VFP/VSwitch port ID. | |
BH19424 | Gets User Access Logging (UAL) information about virtual machines. | |
BH19428 | Retrieves a list of root key values stored by the Microsoft Group KdsSvc. | |
BH19431 | Retrieves and displays the list of BPA models installed on the system. | |
BH19432 | Retrieves and displays the results of the most recent Best Practices Analyzer (BPA) scan for a specific model. | |
BH19435 | Retrieves global settings for all NAT instances on a computer. | |
BH19438 | Retrieves information about the SMB clients connected to the SMB witness servers in a cluster. | |
BH19439 | Retrieves network Quality of Service (QoS) policies. | |
BH19442 | Retrieves printer properties for the specified printer. | |
BH19443 | Retrieves process information. | |
BH19446 | Retrieves the contents of the DNS client cache. | |
BH19449 | Retrieves the list of entry points that have been configured for DirectAccess. | |
BH19450 | Enumerates printer drivers installed on the specified computer. | |
BH19451 | Retrieves the local computer name. | |
BH19452 | Retrieves the name of the user associated with the process. | |
BH19457 | Enumerates files through FTP. | |
BH19458 | Enumerates CRLs. | |
BH19465 | Enumerates connected USB devices. | |
BH19466 | Enumerates block devices. | |
BH19467 | Enumerates PCI devices. | |
BH19469 | Lists registered sd-bus services. | |
BH19470 | Gets the status of an sd-bus service. | |
BH19471 | Queries the system and user paths. | |
BH19472 | Gets the list of network namespaces. | |
BH19476 | Queries the computer's network name. | |
BH19477 | Gets the network route list. | |
BH19478 | Lists all OpenRC services. | |
BH19479 | Gets the status of all OpenRC services. | |
BH19480 | Gets the status of an OpenRC service. | |
BH19481 | Resolves an OpenRC service. | |
BH19482 | Looks up user's information. | |
BH19483 | Searches for a stored password. | |
BH19484 | Lists systemd units loaded into memory. | |
BH19485 | Lists systemd sockets loaded into memory. | |
BH19486 | Lists systemd timers loaded into memory. | |
BH19487 | Examines file capabilities. | |
BH19488 | Accesses an auditctl log file. | |
BH19489 | Searches for setuid/setgid binaries. | |
BH19490 | Queries information about a Linux Container. | |
BH19491 | Queries Linux Container system information. | |
BH19492 | Lists the Linux Containers existing on the system. | |
BH19493 | Shows LXD instance or server information. | |
BH19494 | Lists LXD instances. | |
BH19495 | Gets detailed wireless information from a wireless interface. | |
BH19496 | Lists all imported OpenPGP keys. | |
BH19497 | Lists all secret OpenPGP keys. | |
BH19498 | Enumerates files in a given directory using reflection. | |
BH19499 | Enumerates environment variables using reflection. | |
BH19500 | Retrieves process information using reflection. | |
BH19502 | Queries the computer's network name and IP address using reflection. | |
BH19503 | Enumerates the computer's network interfaces. | |
BH19504 | Enumerates the computer's network interfaces using reflection. | |
BH19505 | Enumerates physical memory information. | |
BH19506 | Enumerates current user's home directory. | |
BH19507 | Enumerates the operating system platform. | |
BH19508 | Enumerates operating system version. | |
BH19510 | Enumerates user information. | |
BH19511 | Enumerates tracked git repositories. | |
BH19512 | Enumerates tracked git repository URLs. | |
BH19513 | Enumerates git repository branches. | |
BH19518 | Enumerates the computer's IPv6 interfaces. | |
BH19521 | Queries the effective group ID of a process. | |
BH19522 | Queries the effective user ID of a process. | |
BH19523 | Queries the real group ID of a process. | |
BH19524 | Queries the real user ID of a process. | |
BH19525 | Queries the real, effective and saved user IDs of a process. | |
BH19526 | Queries the real, effective and saved group IDs of a process. | |
BH19527 | Enumerates active network connections. | |
BH19528 | Enumerates users that are connected on the system. | |
BH19529 | Retrieves a list of printers installed on a computer. | |
BH19530 | Enumerates print jobs for the specified printer. | |
BH19531 | Enumerates printer ports available on the specified computer. | |
BH19532 | Queries the ID of a group by its name. | |
BH19533 | Queries the ID of a user by its name. | |
BH19535 | Enumerates the installed system languages. | |
BH19537 | Enumerates environment variables related to Amazon Web Services (AWS). | |
BH19538 | Enumerates an environment variable that holds an Amazon Web Services (AWS) access key. | |
BH19539 | Enumerates an environment variable that holds an Amazon Web Services (AWS) configuration location. | |
BH19540 | Enumerates an environment variable that holds an Amazon Web Services (AWS) secret access key. | |
BH19541 | Enumerates an environment variable that holds an Amazon Web Services (AWS) session token. | |
BH19542 | Enumerates an environment variable that holds an Amazon Web Services (AWS) access key location. | |
BH19543 | Enumerates an environment variable that holds an Amazon Web Services (AWS) web identity token location. | |
BH20185 | Uses PowerSploit/Empire command to determine what users or groups are in the specified local group for the machine through Group Policy Object correlation. | |
BH20190 | Uses PowerSploit/Empire command to enumerate account logon events and logon with explicit credential events from the specified host. | |
BH20191 | Uses PowerSploit/Empire command to enumerate all loaded security support provider packages. | |
BH20193 | Uses PowerSploit/Empire command to enumerate all users. | |
BH20194 | Uses PowerSploit/Empire command to enumerate groups with users outside of the group's domain and return each foreign member. | |
BH20195 | Uses PowerSploit/Empire command to enumerate members of a specific local group on the local or a remote machine. | |
BH20197 | Uses PowerSploit/Empire command to enumerate the ACL for a given file path. | |
BH20198 | Uses PowerSploit/Empire command to enumerate the Active Directory DNS records for a given zone. | |
BH20199 | Uses PowerSploit/Empire command to enumerate the Active Directory DNS zones for a given domain. | |
BH20200 | Uses PowerSploit/Empire command to enumerate the local groups on the local or a remote machine. | |
BH20201 | Uses PowerSploit/Empire command to enumerate the machines where a specific domain user or group is a member of a specific local group, all through Group Policy Object correlation. | |
BH20202 | Uses PowerSploit/Empire command to enumerate the members of specified local group for all the targeted machines on the domain. | |
BH20203 | Uses PowerSploit/Empire command to enumerate the proxy server and WPAD specification for the current user on the local or a remote machine. | |
BH20204 | Uses PowerSploit/Empire command to enumerate trusted documents and trusted locations for Microsoft Office. | |
BH20205 | Uses PowerSploit/Empire command to enumerate users in a specified domain group. | |
BH20206 | Uses PowerSploit/Empire command to enumerate users who are in groups outside of the user's domain. | |
BH20207 | Uses PowerSploit/Empire command to enumerate users who are in groups outside of their principal domain. | |
BH20209 | Uses PowerSploit/Empire command to execute all functions that check for various Windows privilege escalation opportunities. | |
BH20221 | Uses PowerSploit/Empire command to find all directories in the system %PATH% that are modifiable by the current user. | |
BH20222 | Uses PowerSploit/Empire command to find all DLL hijack locations for currently running processes. | |
BH20223 | Uses PowerSploit/Empire command to find domain machines where specific users are logged into. | |
BH20226 | Uses PowerSploit/Empire command to find object ACLs in the current or specified domain. | |
BH20227 | Uses PowerSploit/Empire command to find user/group/computer objects in Active Directory that have 'outlier' properties set. | |
BH20230 | Uses PowerSploit/Empire command to hunt for processes with a specific name or owned by a specific user on domain machines. | |
BH20234 | Uses PowerSploit/Empire command to list the device paths of all local volume shadow copies. | |
BH20244 | Uses PowerSploit/Empire command to parse a passed string containing multiple possible file/folder paths and return the file paths where the current user has modification rights. | |
BH20266 | Uses PowerSploit/Empire command to return a list of all fault-tolerant distributed file systems for the current or specified domain. | |
BH20268 | Uses PowerSploit/Empire command to return a list of servers likely functioning as file servers. | |
BH20269 | Uses PowerSploit/Empire command to return a System.DirectoryServices.ActiveDirectory.Forest object for the current forest or the forest specified with -Forest X. | |
BH20270 | Uses PowerSploit/Empire command to return all computers or specific computer objects in Active Directory. | |
BH20271 | Uses PowerSploit/Empire command to return all domains for the current (or specified) forest. | |
BH20272 | Uses PowerSploit/Empire command to return all forest trusts for the current or a specified forest. | |
BH20273 | Uses PowerSploit/Empire command to return all global catalogs for the current (or specified) forest. | |
BH20274 | Uses PowerSploit/Empire command to return all Group Policy Objects (GPOs) in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences. | |
BH20275 | Uses PowerSploit/Empire command to return all Group Policy Objects (GPOs) or specific GPO objects in Active Directory. | |
BH20276 | Uses PowerSploit/Empire command to return all groups or specific group objects in Active Directory. | |
BH20277 | Uses PowerSploit/Empire command to return all or specified domain objects in Active Directory. | |
BH20279 | Uses PowerSploit/Empire command to return all security groups in the current (or target) domain that have a manager set. | |
BH20280 | Uses PowerSploit/Empire command to return all SIDs that the current token context is a part of. | |
BH20281 | Uses PowerSploit/Empire command to return all trusts for the current user's domain. | |
BH20282 | Uses PowerSploit/Empire command to return all users or specific user objects in Active Directory. | |
BH20283 | Uses PowerSploit/Empire command to return detailed information about a specified service by querying the WMI. | |
BH20286 | Uses PowerSploit/Empire command to return remote desktop/session information for the local or a remote machine. | |
BH20287 | Uses PowerSploit/Empire command to return session information for the local or a remote machine. | |
BH20289 | Uses PowerSploit/Empire command to return the AD site where the local or a remote machine resides. | |
BH20290 | Uses PowerSploit/Empire command to return the default domain policy or the domain controller policy for a specified domain or domain controller. | |
BH20291 | Uses PowerSploit/Empire command to return the domain controllers for the current (or specified) domain. | |
BH20292 | Uses PowerSploit/Empire command to return the domain object for the current (or specified) domain. | |
BH20294 | Uses PowerSploit/Empire command to return the last user who logged onto the local or a remote machine. | |
BH20295 | Uses PowerSploit/Empire command to return the members of a specific domain group. | |
BH20296 | Uses PowerSploit/Empire command to return the name and binary path for services with unquoted paths that also have a space in the name. | |
BH20297 | Uses PowerSploit/Empire command to return the SID for the current domain or the specified domain. | |
BH20298 | Uses PowerSploit/Empire command to return users logged on the local or a remote machine. | |
BH20300 | Uses PowerSploit/Empire command to return open shares on the local or a remote machine. | |
BH20304 | Uses PowerSploit/Empire command to search for all organizational units (OUs) or specific OU objects in Active Directory. | |
BH20305 | Uses PowerSploit/Empire command to search for all sites or specific site objects in Active Directory. | |
BH20306 | Uses PowerSploit/Empire command to search for all subnets or specific subnet objects in Active Directory. | |
BH20307 | Uses PowerSploit/Empire command to search for computer shares on the domain. | |
BH20308 | Uses PowerSploit/Empire command to search for files matching specific criteria on readable shares in the domain. | |
BH20309 | Uses PowerSploit/Empire command to search for files on the given path that match a series of specified criteria. | |