| BH12104 | Accesses common software account info. | |
| BH12111 | Accesses mailbox files. | |
| BH12112 | Accesses map location history. | |
| BH12121 | Accesses Windows Mail preferences. | |
| BH12146 | Captures the visible area of the active tab. | |
| BH12147 | Captures content of a tab as an image. | |
| BH12417 | Manipulates user input. | |
| BH12419 | May capture screen content or media. | |
| BH12429 | Monitors devices associated with current account. | |
| BH12430 | Monitors for bookmark changes. | |
| BH12440 | Monitors browsing history. | |
| BH12441 | Monitors recently closed tabs or windows. | |
| BH12442 | Monitors user input when activated with keyword in address bar. | |
| BH12443 | Might access browsing history. | |
| BH12444 | Might access credential storage. | |
| BH12446 | Might monitor browsing activity. | |
| BH12447 | Might monitor keystrokes. | |
| BH12448 | Might monitor tabs. | |
| BH12476 | Records all of or part of a Windows PowerShell session to a text file. | |
| BH12811 | Uses DCSync from Mimikatz to collect NTLM hashes from the domain. | |
| BH12857 | Exports a registry key and all of its subkeys to a file. | |
| BH12886 | Accesses the /srv directory. | |
| BH12929 | Accesses the /etc/wpa_supplicant directory. | |
| BH13008 | Accesses a common Linux log directory. | |
| BH13012 | Opens a mailbox. | |
| BH13013 | Accesses email messages from a mailbox. | |
| BH13094 | Accesses user clipboard. | |
| BH13115 | Accesses Firefox extensions. | |
| BH13116 | Accesses Chrome extensions. | |
| BH13117 | Accesses Chromium extensions. | |
| BH13118 | Accesses Brave extensions. | |
| BH13162 | Opens a mailbox using reflection. | |
| BH13163 | Accesses email messages from a mailbox using reflection. | |
| BH13272 | Retrieves text from the clipboard. | |
| BH13290 | Creates network shares. | |
| BH13333 | Accesses EventLog. | |
| BH13350 | Accesses clipboard. | |
| BH13359 | Contains Visa credit card numbers. | |
| BH13360 | Contains MasterCard credit card numbers. | |
| BH13361 | Contains Discover Card credit card numbers. | |
| BH13362 | Contains Japan Credit Bureau credit card numbers. | |
| BH13363 | Contains American Express credit card numbers. | |
| BH13364 | Contains China UnionPay credit card numbers. | |
| BH13365 | Contains Maestro credit card numbers. | |
| BH13366 | Contains Diners Club International credit card numbers. | |
| BH13367 | Contains Korean Local credit card numbers. | |
| BH13547 | Might access clipboard. | |
| BH13552 | Might read a virtual file. | |
| BH13567 | Might access outer window. | |
| BH15335 | Might use the Credential Management API. | |
| BH16354 | Might use Geolocation services. | |
| BH17111 | Accesses /etc/shadow file. | |
| BH17144 | Might obtain payment information from user. | |
| BH17148 | Reads cookies. | |
| BH17150 | Reads data from Adium chat logs. | |
| BH17151 | Reads data from AIM user account settings. | |
| BH17152 | Reads data from Chrome certificate databases. | |
| BH17153 | Reads data from Chrome cookie databases. | |
| BH17154 | Reads data from Chrome navigation history databases. | |
| BH17155 | Reads data from Chrome preferences databases. | |
| BH17156 | Reads data from Chrome session databases. | |
| BH17157 | Reads data from Chrome stored credentials databases. | |
| BH17158 | Reads data from Chromium certificate databases. | |
| BH17159 | Reads data from Chromium cookie databases. | |
| BH17160 | Reads data from Chromium navigation history databases. | |
| BH17161 | Reads data from Chromium preferences databases. | |
| BH17162 | Reads data from Chromium session databases. | |
| BH17163 | Reads data from Chromium stored credentials databases. | |
| BH17164 | Reads data from Firefox add-on databases. | |
| BH17165 | Reads data from Firefox anti-phishing databases. | |
| BH17166 | Reads data from Firefox certificate databases. | |
| BH17167 | Reads data from Firefox cookie databases. | |
| BH17168 | Reads data from Firefox MIME plugin/configuration databases. | |
| BH17169 | Reads data from Firefox navigation history databases. | |
| BH17170 | Reads data from Firefox preferences databases. | |
| BH17171 | Reads data from Firefox saved form data databases. | |
| BH17172 | Reads data from Firefox security module database. | |
| BH17173 | Reads data from Firefox session databases. | |
| BH17174 | Reads data from Firefox stored credentials databases. | |
| BH17175 | Reads data from iChat user account settings. | |
| BH17177 | Reads data from Internet Explorer cookie databases. | |
| BH17178 | Reads data from Internet Explorer navigation history databases. | |
| BH17179 | Reads data from Internet Explorer preferences databases. | |
| BH17180 | Reads data from Netscape add-on databases. | |
| BH17181 | Reads data from Netscape certificate databases. | |
| BH17182 | Reads data from Netscape contact/address book. | |
| BH17183 | Reads data from Netscape cookie databases. | |
| BH17184 | Reads data from Netscape integrated instant messaging databases. | |
| BH17185 | Reads data from Netscape mailbox files. | |
| BH17186 | Reads data from Netscape MIME plugin/configuration databases. | |
| BH17187 | Reads data from Netscape navigation history databases. | |
| BH17188 | Reads data from Netscape preferences databases. | |
| BH17189 | Reads data from Netscape saved form data databases. | |
| BH17190 | Reads data from Netscape security module database. | |
| BH17191 | Reads data from Netscape stored credentials databases. | |
| BH17192 | Reads data from Opera cookie databases. | |
| BH17193 | Reads data from Opera navigation history databases. | |
| BH17194 | Reads data from Opera preferences databases. | |
| BH17195 | Reads data from Opera stored credentials databases. | |
| BH17196 | Reads data from Outlook contact/address book. | |
| BH17197 | Reads data from Outlook email/contact backups. | |
| BH17198 | Reads data from Outlook mailbox files. | |
| BH17199 | Reads data from Outlook offline/cached items. | |
| BH17200 | Reads data from Pidgin stored credentials. | |
| BH17201 | Reads data from Safari cookie databases. | |
| BH17202 | Reads data from Safari navigation history databases. | |
| BH17203 | Reads data from Safari session databases. | |
| BH17204 | Reads data from Skype chat history database. | |
| BH17205 | Reads data from Skype stored credentials. | |
| BH17206 | Reads data from Thunderbird certificate database. | |
| BH17207 | Reads data from Thunderbird contact/address book. | |
| BH17208 | Reads data from Thunderbird cookie files. | |
| BH17209 | Reads data from Thunderbird download history database. | |
| BH17210 | Reads data from Thunderbird extension database. | |
| BH17211 | Reads data from Thunderbird mailbox files. | |
| BH17212 | Reads data from Thunderbird stored credentials. | |
| BH17213 | Reads data from Windows Mail stored credentials. | |
| BH17214 | Reads files from Firefox preferences databases. | |
| BH17215 | Accesses Chrome cookie databases. | |
| BH17216 | Accesses Chrome credit card storage databases. | |
| BH17217 | Accesses Chrome navigation history databases. | |
| BH17218 | Accesses Chrome stored credentials databases. | |
| BH17219 | Accesses Chromium cookie databases. | |
| BH17220 | Accesses Chromium credit card storage databases. | |
| BH17221 | Accesses Chromium navigation history databases. | |
| BH17222 | Accesses Chromium stored credentials databases. | |
| BH17223 | Accesses Firefox cookie databases. | |
| BH17224 | Accesses Firefox navigation history databases. | |
| BH17225 | Accesses Firefox stored credentials databases. | |
| BH17226 | Accesses Firefox saved form data databases. | |
| BH17227 | Accesses Internet Explorer add-on databases. | |
| BH17228 | Accesses Internet Explorer navigation history databases. | |
| BH17229 | Accesses Internet Explorer preferences databases. | |
| BH17230 | Accesses Internet Explorer stored credentials databases. | |
| BH17231 | Accesses Netscape cookie databases. | |
| BH17232 | Accesses Outlook account information. | |
| BH17233 | Accesses Outlook preferences. | |
| BH17234 | Accesses Safari navigation history databases. | |
| BH17235 | Accesses Skype related files. | |
| BH17300 | Accesses a list of top visited sites. | |
| BH17302 | Accesses system passwords. | |
| BH17304 | Accesses user account information. | |
| BH17305 | Accesses user's call history. | |
| BH17306 | Accesses user's SMS history. | |
| BH17308 | Accesses VNC passwords. | |
| BH17309 | Accesses website cookie databases. | |
| BH17310 | Steals FTP client configuration data. | |
| BH17311 | Queries the passwd database entry for a given user ID. | |
| BH17312 | Queries the passwd database entry for a given user name. | |
| BH17313 | Enumerates all available passwd database entries. | |
| BH17314 | Queries the shadow password database entry for a given user name. | |
| BH17315 | Enumerates all available shadow password database entries. | |
| BH17317 | Saves cookies to a file. | |
| BH17318 | Accesses private files in SSH directory. | |
| BH17319 | Accesses the .gnupg/private-keys-v1.d directory. | |
| BH17320 | Accesses the .gitcredentials file. | |
| BH17321 | Accesses shell history. | |
| BH17322 | Accesses the .password-store directory. | |
| BH17323 | Accesses the /var/log/nginx directory. | |
| BH17324 | Accesses the /var/log/httpd directory. | |
| BH17325 | Accesses the /var/log/mysql directory. | |
| BH17326 | Accesses the /var/log/mysql.log file. | |
| BH17327 | Accesses the /var/log/mongodb directory. | |
| BH17328 | Accesses the /var/log/logkeys.log file. | |
| BH17329 | Dumps the MySQL database. | |
| BH17330 | Dumps the MariaDB database. | |
| BH17331 | Dumps the PostgreSQL database. | |
| BH17332 | Accesses the mail directory. | |
| BH17333 | Accesses the .ssh/authorized_keys file. | |
| BH17334 | Accesses the .ssh/known_hosts file. | |
| BH17335 | Accesses the .gnupg/pubring.kbx file. | |
| BH17336 | Accesses the .gnupg/trustdb.gpg file. | |
| BH17337 | Accesses the user keyring. | |
| BH17338 | Accesses the /etc/NetworkManager/system-connections directory. | |
| BH17339 | Accesses a .htpasswd file. | |
| BH17340 | Accesses a .mysql_history file. | |
| BH17343 | Accesses private SSH host key files. | |
| BH17344 | Accesses public SSH host key files. | |
| BH17345 | Accesses Firefox login database. | |
| BH17346 | Accesses Firefox cookies database. | |
| BH17347 | Accesses Firefox key database. | |
| BH17348 | Accesses Firefox forms data. | |
| BH17349 | Accesses Firefox history. | |
| BH17350 | Accesses a Chrome web data file. | |
| BH17351 | Accesses a Chrome bookmarks file. | |
| BH17352 | Accesses a Chromium web data file. | |
| BH17353 | Accesses a Chromium bookmarks file. | |
| BH17354 | Accesses a Brave cookies file. | |
| BH17355 | Accesses a Brave web data file. | |
| BH17356 | Accesses a Brave bookmarks file. | |
| BH17357 | Accesses a Brave history file. | |
| BH17358 | Dumps a dconf subpath. | |
| BH17359 | Shows a fake sudo prompt, used for user password phishing. | |
| BH17360 | Accesses a Brave login data file. | |
| BH17361 | Reads data from the Chrome local state file which contains the encryption key for local databases. | |
| BH17363 | Reads data from the Chromium local state file which contains the encryption key for local databases. | |
| BH17365 | Reads data from the Opera local state file which contains the encryption key for local databases. | |
| BH17367 | Reads data from the Vivaldi browser's local state file which contains the encryption key for local databases. | |
| BH17369 | Reads data from the Yandex browser's local state file which contains the encryption key for local databases. | |
| BH17371 | Accesses Opera stored credentials databases. | |
| BH17372 | Reads data from Vivaldi browser's stored credentials databases. | |
| BH17374 | Accesses Vivaldi browser's stored credentials databases. | |
| BH17375 | Reads data from Yandex browser's stored credentials databases. | |
| BH17377 | Accesses Yandex browser's stored credentials databases. | |
| BH17378 | Reads data from the Firefox profiles.ini file which contains information about profiles and the path to the directory with local databases. | |
| BH17380 | Reads data from the Microsoft Edge local state file which contains the encryption key for local databases. | |
| BH17382 | Reads data from Microsoft Edge stored credentials databases. | |
| BH17384 | Accesses Microsoft Edge stored credentials databases. | |
| BH17385 | Reads data from Safari stored credentials databases. | |
| BH17387 | Reads data from the SeaMonkey browser's profiles.ini file which contains information about profiles and the path to the directory with local databases. | |
| BH17389 | Reads data from SeaMonkey browser's stored credentials databases. | |
| BH17391 | Accesses SeaMonkey browser's stored credentials databases. | |
| BH17392 | Reads data from the Waterfox browser's profiles.ini file which contains information about profiles and the path to the directory with local databases. | |
| BH17394 | Reads data from Waterfox browser's stored credentials databases. | |
| BH17396 | Accesses Waterfox browser's stored credentials databases. | |
| BH17397 | Reads data from the Brave browser's local state file which contains the encryption key for local databases. | |
| BH17399 | Reads data from Brave browser's stored credentials databases. | |
| BH17401 | Accesses Brave browser's stored credentials databases. | |
| BH17402 | Accesses credentials from the Windows Credential Manager. | |
| BH17403 | Decrypts privileged data using process injection into the Windows Local Security Authority Subsystem Service executable. | |
| BH17404 | Reads data from files containing encrypted Windows Data Protection API master keys. | |
| BH17406 | Reads data from files containing encrypted credentials from the Windows Credential Manager. | |
| BH17414 | Reads data from files containing SSL certificates installed on the system. | |
| BH17417 | Reads data from Outlook Express stored credentials. | |
| BH17419 | Reads data from Outlook 2002-2019 stored credentials. | |
| BH17421 | Reads data from Yahoo! Mail stored credentials. | |
| BH17423 | Reads data from MSN Messenger stored credentials. | |
| BH17424 | Reads data from a credentials file that holds passwords for MSN Messenger. | |
| BH17427 | Reads data from IncrediMail stored credentials. | |
| BH17429 | Reads data from Eudora stored credentials. | |
| BH17431 | Reads data from GroupMail stored credentials. | |
| BH17433 | Reads data from Google Talk stored credentials. | |
| BH17435 | Reads data from Google Desktop stored credentials. | |
| BH17441 | Reads data from a browser's User Data folder. | |
| BH19126 | Enumerates cached credentials using cmdkey. | |
| BH19141 | Enumerates credentials stored in the Windows Credential Manager. | |
| BH19153 | Enumerates devices associated with current account. | |
| BH19224 | Enumerates open browser windows. | |
| BH19248 | Enumerates recently closed tabs or windows. | |
| BH19354 | Gets email address and ID of the signed-in user. | |
| BH19437 | Retrieves information about embedded frames. | |
| BH19555 | Might enumerate referrer. | |
| BH19556 | Might enumerate files on file system. | |
| BH19557 | Might enumerate current locale. | |
| BH19559 | Enumerates preferred languages of the user. | |
| BH20101 | Uses a Nishang command for streaming a target's desktop using MJPEG. | |
| BH20112 | Uses a Nishang command to copy SAM and SYSTEM hives. | |
| BH20125 | Uses a Nishang command to dump keys for WLAN profiles. | |
| BH20126 | Uses a Nishang command to dump password hashes using the modified Powerdump script from the Metasploit Framework. | |
| BH20127 | Uses a Nishang command to dump Windows passwords in plain text. | |
| BH20136 | Uses a Nishang command to exfiltrate data to several different remote services. | |
| BH20139 | Uses a Nishang command to extract password hints in clear text. | |
| BH20140 | Uses a Nishang command to extract sensitive information from the target process. | |
| BH20152 | Uses a Nishang command to open a phishing prompt that steals user credentials. | |
| BH20156 | Uses a Nishang command to retrieve web credentials from Windows vault. | |
| BH20186 | Uses PowerSploit/Empire command to display Windows vault credential objects, including clear text web credentials. | |
| BH20219 | Uses PowerSploit/Empire command to extract and decrypt saved session information for software typically used to access Unix systems. | |
| BH20220 | Uses PowerSploit/Empire command to extract hashes from the local system. | |
| BH20241 | Uses PowerSploit/Empire command to monitor the clipboard on a specified interval for changes to copied text. | |
| BH20252 | Uses PowerSploit/Empire command to recover cleartext and encrypted connection strings from all web.config files on the system. | |
| BH20253 | Uses PowerSploit/Empire command to recover encrypted application pool and virtual directory passwords from the applicationHost.config on the system. | |
| BH20260 | Uses PowerSploit/Empire command to retrieve any saved passwords in Google Chrome and then write them out to a file. | |
| BH20261 | Uses PowerSploit/Empire command to retrieve any saved passwords in Mozilla Firefox and then write them out to a file. | |
| BH20262 | Uses PowerSploit/Empire command to retrieve autologon username and password from registry.xml if pushed through Group Policy Preferences. | |
| BH20263 | Uses PowerSploit/Empire command to retrieve browser history or bookmarks. | |
| BH20264 | Uses PowerSploit/Empire command to retrieve the plaintext password and other information for accounts pushed through Group Policy Preferences. | |
| BH20265 | Uses PowerSploit/Empire command to retrieve the plaintext passwords from any McAfee SiteList.xml files found. | |
| BH20327 | Uses PowerSploit/Empire to monitor TCP connections to a specified domain name or IPv4 address. | |