| BH12150 | Changes background/foreground colors to make macros invisible. | anomalous important |
| BH12157 | Changes preference variables to silent mode. | uncommon |
| BH12183 | Clears event logs from local or remote computer. | uncommon |
| BH12184 | Clears event logs using WMI. | anomalous |
| BH12249 | Disables control panel or specific items within it. | uncommon anomalous |
| BH12255 | Disables showing file extensions. | uncommon anomalous |
| BH12256 | Disables showing hidden files. | important uncommon |
| BH12335 | Executes commands as PowerShell background jobs. | uncommon |
| BH12360 | Hides a window during execution of the code. | uncommon important anomalous |
| BH12361 | Hides active windows. | anomalous |
| BH12362 | Hides all signs of execution by using different PowerShell command line flags. | uncommon malicious anomalous |
| BH12460 | Opens an off-screen tab and starts content capture. | uncommon anomalous |
| BH12467 | Prevents creating an interactive prompt for the user during execution. | uncommon |
| BH12468 | Prevents loading profile scripts during execution of some commands. | uncommon |
| BH12528 | Restricts add/remove programs policy using registry keys. | anomalous |
| BH12561 | Sets the 'hidden file' attribute to files/directories. | uncommon anomalous |
| BH12570 | Starts a hidden PowerShell session. | uncommon anomalous important |
| BH12575 | Starts a PowerShell session without presenting an interactive prompt to the user. | uncommon important |
| BH12577 | Starts an application with a minimized Command Prompt window. | uncommon anomalous |
| BH12578 | Starts an application without opening a new Command Prompt window. | uncommon |
| BH12612 | Tampers with command aliases. | uncommon |
| BH12649 | Tampers with firewall. | important uncommon anomalous |
| BH12655 | Writes data to the hosts file. | uncommon |
| BH12656 | Tampers with hosts registry keys. | anomalous |
| BH12669 | Tampers with keyboard bindings. | uncommon |
| BH12710 | Tampers with PowerShell sessions on local or remote computer. | uncommon |
| BH12766 | Tampers with window transparency settings. | uncommon |
| BH12767 | Tampers with Windows bootup process. | important uncommon anomalous |
| BH12771 | Tampers with Windows Error Reporting. | uncommon |
| BH13065 | Overwrites a file to hide its contents, and deletes it. | uncommon |
| BH13152 | Sets the 'hidden file' attribute to files/directories using reflection. | anomalous |
| BH13238 | Writes data to the /etc/config/hosts file. | anomalous uncommon |
| BH13250 | Runs in the background as a system daemon. | uncommon |
| BH13269 | Contains code outside of a common screen width. | uncommon |
| BH13347 | Loads/unloads drivers. | |
| BH13374 | Loads/unloads kernel modules. | |
| BH13475 | Hides the AutoIt tray icon. | |
| BH13484 | Turns off the command echoing feature. | |
| BH13554 | Might change current history stack. | |
| BH13596 | Suppresses warnings. | |
| BH18112 | Detects common malware analysis tools. | anomalous |
| BH18141 | Detects sandboxes or virtual environments. | anomalous |
| BH18186 | Impersonates services related to Ad-Aware security products. | anomalous uncommon |
| BH18187 | Impersonates services related to Agnitum security products. | anomalous uncommon |
| BH18188 | Impersonates services related to AhnLab security products. | anomalous uncommon |
| BH18189 | Impersonates services related to Avast security products. | uncommon anomalous |
| BH18190 | Impersonates services related to AVG security products. | uncommon anomalous |
| BH18191 | Impersonates services related to Avira security products. | uncommon anomalous |
| BH18192 | Impersonates services related to BitDefender security products. | uncommon anomalous |
| BH18193 | Impersonates services related to CA security products. | anomalous uncommon |
| BH18194 | Impersonates services related to ClamAV security products. | anomalous uncommon |
| BH18195 | Impersonates services related to common security products, firewalls or anti-virus solutions. | uncommon |
| BH18196 | Impersonates services related to DrWeb security products. | anomalous important uncommon |
| BH18197 | Impersonates services related to ESET security products. | uncommon anomalous |
| BH18198 | Impersonates services related to F-Secure security products. | uncommon |
| BH18199 | Impersonates services related to G Data security products. | anomalous uncommon |
| BH18200 | Impersonates services related to Ikarus security products. | anomalous |
| BH18201 | Impersonates services related to K7 Computing security products. | anomalous uncommon |
| BH18202 | Impersonates services related to Kaspersky security products. | uncommon |
| BH18203 | Impersonates services related to Kingsoft security products. | uncommon anomalous |
| BH18204 | Impersonates services related to McAfee security products. | uncommon anomalous |
| BH18205 | Impersonates services related to Microsoft security products. | uncommon anomalous |
| BH18206 | Impersonates services related to Norman security products. | uncommon anomalous |
| BH18207 | Impersonates services related to Panda security products. | uncommon anomalous |
| BH18208 | Impersonates services related to QuickHeal security products. | anomalous |
| BH18209 | Impersonates services related to Rising security products. | uncommon anomalous |
| BH18210 | Impersonates services related to Sophos security products. | uncommon anomalous |
| BH18211 | Impersonates services related to Symantec security products. | uncommon anomalous |
| BH18212 | Impersonates services related to TrendMicro security products. | uncommon |
| BH18213 | Impersonates services related to ZoneLabs security products. | uncommon anomalous |
| BH19566 | Might enumerate number of redirects or type of last navigation. | |
