Malicious behavior types
This page explains the names we use for malicious behavior detected on computers or servers.
Restriction
This page doesn’t apply to the legacy "Detect malicious behavior (HIPS)" feature in Sophos Central
Our behavior classifications are in line with the MITRE ATT&CK framework. We report each detection using a naming standard that gives you information about the attack.
You might see two types of detection, with the naming structure shown below.
Detection name examples
| Detection type | Naming structure |
|---|---|
| Malicious behavior | Tactic_1a (T1234.123) |
| Malicious behavior in memory | Tactic_1a (T1234.123 mem/family-a) |
The detection name consists of the following:
- MITRE tactic type (“
Tactic_1a” in the table above). - MITRE technique number ("
T1234.123" in the table above). - Malware family, for threats found in memory (“
mem/family-a” in the table above).
MITRE tactic type
The first part of a detection name indicates the MITRE tactic used. For full details, see MITRE Enterprise Tactics.
| Prefix | MITRE tactic |
|---|---|
Access_ | TA0001 Initial Access |
Exec_ | TA0002 Execution |
Persist_ | TA0003 Persistence |
Priv_ | TA0004 Privilege Escalation |
Evade_ | TA0005 Defense Evasion |
Cred_ | TA0006 Credential Access |
Discovery_ | TA0007 Discovery |
Lateral_ | TA0008 Lateral Movement |
Collect_ | TA0009 Collection |
Exfil_ | TA0010 Exfiltration |
C2_ | TA0011 Command and Control |
Impact_ | TA0040 Impact |
In addition to the above, some contextual rules use the following prefixes:
| Prefix | Description |
|---|---|
Disrupt_ | Block malicious behavior associated with active adversary attacks. |
Cleanup_ | Remove malicious artifacts associated with another blocking detection. |
You can suppress behavior detection events in the same way as you stop detecting ransomware. You can also revert remediation actions, such as restoring deleted files or registry keys, in the same way as you stop detecting an application. See How to deal with threats.
MITRE technique number
This number indicates the MITRE technique (and sub-technique) most closely associated with the detection event.
For example, a detection associated with malicious PowerShell activity includes “T1059.001” in its name. You can look this up at https://attack.mitre.org/techniques/T1059/001/
For details of techniques, see MITRE Enterprise Techniques.
Malware family
If detections include a recognized threat found in memory, the final part of the name indicates the malware family it belongs to.
Detection name examples
Here are some examples of detection names and what they mean.
| Detection name | MITRE technique | Comment |
|---|---|---|
Exec_6a (T1059.001) | Command and Scripting Interpreter: PowerShell | Malicious PowerShell activity. |
C2_4a (T1059.001 mem/meter-a) | Command and Scripting Interpreter: PowerShell | Meterpreter threads found in memory during malicious PowerShell activity. |
C2_10a (T1071.001) | Application Layer Protocol: Web Protocols | Malicious network activity over HTTP(S). Most likely malicious download or Command & Control connection. |
C2_1a (T1071.001 mem/fareit-a) | Application Layer Protocol: Web Protocols | Fareit malware found in memory, making Command & Control connection over HTTP(S). |
Impact_4a (T1486 mem/xtbl-a) | Data Encrypted for Impact | Xtbl ransomware found in memory encrypting files. |
Exec_13a (T1055.002 mem/qakbot-a) | Process Injection: Portable Executable Injection | Qakbot malware found in memory when malware runs. |
Exec_14a (T1055.012 mem/androm-a) | Process Injection: Process Hollowing | Andromeda malware found in memory when malware is running (as it uses process hollowing). |
Priv_1a (T1068) | Exploitation for Privilege Escalation | Malicious activity where the process attempts to escalate its privilege level. |