Skip to content

Malicious behavior types

This page explains the names we use for malicious behavior detected on computers or servers.


This page doesn’t apply to the legacy "Detect malicious behavior (HIPS)" feature in Sophos Central

Our behavior classifications are in line with the MITRE ATT&CK framework. We report each detection using a naming standard that gives you information about the attack.

You might see two types of detection, with the naming structure shown below.

Detection name examples

Detection type Naming structure
Malicious behavior Tactic_1a (T1234.123)
Malicious behavior in memory Tactic_1a (T1234.123 mem/family-a)

The detection name consists of the following:

  • MITRE tactic type (“Tactic_1a” in the table above).
  • MITRE technique number ("T1234.123" in the table above).
  • Malware family, for threats found in memory (“mem/family-a” in the table above).

MITRE tactic type

The first part of a detection name indicates the MITRE tactic used. For full details, see MITRE Enterprise Tactics.

Prefix MITRE tactic
Access_ TA0001 Initial Access
Exec_ TA0002 Execution
Persist_ TA0003 Persistence
Priv_ TA0004 Privilege Escalation
Evade_ TA0005 Defense Evasion
Cred_ TA0006 Credential Access
Discovery_ TA0007 Discovery
Lateral_ TA0008 Lateral Movement
Collect_ TA0009 Collection
Exfil_ TA0010 Exfiltration
C2_ TA0011 Command and Control
Impact_ TA0040 Impact

In addition to the above, some contextual rules use the following prefixes:

Prefix Description
Disrupt_ Block malicious behaviors associated with active adversary attacks.
Cleanup_ Remove malicious artifacts associated with another blocking detection.

Block malicious behaviors that can lead to defense impairment. See the following pages:

You can suppress behavior detection events in the same way as you stop detecting ransomware. You can also revert remediation actions, such as restoring deleted files or registry keys, in the same way as you stop detecting an application. See How to deal with threats.

MITRE technique number

This number indicates the MITRE technique (and sub-technique) most closely associated with the detection event.

For example, a detection associated with malicious PowerShell activity includes “T1059.001” in its name. You can look this up at

For details of techniques, see MITRE Enterprise Techniques.

Malware family

If detections include a recognized threat found in memory, the final part of the name indicates the malware family it belongs to.

Detection name examples

Here are some examples of detection names and what they mean.

Detection name MITRE technique Comment
Exec_6a (T1059.001) Command and Scripting Interpreter: PowerShell Malicious PowerShell activity.
C2_4a (T1059.001 mem/meter-a) Command and Scripting Interpreter: PowerShell Meterpreter threads found in memory during malicious PowerShell activity.
C2_10a (T1071.001) Application Layer Protocol: Web Protocols Malicious network activity over HTTP(S). Most likely malicious download or Command & Control connection.
C2_1a (T1071.001 mem/fareit-a) Application Layer Protocol: Web Protocols Fareit malware found in memory, making Command & Control connection over HTTP(S).
Impact_4a (T1486 mem/xtbl-a) Data Encrypted for Impact Xtbl ransomware found in memory encrypting files.
Exec_13a (T1055.002 mem/qakbot-a) Process Injection: Portable Executable Injection Qakbot malware found in memory when malware runs.
Exec_14a (T1055.012 mem/androm-a) Process Injection: Process Hollowing Andromeda malware found in memory when malware is running (as it uses process hollowing).
Priv_1a (T1068) Exploitation for Privilege Escalation Malicious activity where the process attempts to escalate its privilege level.

For more information, see Comparison of Sophos malicious file detection technologies.