Malicious behavior types

This page explains the names we use for malicious behavior detected on computers or servers.

Note: This page doesn't apply to the legacy "Detect malicious behavior (HIPS)" feature in Sophos Central.

Our behavior classifications are in line with the MITRE ATT&CK framework. We report each detection using a naming standard that gives you information about the attack.

You might see two types of detection, with the naming structure shown below.

Detection type                 Naming structure
Malicious behavior             Tactic_1a (T1234.123)
Malicious behavior in memory   Tactic_1a (T1234.123 mem/family-a)

The detection name consists of the following:

  • MITRE tactic type (“Tactic_1a” in the table above).
  • MITRE technique number ("T1234.123" in the table above).
  • Malware family, for threats found in memory (“mem/family-a” in the table above).

MITRE tactic type

The first part of a detection name indicates the MITRE tactic used. For full details, see MITRE Enterprise Tactics.

Prefix       MITRE tactic
Access_      TA0001 Initial Access
Exec_        TA0002 Execution
Persist_     TA0003 Persistence
Priv_        TA0004 Privilege Escalation
Evade_       TA0005 Defense Evasion
Cred_        TA0006 Credential Access
Discovery_   TA0007 Discovery
Lateral_     TA0008 Lateral Movement
Collect_     TA0009 Collection
Exfil_       TA0010 Exfiltration
C2_          TA0011 Command and Control
Impact_      TA0040 Impact

MITRE technique number

This number indicates the MITRE technique (and sub-technique) most closely associated with the detection event.

For example, a detection associated with malicious PowerShell activity includes “T1059.001” in its name. You can look this up at https://attack.mitre.org/techniques/T1059/001/

For details of techniques, see MITRE Enterprise Techniques.

Malware family

If detections include a recognized threat found in memory, the final part of the name indicates the malware family it belongs to.

Detection name examples

Here are some examples of detection names and what they mean.

Each example lists the detection name, the MITRE technique it maps to, and a comment on what it means.

Exec_6a (T1059.001)
  MITRE technique: Command and Scripting Interpreter: PowerShell
  Comment: Malicious PowerShell activity.

C2_4a (T1059.001 mem/meter-a)
  MITRE technique: Command and Scripting Interpreter: PowerShell
  Comment: Meterpreter threads found in memory during malicious PowerShell activity.

C2_10a (T1071.001)
  MITRE technique: Application Layer Protocol: Web Protocols
  Comment: Malicious network activity over HTTP(S). Most likely a malicious download or Command & Control connection.

C2_1a (T1071.001 mem/fareit-a)
  MITRE technique: Application Layer Protocol: Web Protocols
  Comment: Fareit malware found in memory, making a Command & Control connection over HTTP(S).

Impact_4a (T1486 mem/xtbl-a)
  MITRE technique: Data Encrypted for Impact
  Comment: Xtbl ransomware found in memory encrypting files.

Exec_13a (T1055.002 mem/qakbot-a)
  MITRE technique: Process Injection: Portable Executable Injection
  Comment: Qakbot malware found in memory when the malware runs.

Exec_14a (T1055.012 mem/androm-a)
  MITRE technique: Process Injection: Process Hollowing
  Comment: Andromeda malware found in memory when the malware is running (as it uses process hollowing).

Priv_1a (T1068)
  MITRE technique: Exploitation for Privilege Escalation
  Comment: Malicious activity where the process attempts to escalate its privilege level.
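The naming structure described above (tactic prefix, technique number, optional "mem/family" part) is regular enough to parse automatically, which is useful when triaging detections exported from the console. The following parser is an added example written for this page; it is not Sophos code. It uses the prefix-to-tactic table from this page, builds the MITRE technique URL in the same form the page shows for T1059.001, and summarizes a batch of names taken from the examples table. The detection names in the sample list are the ones on this page; the summary layout is the example's own choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Prefix -> MITRE Enterprise tactic ID, copied from the prefix table on this page.
TACTIC_BY_PREFIX = {
    "Access": "TA0001", "Exec": "TA0002", "Persist": "TA0003", "Priv": "TA0004",
    "Evade": "TA0005", "Cred": "TA0006", "Discovery": "TA0007", "Lateral": "TA0008",
    "Collect": "TA0009", "Exfil": "TA0010", "C2": "TA0011", "Impact": "TA0040",
}

# Tactic_<variant> (T<technique>[.<sub-technique>] [mem/<family>])
NAME_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9]+)_(?P<variant>\d+[a-z]?)\s*"
    r"\((?P<technique>T\d{4}(?:\.\d{3})?)"
    r"(?:\s+mem/(?P<family>[A-Za-z0-9\-]+))?\)$"
)


@dataclass(frozen=True)
class Detection:
    prefix: str          # e.g. "C2"
    variant: str         # e.g. "4a"
    tactic_id: str       # e.g. "TA0011"
    technique: str       # e.g. "T1059.001"
    family: Optional[str]  # e.g. "meter-a", or None for non-memory detections

    @property
    def in_memory(self) -> bool:
        # Only "Malicious behavior in memory" detections carry a malware family.
        return self.family is not None

    @property
    def technique_url(self) -> str:
        # Same form as the page's example: T1059.001 -> /techniques/T1059/001/
        return "https://attack.mitre.org/techniques/" + self.technique.replace(".", "/") + "/"


def parse_detection(name: str) -> Detection:
    """Split a detection name into its tactic, technique and (optional) family parts."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised detection name: {name!r}")
    prefix = m.group("prefix")
    if prefix not in TACTIC_BY_PREFIX:
        raise ValueError(f"unknown tactic prefix {prefix!r} in {name!r}")
    return Detection(prefix, m.group("variant"), TACTIC_BY_PREFIX[prefix],
                     m.group("technique"), m.group("family"))


def summarize(names: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count detections per MITRE tactic and list the malware families seen in memory."""
    by_tactic: Dict[str, int] = {}
    in_memory: List[str] = []
    for name in names:
        d = parse_detection(name)
        by_tactic[d.tactic_id] = by_tactic.get(d.tactic_id, 0) + 1
        if d.in_memory:
            in_memory.append(d.family)
    return by_tactic, in_memory


# Sample batch: the detection names from this page's examples table.
SAMPLE_NAMES = [
    "Exec_6a (T1059.001)",
    "C2_4a (T1059.001 mem/meter-a)",
    "C2_10a (T1071.001)",
    "C2_1a (T1071.001 mem/fareit-a)",
    "Impact_4a (T1486 mem/xtbl-a)",
    "Exec_13a (T1055.002 mem/qakbot-a)",
    "Exec_14a (T1055.012 mem/androm-a)",
    "Priv_1a (T1068)",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        d = parse_detection(n)
        print(f"{n:36} tactic={d.tactic_id} technique={d.technique} "
              f"in_memory={d.in_memory} {d.technique_url}")
    counts, families = summarize(SAMPLE_NAMES)
    print("per tactic:", counts)
    print("families in memory:", families)
```

Unknown prefixes raise rather than being silently mapped, so a new tactic prefix in a future export shows up as an error instead of being miscounted.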