Malicious behavior types

This page explains the names we use for malicious behavior detected on computers or servers.

Note: This page doesn't apply to the legacy "Detect malicious behavior (HIPS)" feature in Sophos Central.

Our behavior classifications are in line with the MITRE ATT&CK framework. We report each detection using a naming standard that gives you information about the attack.

You might see two types of detection, with the naming structure shown below.

Detection type                  Naming structure
----------------------------    ----------------------------------
Malicious behavior              Tactic_1a (T1234.123)
Malicious behavior in memory    Tactic_1a (T1234.123 mem/family-a)

The detection name consists of the following:

  • MITRE tactic type ("Tactic_1a" in the table above).
  • MITRE technique number ("T1234.123" in the table above).
  • Malware family, for threats found in memory ("mem/family-a" in the table above).

MITRE tactic type

The first part of a detection name indicates the MITRE tactic used. For full details, see MITRE Enterprise Tactics.

  • TA0001 Initial Access
  • TA0002 Execution
  • TA0003 Persistence
  • TA0004 Privilege Escalation
  • TA0005 Defense Evasion
  • TA0006 Credential Access
  • TA0007 Discovery
  • TA0008 Lateral Movement
  • TA0009 Collection
  • TA0010 Exfiltration
  • TA0011 Command and Control
  • TA0040 Impact

MITRE technique number

This number indicates the MITRE technique (and sub-technique) most closely associated with the detection event.

For example, a detection associated with malicious PowerShell activity includes “T1059.001” in its name. You can look this up at

For details of techniques, see MITRE Enterprise Techniques.

Malware family

If a detection includes a recognized threat found in memory, the final part of the name indicates the malware family that threat belongs to.

Detection name examples

Here are some examples of detection names and what they mean.

Detection name                       MITRE technique                                     Meaning
---------------------------------    ------------------------------------------------    -------
Exec_6a (T1059.001)                  Command and Scripting Interpreter: PowerShell       Malicious PowerShell activity.
C2_4a (T1059.001 mem/meter-a)        Command and Scripting Interpreter: PowerShell       Meterpreter threads found in memory during malicious PowerShell activity.
C2_10a (T1071.001)                   Application Layer Protocol: Web Protocols           Malicious network activity over HTTP(S), most likely a malicious download or a Command & Control connection.
C2_1a (T1071.001 mem/fareit-a)       Application Layer Protocol: Web Protocols           Fareit malware found in memory, making a Command & Control connection over HTTP(S).
Impact_4a (T1486 mem/xtbl-a)         Data Encrypted for Impact                           Xtbl ransomware found in memory encrypting files.
Exec_13a (T1055.002 mem/qakbot-a)    Process Injection: Portable Executable Injection    Qakbot malware found in memory when the malware runs.
Exec_14a (T1055.012 mem/androm-a)    Process Injection: Process Hollowing                Andromeda malware found in memory while the malware is running (it uses process hollowing).
Priv_1a (T1068)                      Exploitation for Privilege Escalation               Malicious activity where the process attempts to escalate its privilege level.
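The naming structure described above (tactic prefix, technique number, optional "mem/family" suffix) is regular enough to parse automatically, which is useful when routing alerts or enriching them with ATT&CK links. The following is an added example, not Sophos code: it parses the example names from the table above into their components. The mapping from prefixes such as "Exec" and "C2" to tactic IDs is an assumption inferred from those examples, not something the page documents, so unknown prefixes are passed through unmapped; the "variant" label for the "_1a" part and the attack.mitre.org URL format are also this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASSUMPTION: prefix-to-tactic mapping inferred from the examples table
# (Exec -> Execution, Priv -> Privilege Escalation, C2 -> Command and
# Control, Impact -> Impact). Prefixes not listed here are left unmapped.
TACTIC_PREFIXES = {
    "Exec": ("TA0002", "Execution"),
    "Priv": ("TA0004", "Privilege Escalation"),
    "C2": ("TA0011", "Command and Control"),
    "Impact": ("TA0040", "Impact"),
}

# Matches "Tactic_1a (T1234.123)" and "Tactic_1a (T1234.123 mem/family-a)".
# The sub-technique part (".123") is optional, as in "Priv_1a (T1068)".
DETECTION_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9]+)_(?P<variant>\d+[a-z])"
    r" \((?P<technique>T\d{4})(?:\.(?P<sub>\d{3}))?"
    r"(?: mem/(?P<family>[A-Za-z0-9-]+))?\)$"
)


@dataclass(frozen=True)
class Detection:
    name: str
    tactic_prefix: str            # e.g. "C2"
    tactic_id: Optional[str]      # e.g. "TA0011", None if prefix is unmapped
    tactic_name: Optional[str]    # e.g. "Command and Control"
    variant: str                  # e.g. "4a" (hypothetical label for the suffix)
    technique: str                # e.g. "T1059"
    sub_technique: Optional[str]  # e.g. "T1059.001", None if absent
    in_memory: bool               # True when a "mem/family" suffix is present
    family: Optional[str]         # e.g. "meter-a"

    @property
    def attack_url(self) -> str:
        """ATT&CK page for the technique (or sub-technique) in the name."""
        base = "https://attack.mitre.org/techniques/"
        if self.sub_technique:
            tech, sub = self.sub_technique.split(".")
            return f"{base}{tech}/{sub}/"
        return f"{base}{self.technique}/"


def parse_detection(name: str) -> Detection:
    """Split a detection name into its components; raise ValueError if malformed."""
    m = DETECTION_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognized detection name: {name!r}")
    tactic = TACTIC_PREFIXES.get(m["prefix"])
    sub = f"{m['technique']}.{m['sub']}" if m["sub"] else None
    return Detection(
        name=name.strip(),
        tactic_prefix=m["prefix"],
        tactic_id=tactic[0] if tactic else None,
        tactic_name=tactic[1] if tactic else None,
        variant=m["variant"],
        technique=m["technique"],
        sub_technique=sub,
        in_memory=m["family"] is not None,
        family=m["family"],
    )


def group_by_tactic(names: List[str]) -> Dict[str, List[Detection]]:
    """Bucket detections by tactic name (unmapped prefixes go under the prefix)."""
    groups: Dict[str, List[Detection]] = {}
    for n in names:
        d = parse_detection(n)
        groups.setdefault(d.tactic_name or d.tactic_prefix, []).append(d)
    return groups


def memory_detections(names: List[str]) -> List[Detection]:
    """Return only detections that carry a malware family found in memory."""
    return [d for d in (parse_detection(n) for n in names) if d.in_memory]


# Sample input: the example names from the table above.
EXAMPLE_NAMES = [
    "Exec_6a (T1059.001)",
    "C2_4a (T1059.001 mem/meter-a)",
    "C2_10a (T1071.001)",
    "C2_1a (T1071.001 mem/fareit-a)",
    "Impact_4a (T1486 mem/xtbl-a)",
    "Exec_13a (T1055.002 mem/qakbot-a)",
    "Exec_14a (T1055.012 mem/androm-a)",
    "Priv_1a (T1068)",
]

if __name__ == "__main__":
    for tactic, dets in group_by_tactic(EXAMPLE_NAMES).items():
        print(tactic)
        for d in dets:
            mem = f" [memory: {d.family}]" if d.in_memory else ""
            print(f"  {d.name:<34} {d.attack_url}{mem}")
```

Names that do not match the documented structure raise ValueError rather than being silently mis-parsed, so a change in the naming scheme shows up as an error in the pipeline instead of as missing enrichment.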