Skip to content

Malicious behavior types

This page explains the names we use for malicious behavior detected on computers or servers.


This page doesn’t apply to the legacy "Detect malicious behavior (HIPS)" feature in Sophos Central

Our behavior classifications are in line with the MITRE ATT&CK framework. We report each detection using a naming standard that gives you information about the attack.

You might see two types of detection, with the naming structure shown below.

Detection name examples

Detection type Naming structure
Malicious behavior Tactic\_1a (T1234.123)
Malicious behavior in memory Tactic\_1a (T1234.123 mem/family-a)

The detection name consists of the following:

  • MITRE tactic type (“Tactic\_1a” in the table above).
  • MITRE technique number ("T1234.123" in the table above).
  • Malware family, for threats found in memory (“mem/family-a” in the table above).

MITRE tactic type

The first part of a detection name indicates the MITRE tactic used. For full details, see MITRE Enterprise Tactics.

Prefix MITRE tactic
Access\_ TA0001 Initial Access
Exec\_ TA0002 Execution
Persist\_ TA0003 Persistence
Priv\_ TA0004 Privilege Escalation
Evade\_ TA0005 Defense Evasion
Cred\_ TA0006 Credential Access
Discovery\_ TA0007 Discovery
Lateral\_ TA0008 Lateral Movement
Collect\_ TA0009 Collection
Exfil\_ TA0010 Exfiltration
C2\_ TA0011 Command and Control
Impact\_ TA0040 Impact

MITRE technique number

This number indicates the MITRE technique (and sub-technique) most closely associated with the detection event.

For example, a detection associated with malicious PowerShell activity includes “T1059.001” in its name. You can look this up at

For details of techniques, see MITRE Enterprise Techniques.

Malware family

If detections include a recognized threat found in memory, the final part of the name indicates the malware family it belongs to.

Detection name examples

Here are some examples of detection names and what they mean.

Detection name MITRE technique Comment
Exec\_6a (T1059.001) Command and Scripting Interpreter: PowerShell Malicious PowerShell activity.
C2\_4a (T1059.001 mem/meter-a) Command and Scripting Interpreter: PowerShell Meterpreter threads found in memory during malicious PowerShell activity.
C2\_10a (T1071.001) Application Layer Protocol: Web Protocols Malicious network activity over HTTP(S). Most likely malicious download or Command & Control connection.
C2\_1a (T1071.001 mem/fareit-a) Application Layer Protocol: Web Protocols Fareit malware found in memory, making Command & Control connection over HTTP(S).
Impact\_4a (T1486 mem/xtbl-a) Data Encrypted for Impact Xtbl ransomware found in memory encrypting files.
Exec\_13a (T1055.002 mem/qakbot-a) Process Injection: Portable Executable Injection Qakbot malware found in memory when malware runs.
Exec\_14a (T1055.012 mem/androm-a) Process Injection: Process Hollowing Andromeda malware found in memory when malware is running (as it uses process hollowing).
Priv\_1a (T1068) Exploitation for Privilege Escalation Malicious activity where the process attempts to escalate its privilege level.
Back to top