High

Category: generic_detection · Aliases: HighRisk, Risk.High, Generic.High · Sample count (EMBER 2018): 8,417 · Enrichment: insufficient_information · Updated: 2026-07-01T16:03:45Z

Overview

Executive Summary

The "High" classification is a generic risk severity indicator utilized by heuristic antivirus engines and threat intelligence platforms. It is not a specific malware family, but rather a definitive flag indicating that an analyzed file or process exhibits behaviors fundamentally dangerous to the security and integrity of a system.

Behavioral Context and Detection Mechanisms

Security tools assign a "High" risk label when a file engages in activities that strongly correlate with destructive malware or advanced persistent threats (APTs), even if the file's static signature does not match a known database entry. Behaviors that trigger a "High" severity alert include:

Risk Assessment and Incident Triage

An alert classified as "High" requires immediate, critical incident response. Unlike generic adware labels, a "High" detection indicates an active attempt to compromise the network, steal data, or cause significant operational disruption.

Response and Eradication Strategy

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1204

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_HIGH {
    meta:
        description = "Detects High (generic_detection)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "high" ascii wide nocase
        $s2 = "highrisk" ascii wide nocase
        $s3 = "risk.high" ascii wide nocase
        $s4 = "generic.high" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious High Activity
id: 8d966b2253a917086c8604959e152243
status: experimental
description: Detects generic indicators of the high malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*high*"
            - "*highrisk*"
            - "*risk.high*"
            - "*generic.high*"
    condition: selection
level: medium

References & External Analysis

Related Families (Category: generic_detection)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/high.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.