Threat Categories
The RST Cloud engine categorises various types of malicious and unwanted activities to give you more control over exactly what you’d like to detect and block in your environment.
The table below outlines the categories of malicious activity tracked by the RST Threat Feed. Our focus is mainly on significant attacks and incidents, but we also cover supporting categories such as proxies, VPNs, and cryptomining, since detection engineers can use them as building blocks for more complex detection logic.
Category | Description |
---|---|
generic | General category for items that don't fit into any other specific category |
malware | Hosts associated with distributing or hosting malware, malvertising, malspam, and malicious documents. Used when no other specific category is assigned but the indicator is stated as malicious by a TI source |
backdoor | Hosts providing unauthorised remote access to a system, often used by attackers after initial compromise |
badbot | Bots engaged in malicious activities such as scraping, spamming, or attacking websites |
banker | Hosts distributing banker malware targeting online banking credentials, including clipbanker |
bootkit | Hosts distributing bootkit malware that affects the system's boot process |
botnet | Nodes in a botnet, including those comprised of IoT devices |
c2 | Command and control servers used to manage and communicate with compromised systems |
clicker | Hosts distributing clicker malware, which generates fraudulent clicks on ads or web elements |
cryptomining | Hosts engaged in cryptomining or coin mining, which may or may not be malicious |
ddos | Hosts involved in distributed denial-of-service (DDoS) attacks or offering DDoS-as-a-service |
dns | Hosts abusing DNS, such as for malicious redirects or tunneling |
downloader | Hosts distributing downloader malware that installs additional malicious software onto infected systems |
drainer | Hosts involved in draining, the act of transferring funds or assets fraudulently |
dropper | Hosts distributing droppers, programs designed to install malware onto a system, sometimes offered as a service |
fraud | Hosts involved in fraudulent activities including e-skimmers, carding, and other financial fraud |
keylogger | Hosts distributing keyloggers, including remote and PowerShell-based keyloggers that capture keystrokes |
phishing | Indicators related to phishing (fraudulent attempts to obtain sensitive information), vishing, smishing, whaling, and smishing-as-a-service |
proxy | Free and paid proxy services used to perform attacks or conceal attackers' activities |
raas | Hosts involved in ransomware-as-a-service (RaaS), offering ransomware as a service to other attackers |
ransomware | Hosts distributing ransomware that encrypts files and demands ransom for decryption, including cryptolockers |
rat | Hosts distributing remote access trojans (RATs) that allow attackers to control infected systems remotely |
rootkit | Hosts distributing rootkits, malicious software designed to hide other malware and gain root access |
scam | Hosts involved in scamming activities including scams-as-a-service, where scammers offer their services to others |
scan | Hosts involved in scanning activities, including network scanning and probing |
screenshotter | Hosts distributing screenshotter malware that captures screenshots of infected systems |
shellprobe | Hosts probing for SSH, RDP, and VNC access, indicating attempts to find open access points |
spam | Hosts known for sending unsolicited and unwanted emails or messages |
spyware | Hosts distributing spyware, software that secretly monitors and collects user information |
stealer | Hosts distributing stealers designed to steal information, including cryptocurrencies |
tor_exit | Nodes in the Tor network that serve as exit points, often used to anonymize malicious activity |
tor_node | General nodes within the Tor network, including both entry and relay nodes |
torrent | Hosts involved in distributing or facilitating torrent-based file sharing, often used for illegal content |
trojan | Hosts distributing trojans, malicious programs disguised as legitimate software |
vpn | Free and paid VPN services used to perform attacks or conceal attackers' activities |
vulndriver | Hosts distributing vulndrivers that exploit vulnerabilities in system drivers |
webattack | Hosts involved in attacks against websites, such as SQL injection, cross-site scripting, or other web-based attacks |
wiper | Hosts distributing wiper malware that destroys data on infected systems, including polymorphic variants |
Although categories such as spam and ddos are included, the feed does not attempt to list every possible indicator for them, since standalone indicators for such high-volume activity are often of little detection value. Instead, we concentrate on instances linked to noteworthy malicious events, which keeps the feed focused on impactful threats.
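The following is an added example, not RST Cloud's own code, of the kind of tiered detection logic the categories above make possible: malicious-infrastructure categories are blocked outright, inbound-attack categories are escalated only when local telemetry shows the host actually reached a remote-access port, and context-only categories (proxy, vpn, tor_exit) raise an alert only when combined with a local signal such as repeated login failures. The page does not show the feed's record format, so the field names `ioc`, `categories` and `last_seen`, the sample records and the local telemetry are constructed assumptions; only the category names come from the table.

```python
"""Category-driven triage of threat-feed indicators.

Added example, not RST Cloud's own code. The record layout (`ioc`,
`categories`, `last_seen`) and all sample data are constructed assumptions;
only the category names are taken from the feed's category table.
"""
from datetime import date

# Categories whose indicators are malicious infrastructure by definition:
# a connection to them is itself the signal, so they can be blocked directly.
BLOCK = {
    "c2", "backdoor", "rat", "ransomware", "raas", "stealer", "wiper",
    "dropper", "downloader", "banker", "trojan", "keylogger", "spyware",
    "rootkit", "bootkit", "screenshotter", "clicker", "vulndriver",
    "malware", "phishing", "drainer", "fraud", "scam", "botnet", "dns",
}
# Inbound-attack categories: noisy on their own, escalate only when our own
# logs show the host reached one of the services it was probing for.
INBOUND = {"scan", "shellprobe", "webattack", "ddos", "badbot", "spam"}
# Context categories: not malicious by themselves; useful only when combined
# with a local signal.
CONTEXT = {"proxy", "vpn", "tor_exit", "tor_node", "cryptomining", "torrent", "generic"}

# Remote-access ports named in the shellprobe description (SSH, RDP, VNC).
REMOTE_ACCESS_PORTS = {22, 3389, 5900}

TODAY = date(2024, 5, 3)  # constructed evaluation date

# Constructed feed records (documentation-range IPs, not real indicators).
FEED = [
    {"ioc": "203.0.113.10", "categories": ["c2", "malware"], "last_seen": date(2024, 5, 2)},
    {"ioc": "198.51.100.7", "categories": ["tor_exit"], "last_seen": date(2024, 5, 1)},
    {"ioc": "192.0.2.55", "categories": ["shellprobe", "scan"], "last_seen": date(2024, 4, 30)},
    {"ioc": "198.51.100.9", "categories": ["vpn"], "last_seen": date(2024, 3, 1)},
]

# Constructed local telemetry keyed by source IP: failed logins observed and
# the destination ports the host touched on our network.
LOCAL = {
    "198.51.100.7": {"auth_failures": 12, "ports": {22}},
    "192.0.2.55": {"auth_failures": 0, "ports": {3389}},
}


def decide(record, local, today, max_age_days=30, failure_threshold=5):
    """Return (action, reason) for one feed record.

    action is one of 'block', 'alert', 'enrich' or 'ignore'.
    """
    cats = set(record["categories"])
    age = (today - record["last_seen"]).days
    if age > max_age_days:
        return "ignore", f"stale indicator, last seen {age} days ago"

    hit = cats & BLOCK
    if hit:
        return "block", "malicious category " + ",".join(sorted(hit))

    telemetry = local.get(record["ioc"], {"auth_failures": 0, "ports": set()})

    if cats & INBOUND:
        # A probing host that reached an admin port on our side is worth a ticket.
        if telemetry["ports"] & REMOTE_ACCESS_PORTS:
            return "alert", "inbound attacker reached a remote-access port"
        return "enrich", "inbound attacker with no local contact"

    if cats & CONTEXT:
        # Anonymising infrastructure only matters together with a local signal.
        if telemetry["auth_failures"] >= failure_threshold:
            return "alert", "anonymising infrastructure with repeated login failures"
        return "enrich", "context-only category, tag and keep"

    return "ignore", "no category mapped"


def triage(feed, local, today):
    """Apply decide() to every record; returns {ioc: (action, reason)}."""
    return {r["ioc"]: decide(r, local, today) for r in feed}


if __name__ == "__main__":
    for ioc, (action, why) in triage(FEED, LOCAL, TODAY).items():
        print(f"{ioc:<15} {action:<7} {why}")
```

The age check matters because the page says the feed concentrates on indicators tied to noteworthy events rather than exhaustive coverage: an old proxy or VPN indicator carries little weight on its own, so it is dropped before any category logic runs. The thresholds and port set are tuning knobs for the reader's own environment, not values from the feed.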