phish-report/IOK
IOK (Indicator Of Kit) is an open source language and ruleset for detecting phishing threat actor tools and tactics
View detections on phish.report 🐟
Indicator of Kit is an open source detection language for phishing site techniques, kits, and threat actors 🕵️
- Simple: based on Sigma, a simple detection rules language 🚀
- Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.
Use cases:
- Identify fingerprints of known threat actors
- Discover anti-analysis techniques
- Classify which specific phishing kit is in use on a page
- Identify deceptive websites dropping malicious software
- Discover APT infrastructure
- Detect malware C&C panels
IOK indicators are written using Sigma. The fields a rule can match against are:
Field name | Type | Description |
---|---|---|
title | []string | The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains each one. |
hostname | string | The hostname of the site |
html | string | The contents of the page HTML (as returned by the server) |
dom | string | The contents of the page HTML after loading (e.g. after javascript has executed) |
js | []string | Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally) |
css | []string | Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets) |
cookies | []string | Cookies from the page. Each is in the form cookieName=value |
headers | []string | Headers sent by the server. Each is in the form Header-Name: value |
requests | []string | URLs of requests made by the page (and assets loaded by the page) |
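As an added example (not the project's own code or matching engine), here is a simplified Sigma-style evaluator that applies one constructed IOK-shaped rule to page records built from the fields above. The rule text, the brand name and the hostnames are constructed for this illustration; the modifiers it supports (contains, startswith, endswith, re) follow general Sigma convention, and the condition grammar is a deliberately reduced subset, so it shows how the field model is consumed rather than how phish.report itself evaluates rules.

```python
import re

# Rule in the Sigma shape that IOK builds on, written as a Python dict
# instead of YAML so the example runs with no extra dependencies.
# The brand, domains and description are constructed for this example.
RULE = {
    "title": "ExampleBank sign-in page hosted off the brand's domain",
    "description": "Page presents itself as an ExampleBank sign-in form "
                   "but is not served from an ExampleBank hostname.",
    "detection": {
        "selection": {
            "title|contains": "ExampleBank",
            "html|contains": ["<form", '<input type="password"'],
            "cookies|startswith": "PHPSESSID=",
        },
        "filter": {
            "hostname|endswith": ".examplebank.example",
        },
        "condition": "selection and not filter",
    },
}


def _field_values(record, field):
    # string fields (hostname, html, dom) become one-element lists;
    # []string fields (title, js, css, cookies, headers, requests) are used as-is.
    value = record.get(field, [])
    return [value] if isinstance(value, str) else list(value)


def _match_value(value, modifier, needle):
    # Apply one Sigma-style modifier ("" means exact equality).
    if modifier == "":
        return value == needle
    if modifier == "contains":
        return needle in value
    if modifier == "startswith":
        return value.startswith(needle)
    if modifier == "endswith":
        return value.endswith(needle)
    if modifier == "re":
        return re.search(needle, value) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def _selector_matches(record, selector):
    # Every key in a selector must match (AND); within one key a list of
    # needles matches if any needle matches (OR), as in Sigma.
    for key, needles in selector.items():
        field, _, modifier = key.partition("|")
        if not isinstance(needles, list):
            needles = [needles]
        values = _field_values(record, field)
        if not any(_match_value(v, modifier, n) for v in values for n in needles):
            return False
    return True


def _eval_condition(condition, results):
    # Reduced condition grammar: names joined by "and"/"or" with "not"
    # prefixes; precedence not > and > or; no parentheses or aggregations.
    tokens = condition.split()
    pos = 0

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return results[name]

    def parse_and():
        nonlocal pos
        out = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            out = parse_not() and out
        return out

    def parse_or():
        nonlocal pos
        out = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            out = parse_and() or out
        return out

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return result


def evaluate(rule, record):
    """Return True if the rule's detection block matches the page record."""
    detection = rule["detection"]
    results = {name: _selector_matches(record, sel)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


# Constructed page captures following the field table above.
SUSPECT_PAGE = {
    "title": ["ExampleBank - Sign in"],
    "hostname": "examplebank-secure-verify.example",
    "html": '<form method="post" action="login.php"><input type="password" name="pw"></form>',
    "dom": '<form method="post" action="login.php"><input type="password" name="pw"></form>',
    "js": [],
    "css": [],
    "cookies": ["PHPSESSID=0123456789abcdef"],
    "headers": ["Server: nginx"],
    "requests": ["https://examplebank-secure-verify.example/login.php"],
}
# Same capture served from the brand's own domain: the filter suppresses it.
LEGITIMATE_PAGE = dict(SUSPECT_PAGE, hostname="login.examplebank.example")

if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT_PAGE), ("legitimate", LEGITIMATE_PAGE)):
        print(f"{label:10s} hostname={page['hostname']} match={evaluate(RULE, page)}")
```

The filter selector is what keeps the rule from firing on the brand's real sign-in page; when writing a rule against `hostname`, put the allow-listed domains in a filter referenced with `not` in the condition rather than trying to encode them in the main selection.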
We are always looking for contributions: there are far more phishing kits and techniques than a single team can analyse!
To contribute a new rule:
- Try to make sure it doesn't already exist
- Open a pull request, adding your new file in the indicators/ folder
- We'll review it and merge your PR
- It'll go live on phish.report/IOK!
Feature | IOK | PhishingKit-Yara-Rules | Wappalyzer |
---|---|---|---|
Open Source | ✅ | ✅ | ✅ |
Ruleset size | > 215 Rules 🦐 | 500 rules 🐠 | 1000s of rules 🐳 |
Can scan | Live websites 🕸 | Phishing kit zips 📦 | Live websites 🕸 |
Phishing focused | ✅ | ✅ | ❌ |
Supports complex conditions | ✅ | ✅ | ❌ |
Sends out stickers to contributors 🎁 | ✅ | ❌ | ❌ |
There's a reference on how to write IOK rules in the Phish Report documentation.
This project is ODbL licensed. You're free to use the rules in your own projects (including commercial ones!) as long as you credit phish.report/IOK as the source.
For more details, read OpenStreetMap's guidance (who also use the ODbL license).