View detections on phish.report
Indicator of Kit (IOK) is an open source detection language for phishing site techniques, kits, and threat actors
- Simple: rules use Sigma, a straightforward detection rule language
- Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.
Use cases:
- Identify fingerprints of known threat actors
- Discover anti-analysis techniques
- Classify which specific phishing kit is in use on a page
- Identify deceptive websites dropping malicious software
- Discover APT infrastructure
- Detect malware C&C panels
Creating indicators
IOK indicators are written in Sigma rule syntax. A rule's selections match against the following fields, which are captured from the live page (the list-typed fields match if any element matches):
Field name | Type | Description |
---|---|---|
title | string | The title of the site as shown in a browser |
hostname | string | The hostname of the site |
html | string | The contents of the page HTML (as returned by the server) |
dom | string | The contents of the page HTML after loading (e.g. after javascript has executed) |
js | []string | Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally) |
css | []string | Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets) |
cookies | []string | Cookies from the page. Each is in the form cookieName=value |
headers | []string | Headers sent by the server. Each is in the form Header-Name: value |
requests | []string | URLs of requests made by the page (and assets loaded by the page) |
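To make the field table concrete, here is an added, self-contained evaluator that applies a Sigma-shaped rule to a page capture built from exactly those fields. This is example code written for this page, not IOK's or phish.report's own matching engine; the page capture, the rule, its kit name and its fingerprint strings are all constructed and describe no real site or kit, and the rule is written as a Python dict rather than the YAML an IOK rule file would hold. The Sigma semantics implemented (keys within a selection ANDed, list values ORed unless `|all`, the `contains`/`startswith`/`endswith`/`re` modifiers, and `and`/`or`/`not`/`1 of`/`all of` in the condition) are an assumed subset.

```python
"""Toy evaluator for a Sigma-style IOK rule against captured page fields (example, not IOK's engine)."""
import fnmatch
import re

# Constructed page capture using the field names from the table above.
# Nothing here is a real site; the hostname uses the reserved .example TLD.
PAGE = {
    "title": "Sign in to your account",
    "hostname": "login-verify.example",
    "html": '<html><head><title>Sign in to your account</title></head>'
            '<body><form action="/process.php" method="post"></form></body></html>',
    "dom": '<html><head><title>Sign in to your account</title></head>'
           '<body class="loaded"><form action="/process.php" method="post"></form></body></html>',
    "js": [
        "if (navigator.webdriver) { window.location = 'about:blank'; }",
        "document.body.className = 'loaded';",
    ],
    "css": [".login-box { width: 400px; }"],
    "cookies": ["PHPSESSID=0123456789abcdef"],
    "headers": ["Server: Apache", "Content-Type: text/html; charset=UTF-8"],
    "requests": [
        "https://login-verify.example/process.php",
        "https://login-verify.example/assets/app.js",
    ],
}

# Hypothetical rule in Sigma's structure (an IOK rule file holds the same shape
# in YAML). Kit name and fingerprint strings are made up for this example.
RULE = {
    "title": "Example kit: webdriver anti-analysis check plus PHP form handler",
    "description": "Constructed for this example; not a published IOK rule.",
    "detection": {
        # Keys within one selection are ANDed; a list of values is ORed...
        "selection_form": {"html|contains": ["process.php", "submit.php"]},
        # ...unless the |all modifier is present, which ANDs the list instead.
        "selection_antibot": {"js|contains|all": ["navigator.webdriver", "about:blank"]},
        # A filter selection lets the condition carve out known-good hosts.
        "filter_known_good": {"hostname|endswith": ".example.com"},
        "condition": "selection_form and selection_antibot and not filter_known_good",
    },
}


def _match_value(op, actual, expected):
    """Apply one Sigma value modifier to a single string."""
    if op == "contains":
        return expected in actual
    if op == "startswith":
        return actual.startswith(expected)
    if op == "endswith":
        return actual.endswith(expected)
    if op == "re":
        return re.search(expected, actual) is not None
    return actual == expected  # no modifier: exact match


def match_field(page, key, expected):
    """Evaluate 'field|modifier[|all]' against the page; list-typed fields match on any element."""
    field, *mods = key.split("|")
    op = next((m for m in mods if m != "all"), "equals")
    want_all = "all" in mods
    values = page.get(field, [])
    if isinstance(values, str):
        values = [values]
    expected_list = expected if isinstance(expected, list) else [expected]
    hits = [any(_match_value(op, v, e) for v in values) for e in expected_list]
    return all(hits) if want_all else any(hits)


def match_selection(page, selection):
    return all(match_field(page, k, v) for k, v in selection.items())


class _Condition:
    """Tiny recursive-descent evaluator for and/or/not, parentheses, and '1 of'/'all of' wildcards."""

    def __init__(self, text, results):
        self.toks = re.findall(r"\(|\)|[\w*]+", text)
        self.i = 0
        self.results = results  # selection name -> bool

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def expr(self):  # expr := term ('or' term)*
        v = self.term()
        while self._peek() == "or":
            self._take()
            v = self.term() or v
        return v

    def term(self):  # term := factor ('and' factor)*
        v = self.factor()
        while self._peek() == "and":
            self._take()
            v = self.factor() and v
        return v

    def factor(self):  # factor := 'not' factor | '(' expr ')' | quantifier | NAME
        tok = self._take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            v = self.expr()
            assert self._take() == ")", "unbalanced parentheses in condition"
            return v
        if tok in ("1", "all") and self._peek() == "of":
            self._take()
            names = fnmatch.filter(self.results, self._take())
            return (any if tok == "1" else all)(self.results[n] for n in names)
        return self.results[tok]


def evaluate_rule(rule, page):
    """Return True when the rule's condition holds for the captured page."""
    detection = rule["detection"]
    results = {name: match_selection(page, sel) for name, sel in detection.items() if name != "condition"}
    return _Condition(detection["condition"], results).expr()


if __name__ == "__main__":
    print(RULE["title"], "->", evaluate_rule(RULE, PAGE))
```

Swapping the `js` entries for benign scripts, or giving the page a hostname ending in `.example.com`, flips the verdict to False, which is the point of pairing a positive selection with a filter in the condition. Matching here is case-sensitive and takes values literally except under `|re`; treat it as an illustration of how the fields in the table combine, not as a description of how phish.report evaluates published rules.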
We are always looking for contributions: there are far more phishing kits and techniques than a single team can analyse!
To contribute a new rule:
- Check that an equivalent rule doesn't already exist
- Open a pull request adding your new file in the indicators/ folder
- We'll review it and merge your PR
- It'll go live on phish.report/IOK!
Comparison to similar projects
| | IOK | PhishingKit-Yara-Rules | Wappalyzer |
|---|---|---|---|
| Open source | yes | yes | no |
| Ruleset size | > 215 rules | 500 rules | 1000s of rules |
| Can scan | Live websites | Phishing kit zips | Live websites |
| Phishing focused | yes | yes | no |
| Supports complex conditions | yes | yes | no |
| Sends out stickers to contributors | yes | no | no |
Contributing
There's a reference on how to write IOK rules in the Phish Report documentation.
License
This project is ODbL licensed. You're free to use the rules in your own projects (including commercial ones!) as long as you credit phish.report/IOK as the source.
For more details, read OpenStreetMap's guidance on the ODbL (OpenStreetMap also uses that license).