View detections on phish.report 🐟
Indicator of Kit is an open source detection language for phishing site techniques, kits, and threat actors 🕵️
- Simple: based on Sigma, the straightforward YAML detection rule format 🚀
- Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.
Use cases:
- Identify fingerprints of known threat actors
- Discover anti-analysis techniques
- Classify which specific phishing kit is in use on a page
- Identify deceptive websites dropping malicious software
- Discover APT infrastructure
- Detect malware C&C panels
IOK indicators are written using Sigma. A rule's detection logic matches against the following fields captured from a page:

| Field name | Type | Description |
|---|---|---|
| title | []string | The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains each one. |
| hostname | string | The hostname of the site |
| html | string | The contents of the page HTML (as returned by the server) |
| dom | string | The contents of the page HTML after loading (e.g. after JavaScript has executed) |
| js | []string | Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally) |
| css | []string | Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets) |
| cookies | []string | Cookies from the page. Each is in the form `cookieName=value` |
| headers | []string | Headers sent by the server. Each is in the form `Header-Name: value` |
| requests | []string | URLs of requests made by the page (and assets loaded by the page) |
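As an added example (not IOK's or Phish Report's own matching engine), the Python below evaluates a Sigma-style rule against a captured page represented with exactly the field names and types from the table above. The rule is written as a dict with the same shape as a Sigma YAML document (named selections of `field|modifier: pattern` entries plus a `condition` string); the sample page, the rule and its selection names are constructed for illustration and are not indicators of any real kit. It implements the Sigma value modifiers `contains`, `startswith`, `endswith` and `all`, AND within a selection, OR across a pattern list, and a small parser for `and`/`or`/`not`/parentheses in the condition. How closely IOK's real engine follows these Sigma semantics is not stated on this page, so treat that as an assumption.

```python
"""Added example (not IOK's own engine): evaluate a Sigma-style IOK rule over the README's page fields."""
import re

# Constructed sample capture (not a real site) using the README's field names and types.
SAMPLE_PAGE = {
    "title": ["Sign in to your account", "Microsoft"],
    "hostname": "login-microsoft.example",
    "html": "<html><head><title>Sign in</title></head><body></body></html>",
    "dom": '<html><body><input name="passwd" type="password"></body></html>',
    "js": ["if(navigator.webdriver){location='about:blank'}",
           "document.onkeydown=function(e){if(e.keyCode==123)return false}"],
    "css": ["body{background:#fff}"], "cookies": ["PHPSESSID=abc123"],
    "headers": ["Server: Apache", "Content-Type: text/html"],
    "requests": ["https://login-microsoft.example/kit/antibot.js",
                 "https://api.telegram.org/bot<token>/sendMessage"],
}

# Same shape as a Sigma YAML rule: named selections of 'field|modifier: pattern' entries plus a condition.
EXAMPLE_RULE = {
    "title": "Anti-analysis JS with Telegram exfiltration (example rule)",
    "detection": {
        "webdriver_check": {"js|contains": "navigator.webdriver"},
        "devtools_block": {"js|contains": ["keyCode==123", "keyCode===123"]},
        "telegram_exfil": {"requests|startswith": "https://api.telegram.org/bot"},
        "vendor_host": {"hostname|endswith": ".microsoft.com"},
        "condition": "(webdriver_check or devtools_block) and telegram_exfil and not vendor_host",
    },
}

MODIFIERS = {
    None: lambda v, p: v == p,  # no modifier: exact match
    "contains": lambda v, p: p in v,
    "startswith": lambda v, p: v.startswith(p),
    "endswith": lambda v, p: v.endswith(p),
}

def match_entry(page, key, patterns):
    """One 'field|modifier[|all]: pattern(s)' entry. A list of patterns is
    OR-ed unless '|all' is given; a string field is treated as a 1-item list."""
    field, *mods = key.split("|")
    matcher = MODIFIERS[next((m for m in mods if m != "all"), None)]
    values = page.get(field, [])
    values = values if isinstance(values, list) else [values]
    patterns = [patterns] if isinstance(patterns, str) else patterns
    hits = [any(matcher(v, p) for v in values) for p in patterns]
    return all(hits) if "all" in mods else any(hits)

def match_selection(page, selection):
    """Every entry in a selection must match (Sigma's implicit AND)."""
    return all(match_entry(page, k, v) for k, v in selection.items())

class Condition:
    """and/or/not/parentheses over selection results ('1 of' / 'all of' are not handled)."""

    def __init__(self, text, results):
        self.tokens = re.findall(r"\(|\)|\w+", text)
        self.results, self.pos = results, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def parse(self):
        result = self.expr_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return result

    def expr_or(self):
        result = self.expr_and()
        while self.peek() == "or":
            self.pos += 1
            result = self.expr_and() or result
        return result

    def expr_and(self):
        result = self.expr_not()
        while self.peek() == "and":
            self.pos += 1
            result = self.expr_not() and result
        return result

    def expr_not(self):
        token, self.pos = self.peek(), self.pos + 1
        if token == "not":
            return not self.expr_not()
        if token == "(":
            result, close = self.expr_or(), self.peek()
            self.pos += 1
            if close != ")":
                raise ValueError("expected ')'")
            return result
        return self.results[token]  # KeyError on an unknown selection name

def evaluate(rule, page):
    """True when the rule's condition holds for the captured page."""
    detection = rule["detection"]
    results = {name: match_selection(page, sel)
               for name, sel in detection.items() if name != "condition"}
    return Condition(detection["condition"], results).parse()
```

`evaluate(EXAMPLE_RULE, SAMPLE_PAGE)` returns True. Change `hostname` to a `.microsoft.com` host and the `not vendor_host` clause suppresses the match, which is the usual way to stop a technique-level rule firing on the legitimate brand's own site.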
We are always looking for contributions: there are far more phishing kits and techniques than a single team can analyse!
To contribute a new rule:
- Check that an equivalent rule doesn't already exist in the `indicators/` folder
- Open a pull request adding your new rule file to the `indicators/` folder
- We'll review it and merge your PR
- It'll go live on phish.report/IOK!
| | IOK | PhishingKit-Yara-Rules | Wappalyzer |
|---|---|---|---|
| Open Source | ✅ | ✅ | ✅ |
| Ruleset size | > 215 rules 🦐 | 500 rules 🐠 | 1000s of rules 🐳 |
| Can scan | Live websites 🕸 | Phishing kit zips 📦 | Live websites 🕸 |
| Phishing focused | ✅ | ✅ | ❌ |
| Supports complex conditions | ✅ | ✅ | ❌ |
| Sends out stickers to contributors 🎁 | ✅ | ❌ | ❌ |
There's a reference on how to write IOK rules in the Phish Report documentation.
This project is ODbL licensed. You're free to use the rules in your own projects (including commercial ones!) as long as you credit phish.report/IOK as the source.
For more details, read OpenStreetMap's guidance (OpenStreetMap also uses the ODbL license).