IOK
IOK (Indicator Of Kit) is an open source language and ruleset for detecting phishing threat actor tools and tactics
**[Indicator of Kit](https://phish.report) is an open source detection language for phishing site techniques, kits, and threat actors.** The project is written primarily in Go, is distributed under the Open Data Commons Open Database License v1.0 (ODbL), and was first published in 2022. Key topics: phishing, phishing-detection, phishing-kit, sigma-rules.
- Simple: based on Sigma, a simple detection rules language
- Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.
Use cases:
- Identify fingerprints of known threat actors
- Discover anti-analysis techniques
- Classify which specific phishing kit is in use on a page
- Identify deceptive websites dropping malicious software
- Discover APT infrastructure
- Detect malware C&C panels
Creating indicators
IOK indicators are written using Sigma. Each rule matches against the following fields collected from a scanned page:
| Field name | Type | Description |
|---|---|---|
| title | []string | The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains each one. |
| hostname | string | The hostname of the site |
| html | string | The contents of the page HTML (as returned by the server) |
| dom | string | The contents of the page HTML after loading (e.g. after JavaScript has executed) |
| js | []string | Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally) |
| css | []string | Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets) |
| cookies | []string | Cookies from the page. Each is in the form cookieName=value |
| headers | []string | Headers sent by the server. Each is in the form Header-Name: value |
| requests | []string | URLs of requests made by the page (and assets loaded by the page) |
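As an added illustration (not the project's own matcher), the following Go program evaluates a hypothetical Sigma-style selection against the fields listed above; the `Page` and `Selection` types, `ExampleRule`, and the sample page data are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Page maps an IOK field name (title, hostname, html, dom, js, css, cookies,
// headers, requests) to its values; scalar fields are stored as a one-element slice.
type Page map[string][]string
// Selection is one Sigma-style selection block: keys are "field|contains",
// values under a key are OR'd, and all keys must match (AND).
type Selection map[string][]string
// Match reports whether sel matches p. Only "contains" is implemented,
// case-insensitively as in Sigma; a field absent from p never matches.
func Match(sel Selection, p Page) bool {
	for key, patterns := range sel {
		field, modifier, _ := strings.Cut(key, "|")
		if modifier != "contains" {
			return false // other Sigma modifiers are out of scope here
		}
		hit := false
		for _, v := range p[field] {
			for _, pat := range patterns {
				if strings.Contains(strings.ToLower(v), strings.ToLower(pat)) {
					hit = true
				}
			}
		}
		if !hit {
			return false
		}
	}
	return true
}

// ExampleRule is a hypothetical selection in the shape of an IOK rule:
// HTML with a password field plus a request to a ".php" endpoint.
var ExampleRule = Selection{
	"html|contains":     {`type="password"`},
	"requests|contains": {".php"},
}

func main() {
	page := Page{ // constructed sample page data
		"html":     {`<form action="next.php"><input type="password"></form>`},
		"requests": {"https://login-example.test/next.php"},
	}
	fmt.Println("matches:", Match(ExampleRule, page)) // matches: true
}
```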
We are always looking for contributions: there are far more phishing kits and techniques than a single team can analyse!
To contribute a new rule:
- Try to make sure it doesn't already exist
- Open a pull request, adding your new file in the indicators/ folder
- We'll review it and merge your PR
- It'll go live on phish.report/IOK!
Comparison to similar projects
| | IOK | PhishingKit-Yara-Rules | Wappalyzer |
|---|---|---|---|
| Open Source | โ | โ | โ |
| Ruleset size | > 215 rules | 500 rules | 1000s of rules |
| Can scan | Live websites | Phishing kit zips | Live websites |
| Phishing focused | โ | โ | โ |
| Supports complex conditions | โ | โ | โ |
| Sends out stickers to contributors | โ | โ | โ |
Contributing
There's a reference on how to write IOK rules in the Phish Report documentation.
License
This project is ODbL licensed.
You're free to use the rules in your own projects (including commercial ones!) as long as you credit phish.report/IOK as the source.
For more details, read OpenStreetMap's guidance (who also use the ODbL license).