Open source detection rules for phishing site techniques, kits, and threat actors 🕵️
- Simple: based on Sigma, a simple detection rules language 🚀
- Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.
Use cases:
- Identify fingerprints of known threat actors
- Discover anti-analysis techniques
- Classify which specific phishing kit is in use on a page
- Identify deceptive websites dropping malicious software
- Discover APT infrastructure
IOK indicators are written using Sigma and match against the following page fields:
| Field name | Type | Description |
|---|---|---|
| html | string | The contents of the page HTML (as returned by the server) |
| js | []string | Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally) |
| css | []string | Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets) |
| cookies | []string | Cookies from the page. Each is in the form cookieName=value |
| headers | []string | Headers sent by the server. Each is in the form Header-Name: value |
| requests | []string | URLs of requests made by the page (and assets loaded by the page) |
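To show how a Sigma-style rule is evaluated over these fields, here is an added example (not IOK's own matching engine): a minimal evaluator that supports a subset of Sigma (named selections, the `contains`/`startswith`/`endswith` modifiers, and `and`/`or`/`not` conditions). The page capture, the rule and the "ExampleKit" name are all constructed for illustration.

```python
import re
# Constructed page capture, shaped like the field table above (not real data).
PAGE = {
    "html": "<html><title>Sign in</title><form action='/post.php'></form></html>",
    "js": ["document.oncontextmenu=function(){return false;}", "var x=1;"],
    "cookies": ["PHPSESSID=0123456789abcdef"],
    "headers": ["Server: nginx", "X-Powered-By: PHP/7.4"],
    "requests": ["https://example.invalid/post.php", "https://example.invalid/logo.png"],
}

# Constructed rule in Sigma's detection/selection/condition layout (hypothetical kit).
RULE = {
    "title": "ExampleKit fingerprint (hypothetical)",
    "detection": {
        "selection": {
            "js|contains": "oncontextmenu",           # anti-analysis: right-click disabled
            "headers|startswith": "X-Powered-By: PHP",
            "requests|endswith": "/post.php",
        },
        "filter": {"html|contains": "legitimate-bank.example"},  # constructed allow-list
        "condition": "selection and not filter",
    },
}

# Sigma value modifiers supported here; a bare field name means exact match.
MODIFIERS = {
    "": lambda v, p: v == p,
    "contains": lambda v, p: p in v,
    "startswith": lambda v, p: v.startswith(p),
    "endswith": lambda v, p: v.endswith(p),
}

def field_matches(page, key, pattern):
    # One 'field|modifier: pattern' entry; list fields and list patterns match on any element.
    field, _, mod = key.partition("|")
    values = page.get(field, [])
    values = [values] if isinstance(values, str) else values
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(MODIFIERS[mod](v, p) for v in values for p in patterns)

def evaluate(rule, page):
    # Each named selection is the AND of its entries; the condition combines
    # names with and/or/not. Only whitelisted tokens reach eval, builtins disabled.
    det = rule["detection"]
    results = {name: all(field_matches(page, k, p) for k, p in sel.items())
               for name, sel in det.items() if name != "condition"}
    tokens = re.findall(r"\w+|[()]", det["condition"])
    unknown = [t for t in tokens if t not in results and t not in ("and", "or", "not", "(", ")")]
    if unknown:
        raise ValueError(f"unsupported condition token(s): {unknown}")
    return bool(eval(det["condition"], {"__builtins__": {}}, dict(results)))
```

`evaluate(RULE, PAGE)` returns `True` for the constructed page; removing the `X-Powered-By` header or adding the filter's domain to the HTML makes it return `False`.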
We are always looking for contributions: there are far more phishing kits and techniques than a single team can analyse!
To contribute a new rule:
- Try to make sure it doesn't already exist
- Open a pull request, adding your new file in the indicators/ folder
- We'll review it and merge your PR
- It'll go live on phish.report/IOK!
| | IOK | PhishingKit-Yara-Rules | Wappalyzer |
|---|---|---|---|
| Open Source | ✅ | ✅ | ✅ |
| Ruleset size | > 190 Rules 🦐 | > 450 rules 🐠 | 1000s of rules 🐳 |
| Can scan | Live websites 🕸 | Phishing kit zips 📦 | Live websites 🕸 |
| Phishing focused | ✅ | ✅ | ❌ |
| Supports complex conditions | ✅ | ✅ | ❌ |
| Sends out stickers to contributors 🎁 | ✅ | ❌ | ❌ |
Documentation on how to write a rule is coming soon...
This project is ODbL licensed. You're free to use the rules in your own projects (including commercial ones!) as long as you credit phish.report/IOK as the source.
For more details, read OpenStreetMap's guidance (OpenStreetMap also uses the ODbL license).