Open source detection rules for phishing site techniques, kits, and threat actors
- Simple: based on Sigma, a simple detection rules language
- Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.
Use cases:
- Identify fingerprints of known threat actors
- Discover anti-analysis techniques
- Classify which specific phishing kit is in use on a page
- Identify deceptive websites dropping malicious software
- Discover APT infrastructure
IOK indicators are written using Sigma. Rules match against the following fields of a scanned page:
Field name | Type | Description |
---|---|---|
html | string | The contents of the page HTML (as returned by the server) |
js | []string | Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally) |
css | []string | Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets) |
cookies | []string | Cookies from the page. Each is in the form cookieName=value |
headers | []string | Headers sent by the server. Each is in the form Header-Name: value |
requests | []string | URLs of requests made by the page (and assets loaded by the page) |
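As an added example (not IOK's own code), here is a small Python evaluator that applies a Sigma-style rule to a constructed page capture using the field names above. The rule, the "kit" it describes and the page contents are all made up; the evaluator assumes Sigma's layout (named selections, `field|modifier` keys, a `condition` string) and supports only the `contains`, `startswith` and `endswith` modifiers plus a flat `not`/`and`/`or` condition.

```python
# Constructed page capture; every string here is made up for the example.
PAGE = {
    "html": "<html><title>Sign in</title><form id='login'></form></html>",
    "js": ["if(navigator.webdriver){location.replace('about:blank')}",
           "document.title='Sign in';"],
    "css": [],
    "cookies": ["PHPSESSID=abc123"],
    "headers": ["Server: Apache", "X-Powered-By: PHP/7.4"],
    "requests": ["https://example.invalid/assets/login.css"],
}

# Hypothetical rule in Sigma layout: keys inside one selection are ANDed, a
# 'field|modifier' key uses a Sigma value modifier, and the condition joins
# selections with not/and/or (not binds tightest, then and, then or).
RULE = {
    "detection": {
        "anti_analysis": {"js|contains": "navigator.webdriver"},
        "php_backend": {"headers|contains": "X-Powered-By: PHP"},
        "static_page": {"requests|endswith": ".html"},
        "condition": "anti_analysis and php_backend and not static_page",
    },
}

def _value_matches(value, needle, modifier):
    if modifier == "contains":
        return needle in value
    if modifier == "startswith":
        return value.startswith(needle)
    if modifier == "endswith":
        return value.endswith(needle)
    return value == needle  # no modifier means exact match

def selection_matches(page, selection):
    """Every key must match; a list of needles for one key matches if any does."""
    for key, needles in selection.items():
        field, _, modifier = key.partition("|")
        values = page.get(field, [])
        values = [values] if isinstance(values, str) else values  # html is a plain string
        needles = needles if isinstance(needles, list) else [needles]
        if not any(_value_matches(v, n, modifier) for v in values for n in needles):
            return False
    return True

def rule_matches(page, rule):
    det = rule["detection"]
    results = {n: selection_matches(page, s) for n, s in det.items() if n != "condition"}
    def term(t):
        t = t.strip()
        return not results[t[4:]] if t.startswith("not ") else results[t]
    return any(all(term(t) for t in clause.split(" and "))
               for clause in det["condition"].split(" or "))
```

`rule_matches(PAGE, RULE)` returns `True` for the constructed page because the JavaScript contains the headless-browser check, a header reveals PHP, and no request ends in `.html`.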
We are always looking for contributions; there are far more phishing kits and techniques than a single team can analyse!
To contribute a new rule:
- Try to make sure it doesn't already exist
- Open a pull request, adding your new file in the `indicators/` folder
- We'll review it and merge your PR
- It'll go live on phish.report/IOK!
 | IOK | PhishingKit-Yara-Rules | Wappalyzer |
---|---|---|---|
Open Source | β | β | β |
Ruleset size | > 190 rules | > 450 rules | 1000s of rules |
Can scan | Live websites | Phishing kit zips | Live websites |
Phishing focused | β | β | β |
Supports complex conditions | β | β | β |
Sends out stickers to contributors | β | β | β |
Documentation on how to write a rule is coming soon...
This project is ODbL licensed. You're free to use the rules in your own projects (including commercial ones!) as long as you credit phish.report/IOK as the source.
For more details, read OpenStreetMap's guidance (OpenStreetMap also uses the ODbL license).