Skip to content

IOK (Indicator Of Kit) is an open source language and ruleset for detecting phishing threat actor tools and tactics

License

Notifications You must be signed in to change notification settings

phish-report/IOK

Repository files navigation

IOK logo

View detections on phish.report 🐟


Screenshot of one of the IOK indicator rules

Indicator of Kit is an open source detection language for phishing site techniques, kits, and threat actors 🕵️

  • Simple: based on Sigma, a simple detection rules language 🚀
  • Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.

Use cases:

📝 Creating indicators

IOK indicators are written using Sigma

Field name Type Description
title []string The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains each one.
hostname string The hostname of the site
html string The contents of the page HTML (as returned by the server)
dom string The contents of the page HTML after loading (e.g. after javascript has executed)
js []string Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally)
css []string Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets)
cookies []string Cookies from the page. Each is in the form cookieName=value
headers []string Headers sent by the server. Each is in the form Header-Name: value
requests []string URLs of requests made by the page (and assets loaded by the page)

We are always looking for contributions: there's far more phishing kits and techniques than a single team can analyse!

To contribute a new rule:

  1. Try to make sure it doesn't already exist
  2. Open a pull request, adding your new file in the indicators/ folder
  3. We'll review it and merge your PR
  4. It'll go live on phish.report/IOK!

💭 Comparison to similar projects

IOK PhishingKit-Yara-Rules Wappalyzer
Open Source
Ruleset size > 215 Rules 🦐 500 rules 🐠 1000s of rules 🐳
Can scan Live websites 🕸 Phishing kit zips 📦 Live websites 🕸
Phishing focused
Supports complex conditions
Sends out stickers to contributors 🎁

🤝 Contributing

There's a reference on how to write IOK rules in the Phish Report documentation.

📝 License

This project is ODbL licensed. You're free to use the rules in your own projects (including commercial ones!) as long as you credit phish.report/IOK as the source.

For more details, read OpenStreetMap's guidance (who also use the ODbL license).

About

IOK (Indicator Of Kit) is an open source language and ruleset for detecting phishing threat actor tools and tactics

Topics

Resources

License

Stars

Watchers

Forks

Languages