Indicator Of Kit

Open source detection rules for phishing site techniques, kits, and threat actors 🕵️

Simple: based on Sigma, a simple detection rules language 🚀
Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.

Use cases:

title: Fake Chrome error page
description: |
    The Chrome error page HTML is built into the browser: you should never see it in the response from a
    website.
    This is a clear sign that the site is employing cloaking/anti-analysis techniques.
references:
    - https://twitter.com/phish_report/status/1537825544343011328

detection:
    chromeHTMLFragments:
        html|contains|all:
            - '<body id="t" class="neterror" style="font-family: '
            - '<div id="main-frame-error" class="interstitial-wrapper" jstcache="0">'
    condition: chromeHTMLFragments

Analyse a urlscan.io result

Recent matches

hex-encoded-body

hxxps://employmentopportunities2-dot-msfiles24explorer[.]uk[.]r[...

urlscan.io
recaptcha

hxxp://wacochamber[.]com/

urlscan.io
formsubmit-co

hxxp://sync-protocol[.]tech/

urlscan.io
mark-of-the-web

hxxps://improved-protec-users231234[.]click/

urlscan.io
santander-d639dea

hxxps://santander-online-check[.]com/

urlscan.io
microsoft-tech-support-0589be7

hxxps://wiwiiwuuuu98797u[.]z13[.]web[.]core[.]windows[.]net/

urlscan.io
usps-9514901

hxxps://scnv[.]io/ZoW3

urlscan.io
savepage-we

hxxps://onlineseedsbank[.]com/wp-admin/css/myGov1.html

urlscan.io
webscrapbook-cloner

hxxps://hilfe-volksbank-de[.]net/

urlscan.io
webflow-website-creator

hxxp://www[.]thebush-foundation[.]org/aberdeen-area-diversity-co...

urlscan.io