Indicator Of Kit


Open source detection rules for phishing site techniques, kits, and threat actors 🕵️

  • Simple: based on Sigma, a simple detection rules language 🚀
  • Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.

Use cases:

title: Fake Chrome error page
description: |
    The Chrome error page HTML is built into the browser: you should never see it in the response from a
    This is a clear sign that the site is employing cloaking/anti-analysis techniques.

            - '<body id="t" class="neterror" style="font-family: '
            - '<div id="main-frame-error" class="interstitial-wrapper" jstcache="0">'
    condition: chromeHTMLFragments


title: coinbase-page-title
description: |
    Sites with the same page title as Coinbase but not hosted on
level: potentially_malicious
detection:
    coinbaseTitle:
        title:
            - "Coinbase – Buy & Sell Bitcoin, Ethereum, and more with trust"
            - "Coinbase - Sign In"
    realDomain:
        hostname:
            -
    condition: coinbaseTitle and not realDomain
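To make the two rules above concrete, here is a small evaluator written for this page that applies IOK-style rules to a captured page; it is an added example, not the IOK project's own matcher. Assumptions it makes: the Chrome-error rule's fragments live under a field named `html` (the field name is not visible in the page's truncated YAML), `html` is matched as a substring while `title` and `hostname` are matched exactly, the `realDomain` hostname list is filled with a constructed placeholder (`coinbase.example`) because the page's list is empty, and the sample pages are constructed. Rules are written as Python dicts mirroring the YAML so the example runs without a YAML library.

```python
"""Minimal evaluator for IOK-style (Sigma-flavoured) phishing-site rules.

Constructed example: the rule dicts mirror the YAML rules on the page.
The `html` field name, the matching semantics and the sample pages are
assumptions made for this example, not data from the project.
"""
from dataclasses import dataclass

# Rule 1, as on the page. The field name `html` is an assumption.
FAKE_CHROME_ERROR = {
    "title": "Fake Chrome error page",
    "detection": {
        "chromeHTMLFragments": {
            "html": [
                '<body id="t" class="neterror" style="font-family: ',
                '<div id="main-frame-error" class="interstitial-wrapper" jstcache="0">',
            ],
        },
        "condition": "chromeHTMLFragments",
    },
}

# Rule 2, as on the page. The hostname list is a constructed placeholder
# because the page's YAML leaves it empty.
COINBASE_PAGE_TITLE = {
    "title": "coinbase-page-title",
    "level": "potentially_malicious",
    "detection": {
        "coinbaseTitle": {
            "title": [
                "Coinbase – Buy & Sell Bitcoin, Ethereum, and more with trust",
                "Coinbase - Sign In",
            ],
        },
        "realDomain": {"hostname": ["coinbase.example"]},  # placeholder
        "condition": "coinbaseTitle and not realDomain",
    },
}


@dataclass
class Page:
    """A captured HTTP response: hostname it was served from, <title>, body."""
    hostname: str
    title: str = ""
    html: str = ""


def selection_matches(selection, page):
    """Sigma semantics: all fields in a selection must match (AND); a field
    matches if any of its listed values matches (OR). `html` is a substring
    match, other fields are exact (assumed semantics)."""
    for fld, values in selection.items():
        observed = getattr(page, fld, None)
        if observed is None:
            return False
        if fld == "html":
            ok = any(v in observed for v in values)
        else:
            ok = any(observed == v for v in values)
        if not ok:
            return False
    return True


def evaluate_condition(cond, results):
    """Evaluate a Sigma condition (`and`, `or`, `not`, parentheses) against
    a dict of selection-name -> bool, using a tiny recursive-descent parser
    so no untrusted string is ever passed to eval()."""
    tokens = cond.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        nonlocal pos
        left = parse_and()
        while peek() == "or":
            pos += 1
            right = parse_and()
            left = left or right
        return left

    def parse_and():
        nonlocal pos
        left = parse_not()
        while peek() == "and":
            pos += 1
            right = parse_not()
            left = left and right
        return left

    def parse_not():
        nonlocal pos
        if peek() == "not":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of condition")
        pos += 1
        if tok == "(":
            val = parse_or()
            if peek() != ")":
                raise ValueError("missing closing parenthesis")
            pos += 1
            return val
        if tok not in results:
            raise ValueError(f"unknown selection {tok!r}")
        return results[tok]

    val = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return val


def rule_matches(rule, page):
    detection = rule["detection"]
    results = {name: selection_matches(sel, page)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


def scan(page, rules=(FAKE_CHROME_ERROR, COINBASE_PAGE_TITLE)):
    """Return the titles of all rules that fire on the page."""
    return [r["title"] for r in rules if rule_matches(r, page)]


# Constructed sample captures: a look-alike login page, a cloaked site that
# serves a fake Chrome error to scanners, and the (placeholder) real site.
PHISH = Page(hostname="login-verify.example", title="Coinbase - Sign In",
             html="<html><head><title>Coinbase - Sign In</title></head></html>")
CLOAKED = Page(hostname="cdn-assets.example",
               html='<body id="t" class="neterror" style="font-family: sans">')
LEGIT = Page(hostname="coinbase.example", title="Coinbase - Sign In",
             html="<html><head><title>Coinbase - Sign In</title></head></html>")

if __name__ == "__main__":
    for p in (PHISH, CLOAKED, LEGIT):
        print(p.hostname, "->", scan(p))
```

The `realDomain` exclusion is what keeps the title rule from firing on the genuine site, which is why an allow-listed hostname selection is combined with `not` rather than the title check standing alone; the condition parser rejects unknown selection names so a typo in a rule fails loudly instead of silently never matching.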

Rule matches