Indicator Of Kit


Open source detection rules for phishing site techniques, kits, and threat actors 🕵️

  • Simple: based on Sigma, a simple detection rules language 🚀
  • Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.

Use cases:

title: Fake Chrome error page
description: |
    The Chrome error page HTML is built into the browser: you should never see it in the response from a
    website.
    This is a clear sign that the site is employing cloaking/anti-analysis techniques.
references:
    - https://twitter.com/phish_report/status/1537825544343011328

detection:
    chromeHTMLFragments:
        html|contains|all:
            - '<body id="t" class="neterror" style="font-family: '
            - '<div id="main-frame-error" class="interstitial-wrapper" jstcache="0">'
    condition: chromeHTMLFragments

Example

title: coinbase-page-title
description: |
    Sites with the same page title as Coinbase but not hosted on coinbase.com
level: potentially_malicious
detection:
    coinbaseTitle:
        title:
            - "Coinbase – Buy & Sell Bitcoin, Ethereum, and more with trust"
            - "Coinbase - Sign In"
    realDomain:
        hostname:
            - coinbase.com
    condition: coinbaseTitle and not realDomain
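To make the matching semantics of the two rules above concrete, here is a small evaluator added to this page as an example. It is not the IOK project's own rule engine: it supports only what these rules use (a field name with optional `contains` and `all` modifiers, named selections, and a `condition` built from `and`, `or`, `not` and parentheses), it treats string matches as case-sensitive (a simplification), and the rules are written out as the dicts a YAML loader would produce. The page snapshots it runs against (`hostname`, `title`, `html`) are constructed for the example.

```python
# Added example: a minimal evaluator for IOK-style (Sigma-derived) rules.
# Not the IOK project's engine. Matching is exact/case-sensitive here, a
# simplification; check the real engine for its actual semantics.
import re

# Parsed form of the two rules on this page (hand-written, as a YAML loader would produce).
FAKE_CHROME_ERROR = {
    "title": "Fake Chrome error page",
    "detection": {
        "chromeHTMLFragments": {
            "html|contains|all": [
                '<body id="t" class="neterror" style="font-family: ',
                '<div id="main-frame-error" class="interstitial-wrapper" jstcache="0">',
            ],
        },
        "condition": "chromeHTMLFragments",
    },
}
COINBASE_TITLE = {
    "title": "coinbase-page-title",
    "detection": {
        "coinbaseTitle": {
            "title": [
                "Coinbase – Buy & Sell Bitcoin, Ethereum, and more with trust",
                "Coinbase - Sign In",
            ],
        },
        "realDomain": {"hostname": ["coinbase.com"]},
        "condition": "coinbaseTitle and not realDomain",
    },
}
RULES = [FAKE_CHROME_ERROR, COINBASE_TITLE]


def _field_matches(value, spec, patterns):
    """Apply one 'field|modifier|modifier' entry to a page field value.

    No modifier: exact equality. 'contains': substring. Patterns are OR'ed
    unless the 'all' modifier is present, in which case every pattern must hit."""
    _name, *mods = spec.split("|")
    if isinstance(patterns, str):
        patterns = [patterns]
    if "contains" in mods:
        hits = [p in value for p in patterns]
    else:
        hits = [p == value for p in patterns]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(selection, page):
    """A selection is a map of field specs; all of them must match (AND)."""
    for spec, patterns in selection.items():
        value = page.get(spec.split("|")[0])
        if value is None or not _field_matches(value, spec, patterns):
            return False
    return True


def eval_condition(cond, results):
    """Evaluate a Sigma-style condition over already-computed selection results.
    Precedence (tightest first): not, and, or; parentheses group."""
    tokens = re.findall(r"\(|\)|\w+", cond)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        nonlocal pos
        v = parse_and()
        while peek() == "or":
            pos += 1
            r = parse_and()  # parse the right side even if v is already True
            v = v or r
        return v

    def parse_and():
        nonlocal pos
        v = parse_not()
        while peek() == "and":
            pos += 1
            r = parse_not()
            v = v and r
        return v

    def parse_not():
        nonlocal pos
        if peek() == "not":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        tok = peek()
        if tok == "(":
            pos += 1
            v = parse_or()
            if peek() != ")":
                raise ValueError("missing ')' in condition: %r" % cond)
            pos += 1
            return v
        if tok is None or tok in ("and", "or", "not", ")"):
            raise ValueError("unexpected token %r in condition: %r" % (tok, cond))
        if tok not in results:
            raise ValueError("condition references unknown selection %r" % tok)
        pos += 1
        return results[tok]

    v = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition: %r" % cond)
    return v


def evaluate(rule, page):
    det = rule["detection"]
    results = {k: selection_matches(v, page) for k, v in det.items() if k != "condition"}
    return eval_condition(det["condition"], results)


def run_rules(rules, page):
    """Titles of every rule that fires on the page snapshot."""
    return [r["title"] for r in rules if evaluate(r, page)]


# Constructed page snapshots (not real captures).
_FRAGS = FAKE_CHROME_ERROR["detection"]["chromeHTMLFragments"]["html|contains|all"]
CLOAKED_PAGE = {  # cloaking site replaying Chrome's built-in error page to an analyst
    "hostname": "secure-login.example",
    "title": "secure-login.example",
    "html": "<html><body>" + _FRAGS[0] + 'Roboto">' + _FRAGS[1] + "</div></body></html>",
}
LOOKALIKE_PAGE = {  # Coinbase title on a domain that is not coinbase.com
    "hostname": "coinbase-verify.example",
    "title": "Coinbase - Sign In",
    "html": "<html><title>Coinbase - Sign In</title><form></form></html>",
}
REAL_PAGE = {"hostname": "coinbase.com", "title": "Coinbase - Sign In", "html": "<html></html>"}
HALF_PAGE = {"hostname": "other.example", "title": "x", "html": _FRAGS[0]}  # only one fragment

if __name__ == "__main__":
    for name, page in [("cloaked", CLOAKED_PAGE), ("lookalike", LOOKALIKE_PAGE),
                       ("real", REAL_PAGE), ("half", HALF_PAGE)]:
        print(name, run_rules(RULES, page))
```

Two things worth noticing when you run it: `HALF_PAGE` contains one of the two Chrome fragments and does not fire, which is exactly what the `all` modifier buys you over a plain `contains`; and because `hostname` is compared exactly, a snapshot of `www.coinbase.com` would fire the Coinbase rule under this toy engine, so how the real engine compares hostnames (exact versus suffix) is something to confirm before trusting a `not realDomain` exclusion.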

Rule matches