Merge branch 'main' into steam-phish

README.md

@@ -36,17 +36,17 @@ align="right"
 
 IOK indicators are written using [Sigma](https://github.com/SigmaHQ/sigma)
 
-| Field name |   Type   | Description                                                                                          |
-|:----------:|:--------:|------------------------------------------------------------------------------------------------------|
-|   title    |  string  | The title of the site as shown in a browser                                                          |
-|  hostname  |  string  | The hostname of the site                                                                             |
-|    html    |  string  | The contents of the page HTML (as returned by the server)                                            |
-|    dom     |  string  | The contents of the page HTML after loading (e.g. after javascript has executed)                     |
-|     js     | []string | Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally)  |
-|    css     | []string | Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets) |
-|  cookies   | []string | Cookies from the page. Each is in the form `cookieName=value`                                        |
-|  headers   | []string | Headers sent by the server. Each is in the form `Header-Name: value`                                 |
-|  requests  | []string | URLs of requests made by the page (and assets loaded by the page)                                    |
+| Field name |   Type   | Description                                                                                                           |
+|:----------:|:--------:|-----------------------------------------------------------------------------------------------------------------------|
+|   title    | []string | The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains each one. |
+|  hostname  |  string  | The hostname of the site                                                                                              |
+|    html    |  string  | The contents of the page HTML (as returned by the server)                                                             |
+|    dom     |  string  | The contents of the page HTML after loading (e.g. after javascript has executed)                                      |
+|     js     | []string | Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally)                   |
+|    css     | []string | Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets)                  |
+|  cookies   | []string | Cookies from the page. Each is in the form `cookieName=value`                                                         |
+|  headers   | []string | Headers sent by the server. Each is in the form `Header-Name: value`                                                  |
+|  requests  | []string | URLs of requests made by the page (and assets loaded by the page)                                                     |
 
 We are always looking for contributions: there's far more phishing kits and techniques than a single team can analyse!
 

go.mod

@@ -4,8 +4,10 @@ go 1.17
 
 require (
 	github.com/bradleyjkemp/cupaloy/v2 v2.6.0
-	github.com/bradleyjkemp/sigma-go v0.6.1
+	github.com/bradleyjkemp/sigma-go v0.6.4
 	golang.org/x/net v0.7.0
+	golang.org/x/sync v0.3.0
+	phish.report/urlscanio-go v0.0.0-20230915155435-2677d74fc8a2
 )
 
 require (

go.sum

@@ -8,8 +8,8 @@ github.com/alecthomas/participle v0.7.1/go.mod h1:HfdmEuwvr12HXQN44HPWXR0lHmVolV
 github.com/alecthomas/repr v0.0.0-20181024024818-d37bc2a10ba1/go.mod h1:xTS7Pm1pD1mvyM075QCDSRqH6qRLXylzS24ZTpRiSzQ=
 github.com/bradleyjkemp/cupaloy/v2 v2.6.0 h1:knToPYa2xtfg42U3I6punFEjaGFKWQRXJwj0JTv4mTs=
 github.com/bradleyjkemp/cupaloy/v2 v2.6.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
-github.com/bradleyjkemp/sigma-go v0.6.1 h1:Pcorn3yOSACgcD8U7f8mss+ZIBgeVpi+09pB0jz3zHA=
-github.com/bradleyjkemp/sigma-go v0.6.1/go.mod h1:E0zOiUWS9/tvbSj6hsA9PXtplKygYTJ7hxgvWUcjJmE=
+github.com/bradleyjkemp/sigma-go v0.6.4 h1:J6Sqwbgv7wsEuP7xbsG8dvTrTc9lhkf5BvYF+gO9vzc=
+github.com/bradleyjkemp/sigma-go v0.6.4/go.mod h1:fHCN8y8cC1l5CYY7oOhPIznHmj/yeGxUvU+vAV7alr4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -33,6 +33,8 @@ golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -56,3 +58,7 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+phish.report/urlscanio-go v0.0.0-20230905142413-ecc6ecfca602 h1:cpBOU2BjQ1amcY5yALjLfsd4ODpA6ckcSwJKH75Ou9A=
+phish.report/urlscanio-go v0.0.0-20230905142413-ecc6ecfca602/go.mod h1:pJPFc89ctVOCv3nhtbb8cPOOjcVDJmCRz7R2O1Z8cQY=
+phish.report/urlscanio-go v0.0.0-20230915155435-2677d74fc8a2 h1:Pf9Z3H+o20DiHIB3n94vXQBttBzDclmujSbTI9Zj6TA=
+phish.report/urlscanio-go v0.0.0-20230915155435-2677d74fc8a2/go.mod h1:pJPFc89ctVOCv3nhtbb8cPOOjcVDJmCRz7R2O1Z8cQY=

indicators/ETC-e623c655.yml

@@ -0,0 +1,20 @@
+title: ETC Phishing Kit e623c655
+description: |
+    Detects an ETC phishing targeting Japanese users.(etc-meisai.jp)
+
+references:
+    - https://urlscan.io/result/e623c655-a8f4-470d-9e83-be7bd8c201c6
+    - https://urlscan.io/result/e33beca0-d6d7-4bfd-8a57-3818d079d504
+    - https://urlscan.io/result/516e7e00-2ddb-4036-b44c-33456e3e195a
+
+detection:
+    ETCTitle:
+        title: 'ＥＴＣ利用照会サービス'
+    pagePHP:
+        requests|contains: 'funccode.php'
+
+    condition: ETCTitle and pagePHP
+
+tags:
+  - target.etc_meisai
+  - target_country.japan

indicators/saison-b85570be.yml

@@ -0,0 +1,23 @@
+title: SAISON Card Phishing Kit b85570be
+description: |
+    Detects a SAISON Card phishing kit targeting Japanese users.
+references:
+  - https://urlscan.io/result/b85570be-adc3-45f8-83ee-9a4a46737f89
+  - https://urlscan.io/result/4332baf6-7b01-49e9-9d88-b7dcb9ad5a33
+  - https://urlscan.io/result/7ddc9c4a-2a7d-403d-9743-82cb62f0eb02
+
+detection:
+    FormContains: 
+        html|contains: 
+            - 'name="loginForm" id="loginForm" method="post" action="USA0201UIP01SCR.do.php"'
+    TokenContains: 
+        html|contains: 
+            - 'type="hidden" name="_csrf" value="a9410f4f-e742-47a4-bcb4-78b655267747"'
+    pagePHP:
+        requests|contains: 'auth.php'
+
+    condition: FormContains and TokenContains and pagePHP
+
+tags:
+  - target.saison_card
+  - target_country.japan

indicators/smbc-acab82b5.yml

@@ -0,0 +1,24 @@
+title: SMBC Phishing Kit acab82b5
+description: |
+    Detects a SMBC phishing kit targeting Japanese users.
+
+references:
+  - https://urlscan.io/result/acab82b5-6182-4cab-96b1-7e2af19b668b
+  - https://urlscan.io/result/a8a41bab-97ed-43d8-85d8-d760161ab317
+  - https://urlscan.io/result/607f6acb-1301-4ca5-9e33-0e0ca5b7c359
+  - https://urlscan.io/result/6c29c34f-1dac-433c-b2d9-005bd8db3ee1
+
+detection:
+    FormContains: 
+        html|contains: 
+            - 'method="post" id="tijiao" action="1.php"'
+
+    iframeContains: 
+        html|contains: 
+            - 'id="aMpc0Wu2zFxeefIt" style="display: none;"'
+
+    condition: FormContains and iframeContains
+
+tags:
+  - target.smbc
+  - target_country.japan

iok.go

@@ -21,7 +21,7 @@ var config []byte
 var evaluators []*evaluator.RuleEvaluator
 
 type Input struct {
-	Title    string   // Title is the title of the page as it would be shown in a browser
+	Title    []string // Title is the title of the page as it would be shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains each one.
 	Hostname string   // Hostname is the hostname that the page was served from
 	DOM      string   // DOM contains the HTML contents of the primary page *after* it has loaded
 	HTML     string   // HTML contains the HTML response of the primary page
@@ -54,7 +54,7 @@ func GetMatchesForRules(input Input, rules []*evaluator.RuleEvaluator) ([]sigma.
 
 func convertInput(input Input) evaluator.Event {
 	return map[string]interface{}{
-		"title":    input.Title,
+		"title":    toInterfaceSlice(input.Title),
 		"hostname": input.Hostname,
 		"dom":      input.DOM,
 		"html":     input.HTML,
@@ -90,7 +90,7 @@ func ParseRule(path string, contents []byte) (*evaluator.RuleEvaluator, error) {
 		rule.ID, _, _ = strings.Cut(filepath.Base(path), ".")
 	}
 
-	return evaluator.ForRule(rule, evaluator.WithConfig(config)), nil
+	return evaluator.ForRule(rule, evaluator.WithConfig(config), evaluator.CaseSensitive), nil
 }
 
 func init() {

logsource.yml

@@ -3,6 +3,7 @@ backends:
   - github.com/bradleyjkemp/sigma-go
 
 fieldmappings:
+  title: $.title[*]
   js: $.js[*]
   css: $.css[*]
   cookies: $.cookies[*]