Security Engineer and ethical hacker with 11+ years building secure software and hardening production systems. Expert in application security, secure authentication, cloud...
#!/usr/bin/env bash
docker run --rm -t owasp/zap2docker-stable zap-baseline.py \
-t https://preview.example.com \
-r zap-report.html \
-I
index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user | where count > 20
index=proxy "POST" url="*/oauth/token" | stats count by client_ip | where count > 100
index=endpoint process_name=powershell.exe command_line="*EncodedCommand*"
import requests
response = requests.get('https://crt.sh/', params={'q': '%.example.com', 'output': 'json'}, timeout=15)
response.raise_for_status()
certs = response.json()
print(certs[:5])
secret = ROTP::Base32.random
current_user.update!(otp_secret: secret)
totp = ROTP::TOTP.new(secret, issuer: 'CodeSnips')
provisioning_uri = totp.provisioning_uri(current_user.email)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyInsecureTransport",
"Effect": "Deny",
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
#!/usr/bin/env bash
set -euo pipefail
find / -perm -4000 -type f 2>/dev/null | sort
sudo -l
find /etc/systemd/system -type f -writable 2>/dev/null
http.response.code >= 400
tcp.analysis.retransmission
tls.alert_message
dns.flags.response == 1 && dns.a
ip.addr == 10.10.20.15 && tcp.port == 443
#!/usr/bin/env bash
tcpdump -i eth0 host 10.10.20.15 -w suspect-host.pcap
tcpdump -i eth0 port 443 and host api.example.com
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'
#!/usr/bin/env bash
set -euo pipefail
OUT="/tmp/incident-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$OUT"
alert tcp $HOME_NET any -> $HOME_NET 445 (
msg:"Possible SMB lateral movement enumeration";
flow:to_server,established;
content:"|FF|SMB"; depth:4;
threshold:type both, track by_src, count 15, seconds 60;
sid:1000001; rev:1;
rule SuspiciousDownloader {
strings:
$a = "powershell -enc" nocase
$b = "Invoke-WebRequest" nocase
$c = "http://" nocase
condition: