Kai Nakamura

62 code snips · on codesnips 3 months

Security Engineer and ethical hacker with 11+ years building secure software and hardening production systems. Expert in application security, secure authentication, cloud...

bash
#!/usr/bin/env bash
docker run --rm -t owasp/zap2docker-stable zap-baseline.py \
  -t https://preview.example.com \
  -r zap-report.html \
  -I

Web application DAST automation with OWASP ZAP baseline scans

dast zap ci
by Kai Nakamura 1 tab
plaintext
index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user | where count > 20
index=proxy "POST" url="*/oauth/token" | stats count by client_ip | where count > 100
index=endpoint process_name=powershell.exe command_line="*EncodedCommand*"

Threat hunting query ideas mapped to MITRE ATT and CK patterns

threat-hunting mitre-attck siem
by Kai Nakamura 1 tab
python
import requests

response = requests.get('https://crt.sh/', params={'q': '%.example.com', 'output': 'json'}, timeout=15)
response.raise_for_status()
certs = response.json()
print(certs[:5])

Certificate transparency checks for unexpected certificate issuance

certificate-transparency tls monitoring
by Kai Nakamura 1 tab
ruby
secret = ROTP::Base32.random
current_user.update!(otp_secret: secret)

totp = ROTP::TOTP.new(secret, issuer: 'CodeSnips')
provisioning_uri = totp.provisioning_uri(current_user.email)

TOTP based multi factor authentication for sensitive actions

mfa totp authentication
by Kai Nakamura 1 tab
json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",

S3 bucket policy that enforces TLS and blocks public reads

s3 aws tls
by Kai Nakamura 1 tab
json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],

Least privilege IAM policy for an application on AWS

aws iam least-privilege
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
set -euo pipefail

find / -perm -4000 -type f 2>/dev/null | sort
sudo -l
find /etc/systemd/system -type f -writable 2>/dev/null

Linux privilege escalation checks for suspicious local state

privilege-escalation linux auditing
by Kai Nakamura 1 tab
plaintext
http.response.code >= 400
tcp.analysis.retransmission
tls.alert_message
dns.flags.response == 1 && dns.a
ip.addr == 10.10.20.15 && tcp.port == 443

Wireshark display filters that speed up incident triage

wireshark packet-analysis incident-response
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
tcpdump -i eth0 host 10.10.20.15 -w suspect-host.pcap
tcpdump -i eth0 port 443 and host api.example.com
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'

tcpdump filters for fast packet capture during investigations

tcpdump packets incident-response
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
set -euo pipefail

OUT="/tmp/incident-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$OUT"

Forensic collection script for volatile host evidence

forensics incident-response linux
by Kai Nakamura 1 tab
plaintext
alert tcp $HOME_NET any -> $HOME_NET 445 (
  msg:"Possible SMB lateral movement enumeration";
  flow:to_server,established;
  content:"|FF|SMB"; depth:4;
  threshold:type both, track by_src, count 15, seconds 60;
  sid:1000001; rev:1;

Suricata IDS rule authoring for suspicious lateral movement

suricata ids detection
by Kai Nakamura 1 tab
plaintext
rule SuspiciousDownloader {
  strings:
    $a = "powershell -enc" nocase
    $b = "Invoke-WebRequest" nocase
    $c = "http://" nocase
  condition:

YARA rules for spotting suspicious binaries during triage

yara malware triage
by Kai Nakamura 1 tab