Educational code samples demonstrating common MITRE ATT&CK techniques and defensive measures. These samples are designed for security awareness training and show both vulnerable code patterns and secure implementations.
These samples are for educational purposes only. They demonstrate security vulnerabilities and attack techniques to help developers understand threats and build better defenses. Do not use vulnerable code examples in production systems.
MITRE ATT&CK Technique: T1110.004 - Credential Stuffing
Demonstrates detection and prevention of credential stuffing attacks where attackers use leaked username/password pairs to gain unauthorized access.
Key Features:
- Rate limiting per IP and per account
- Detection of automation patterns
- Account lockout and IP blocking
- Anomaly detection based on behavioral patterns
Run:
```bash
python3 credential_stuffing_detection.py
```

MITRE ATT&CK Technique: T1059 - Command and Scripting Interpreter
Shows both vulnerable and secure implementations of command execution. Demonstrates how command injection works and how to prevent it.
Key Features:
- Vulnerable code using `os.system()` and `shell=True`
- Secure code using subprocess with argument lists
- Input validation and allowlisting
- Attack simulation and defense demonstration
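The contrast between the two implementations, as an added example (not the repository's `command_injection.py`): a deliberately vulnerable string-concatenation call next to a secure version that allowlists the file name and passes it as a single argv element. The `SAFE_NAME` regex, the `ls -l` command and the `base_dir` parameter are assumptions made for the illustration.

```python
import os
import re
import subprocess

# Allowlist for a user-supplied file name: starts with a letter or digit,
# then only letters, digits, dot, underscore or hyphen. No slashes, spaces
# or shell metacharacters can get through, so there is nothing to "escape".
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_file_info(user_input: str) -> int:
    """Deliberately vulnerable pattern: the string is concatenated into a
    shell command, so ';', '&&', '|' or '$(...)' inside user_input are parsed
    by /bin/sh as additional commands. Shown for contrast only; never call it."""
    return os.system("ls -l " + user_input)


def validate_file_name(user_input: str) -> str:
    """Allowlist validation: reject anything that does not match, instead of
    trying to strip 'bad' characters (denylists are always incomplete)."""
    if not SAFE_NAME.fullmatch(user_input):
        raise ValueError(f"rejected file name: {user_input!r}")
    return user_input


def build_argv(user_input: str, base_dir: str) -> list:
    """The validated name becomes exactly one argv element. Because no shell
    is involved, metacharacters cannot split it into further commands."""
    name = validate_file_name(user_input)
    return ["ls", "-l", "--", os.path.join(base_dir, name)]


def secure_file_info(user_input: str, base_dir: str = ".") -> str:
    """Secure implementation: argument list, shell=False (the default)."""
    result = subprocess.run(
        build_argv(user_input, base_dir),
        shell=False,
        capture_output=True,
        text=True,
        check=False,
    )
    return result.stdout if result.returncode == 0 else result.stderr


def is_rejected(user_input: str) -> bool:
    """True when validation refuses the input. Rejections are worth logging:
    a burst of them is itself a detection signal."""
    try:
        validate_file_name(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and three that must be refused.
    for candidate in ["report.txt", "report.txt; echo injected", "$(id)", "../../outside.txt"]:
        print(f"{candidate!r:32} rejected={is_rejected(candidate)}")
    print(secure_file_info("report.txt", base_dir="."))
```

The secure version never builds a command string at all, so the question "did I escape the input correctly?" does not arise; validation exists only to keep the resulting path inside `base_dir`.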
Run:
```bash
python3 command_injection.py
```

MITRE ATT&CK Technique: T1059.006 - Execution via Deserialization
Demonstrates how insecure deserialization (especially with pickle) can lead to arbitrary code execution, and shows safe alternatives using JSON with schema validation.
Key Features:
- Vulnerable pickle deserialization
- Malicious payload demonstration
- Safe JSON-based alternative
- Schema validation and type checking
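An added example of the defensive side of this sample (not the repository's `unsafe_deserialization.py`): a restricted unpickler that refuses every global, so a payload can only be built from plain builtin containers, beside the preferred JSON loader with a small type-and-required-field schema. `USER_SCHEMA`, the field names and the two constructed pickles are assumptions for the illustration.

```python
import datetime
import io
import json
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global name. Plain containers
    (dict, list, str, int, ...) need no globals and still load; anything that
    references a class or function is rejected before it can be invoked."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def pickle_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples: a harmless pickle of builtin types, and one that needs
# a global (datetime.date) and is therefore refused by the restricted loader.
PLAIN_PICKLE = pickle.dumps({"user": "alice", "roles": ["reader"]})
GLOBAL_PICKLE = pickle.dumps(datetime.date(2024, 1, 1))

# Minimal schema for the JSON alternative: field -> (expected type, required).
USER_SCHEMA = {
    "username": (str, True),
    "age": (int, True),
    "roles": (list, False),
}


def load_user(json_text: str) -> dict:
    """Parse JSON (data only, never code) and enforce the schema: required
    fields present, exact types, no unexpected fields."""
    obj = json.loads(json_text)
    if not isinstance(obj, dict):
        raise ValueError("top-level JSON value must be an object")
    unknown = set(obj) - set(USER_SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for field, (ftype, required) in USER_SCHEMA.items():
        if field not in obj:
            if required:
                raise ValueError(f"missing required field '{field}'")
            continue
        value = obj[field]
        # bool is a subclass of int; no field here is boolean, so a bool is always a type error
        if isinstance(value, bool) or not isinstance(value, ftype):
            raise ValueError(f"field '{field}' must be {ftype.__name__}")
    return obj


def json_accepted(json_text: str) -> bool:
    try:
        load_user(json_text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False
    return True


if __name__ == "__main__":
    print("plain pickle rejected:", pickle_rejected(PLAIN_PICKLE))
    print("pickle with global rejected:", pickle_rejected(GLOBAL_PICKLE))
    print("valid user accepted:", json_accepted('{"username": "alice", "age": 30}'))
    print("wrong type accepted:", json_accepted('{"username": "alice", "age": "30"}'))
```

The restricted unpickler is a containment measure for legacy code that cannot drop pickle yet; the JSON loader is the real fix, because JSON has no mechanism for naming code to run.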
Run:
```bash
python3 unsafe_deserialization.py
```

MITRE ATT&CK Technique: T1070 - Indicator Removal on Host
Implements tamper-evident logging using cryptographic hash chains, making it detectable when logs are modified or deleted by attackers.
Key Features:
- Cryptographic hash chains for log integrity
- Detection of log tampering and deletion
- Verification function to validate log chain
- Export functionality for secure archival
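A hash-chained log with a verifier, as an added example rather than the repository's `tamper_evident_logging.py`: every entry commits to the previous entry's hash, so editing, reordering, or deleting entries breaks the chain, and comparing against a head hash stored elsewhere catches truncation from the end. The entry layout, the `GENESIS` value and the sample messages are assumptions for the illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_hash(prev_hash: str, timestamp: str, message: str) -> str:
    payload = json.dumps([prev_hash, timestamp, message], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class TamperEvidentLog:
    def __init__(self):
        self.entries = []

    def append(self, message: str, timestamp: str = None) -> dict:
        timestamp = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": timestamp,
            "message": message,
            "prev_hash": prev,
            "hash": _entry_hash(prev, timestamp, message),
        }
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; ship this off-host after every batch."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def export(self) -> str:
        """JSON for archival; the chain can be verified from the export alone."""
        return json.dumps(self.entries, indent=2)


def verify_chain(entries, expected_head=None):
    """Return (ok, problems). Edits show up as a content hash mismatch,
    reorders and deletions as seq/prev_hash mismatches, and truncation from
    the end as a head hash that differs from the externally stored one."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence gap (seq={e['seq']})")
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: prev_hash does not match previous entry")
        if _entry_hash(e["prev_hash"], e["timestamp"], e["message"]) != e["hash"]:
            problems.append(f"entry {i}: content hash mismatch (modified)")
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        problems.append("head hash mismatch (entries deleted from the end?)")
    return (not problems, problems)


if __name__ == "__main__":
    log = TamperEvidentLog()
    for msg in ["login ok user=alice", "sudo used by alice", "config changed by alice"]:
        log.append(msg)
    head = log.head()
    print("intact:", verify_chain(log.entries, head))
    tampered = [dict(e) for e in log.entries]
    tampered[1]["message"] = "nothing happened"
    print("edited:", verify_chain(tampered, head))
    print("truncated:", verify_chain(log.entries[:2], head))
```

The chain by itself only proves internal consistency: an attacker with write access to the file could recompute every hash. The detection value comes from the `expected_head` argument, which must be copied somewhere the attacker cannot reach (a remote collector, write-once storage) each time the log grows.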
Run:
```bash
python3 tamper_evident_logging.py
```

MITRE ATT&CK Techniques:
- T1213 - Data from Information Repositories
- T1020 - Automated Exfiltration
Monitors data access patterns to detect anomalous behavior indicating data theft or exfiltration attempts.
Key Features:
- Baseline behavioral modeling
- Volume and velocity anomaly detection
- Time-based anomaly detection (unusual hours)
- Sensitivity-based access monitoring
- Rate limiting and alerting
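An added example of the baseline-and-anomaly approach described above (not the repository's `data_access_monitor.py`): each user's past windows give a mean and standard deviation of sensitivity-weighted access volume, a new window is flagged when its z-score exceeds a threshold, when it falls in hours the user has never been active, or when it touches more restricted records than allowed. The `SENSITIVITY_WEIGHT` table, thresholds and the constructed access events are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed weights: one "restricted" record counts as much as ten public ones.
SENSITIVITY_WEIGHT = {"public": 1, "internal": 2, "confidential": 5, "restricted": 10}

# An access event is (timestamp: datetime, records_returned: int, sensitivity: str).


def weighted_volume(events) -> int:
    return sum(n * SENSITIVITY_WEIGHT.get(level, 2) for _, n, level in events)


class DataAccessMonitor:
    def __init__(self, z_threshold=3.0, min_baseline_windows=5, restricted_limit=100):
        self.z_threshold = z_threshold
        self.min_baseline_windows = min_baseline_windows
        self.restricted_limit = restricted_limit
        self.baseline = defaultdict(list)    # user -> weighted volume per past window
        self.usual_hours = defaultdict(set)  # user -> hours of day seen during baseline

    def record_baseline_window(self, user, events):
        """Feed one historical window (e.g. one working day) into the model."""
        self.baseline[user].append(weighted_volume(events))
        self.usual_hours[user].update(ts.hour for ts, _, _ in events)

    def evaluate(self, user, events) -> dict:
        """Score a new window and return the alerts it raises."""
        alerts = []
        volume = weighted_volume(events)
        history = self.baseline[user]
        if len(history) >= self.min_baseline_windows:
            mean = statistics.mean(history)
            std = statistics.pstdev(history) or 1.0  # flat baseline: avoid division by zero
            z = (volume - mean) / std
            if z > self.z_threshold:
                alerts.append(f"volume anomaly: {volume} vs baseline mean {mean:.0f} (z={z:.1f})")
        else:
            alerts.append("insufficient baseline: route to manual review")
        new_hours = sorted({ts.hour for ts, _, _ in events} - self.usual_hours[user])
        if new_hours and self.usual_hours[user]:
            alerts.append(f"unusual hours: {new_hours}")
        restricted = sum(n for _, n, level in events if level == "restricted")
        if restricted > self.restricted_limit:
            alerts.append(f"restricted data: {restricted} records in one window")
        return {"user": user, "volume": volume, "alerts": alerts}


def _day(day: int, hour_counts: dict, level: str):
    """Constructed helper: events on one day in March 2024, {hour: records} at one sensitivity."""
    return [(datetime(2024, 3, day, h), n, level) for h, n in hour_counts.items()]


def demo():
    mon = DataAccessMonitor()
    # Constructed baseline: five working days, alice reads 90..110 internal records at 09:00 and 14:00
    for day, n in zip(range(4, 9), [90, 100, 110, 95, 105]):
        mon.record_baseline_window("alice", _day(day, {9: n // 2, 14: n - n // 2}, "internal"))
    normal = mon.evaluate("alice", _day(11, {14: 100}, "internal"))
    bulk = mon.evaluate("alice", _day(12, {3: 2000}, "confidential"))
    restricted = mon.evaluate("alice", _day(13, {14: 150}, "restricted"))
    return normal, bulk, restricted


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Weighting by sensitivity keeps a large but harmless report export from looking like a small pull of restricted records; the hour check is deliberately per user, since "unusual" for a night-shift operator differs from an office worker.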
Run:
```bash
python3 data_access_monitor.py
```

MITRE ATT&CK Technique: T1552 - Unsecured Credentials
Scans source code and configuration files for hardcoded credentials, API keys, passwords, and other secrets that attackers commonly search for.
Key Features:
- Pattern-based detection of various credential types
- Support for multiple file formats
- Severity classification
- False positive reduction
- Detailed reporting
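A small scanner in the same spirit, added here as an example and not the repository's `secrets_scanner.py`: regex patterns with a severity each, plus two false-positive filters (placeholder and template detection, and a Shannon entropy floor for key-like values). The pattern set, the severities, the placeholder word list and the sample configuration text are all constructed assumptions; the AWS key shown is the documented example key, not a live credential.

```python
import math
import re
from collections import Counter

# Detection patterns: name -> (regex, severity). Group 1, when present, is the secret value.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), "high"),
    "private_key_block": (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), "critical"),
    "generic_api_key": (re.compile(r"(?i)(?:api[_-]?key|secret[_-]?key|auth[_-]?token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"), "high"),
    "generic_password": (re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"), "medium"),
}

# False-positive reduction: obvious placeholders and template/env references.
PLACEHOLDER_WORDS = ("changeme", "example", "placeholder", "your_", "dummy", "<", "xxxx")
TEMPLATE_PREFIXES = ("${", "{{", "%(")


def shannon_entropy(value: str) -> float:
    """Bits per character; real keys are close to random, filler strings are not."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return v.startswith(TEMPLATE_PREFIXES) or any(w in v for w in PLACEHOLDER_WORDS)


def scan_text(text: str, path: str = "<inline>", min_entropy: float = 3.0) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, (regex, severity) in PATTERNS.items():
            for match in regex.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if name.startswith("generic"):
                    if looks_like_placeholder(value):
                        continue
                    if name == "generic_api_key" and shannon_entropy(value) < min_entropy:
                        continue
                findings.append({
                    "path": path,
                    "line": lineno,
                    "type": name,
                    "severity": severity,
                    # never copy the full secret into a report
                    "preview": value[:4] + "*" * max(len(value) - 4, 0),
                })
    return findings


def summarize(findings) -> dict:
    return dict(Counter(f["severity"] for f in findings))


# Constructed sample file content; none of these values is real.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
DB_PASSWORD = "changeme"
api_key = "${API_KEY}"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
admin_password = "c0rr3ct-h0rse-b4ttery"
SECRET_KEY = "aaaaaaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    results = scan_text(SAMPLE_CONFIG, path="config.py")
    for f in results:
        print(f"{f['path']}:{f['line']} [{f['severity']}] {f['type']} {f['preview']}")
    print(summarize(results))
```

Vendor-specific patterns (the AWS one here) are reported regardless of content because their format alone is a strong signal; only the generic `password =` / `api_key =` matches go through the placeholder and entropy filters, which is where most noise comes from.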
Run:
```bash
python3 secrets_scanner.py
```

MITRE ATT&CK Technique: T1078 - Valid Accounts
Demonstrates authentication monitoring to detect misuse of valid credentials through behavioral analysis and anomaly detection.
Key Features:
- Impossible travel detection (geolocation anomalies)
- Device fingerprint tracking
- Behavioral baseline modeling
- Privilege escalation monitoring
- Risk-based step-up authentication
- Anomalous resource access detection
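Impossible travel, device fingerprinting and risk-based step-up combined into one scoring function, as an added example (not the repository's `auth_monitoring.py`): the implied speed between consecutive logins is computed with the haversine formula and compared against a plausible maximum, an unknown device fingerprint and an off-hours login add to the score, and the total decides whether step-up authentication is required. The speed limit, the risk weights, the `STEP_UP_THRESHOLD`, the business-hours range, and the constructed login records are assumptions; login times are assumed to be in the user's local timezone.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed
STEP_UP_THRESHOLD = 50           # assumption: risk score at which MFA is demanded
BUSINESS_HOURS = range(7, 21)    # assumption: local-time hours considered normal


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def travel_speed_kmh(prev: dict, new: dict) -> float:
    """Implied speed between two logins; a gap under one minute is treated as one minute."""
    distance = haversine_km(prev["lat"], prev["lon"], new["lat"], new["lon"])
    hours = max((new["time"] - prev["time"]).total_seconds() / 3600.0, 1 / 60)
    return distance / hours


def assess_login(history: list, new: dict, known_devices: set) -> dict:
    """history: this user's previous logins, oldest first; new: the login under evaluation.
    A login is {"time": aware datetime, "lat": float, "lon": float, "device": fingerprint}."""
    risk, reasons = 0, []
    if history:
        speed = travel_speed_kmh(history[-1], new)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            risk += 60
            reasons.append(f"impossible travel: {speed:.0f} km/h since last login")
    if new["device"] not in known_devices:
        risk += 30
        reasons.append("unrecognised device fingerprint")
    if new["time"].hour not in BUSINESS_HOURS:
        risk += 15
        reasons.append(f"login at unusual hour {new['time'].hour:02d}:00")
    return {"risk": risk, "reasons": reasons, "step_up": risk >= STEP_UP_THRESHOLD}


def demo():
    """Constructed logins: London at 09:00, then Paris (+3h), Sydney (+1h) and a new device."""
    t0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    london = {"time": t0, "lat": 51.5074, "lon": -0.1278, "device": "fp-laptop-1"}
    paris = {"time": t0 + timedelta(hours=3), "lat": 48.8566, "lon": 2.3522, "device": "fp-laptop-1"}
    sydney = {"time": t0 + timedelta(hours=1), "lat": -33.8688, "lon": 151.2093, "device": "fp-laptop-1"}
    new_device = {"time": t0 + timedelta(hours=2), "lat": 51.5074, "lon": -0.1278, "device": "fp-unknown"}
    known = {"fp-laptop-1"}
    return (
        assess_login([london], paris, known),
        assess_login([london], sydney, known),
        assess_login([london], new_device, known),
    )


if __name__ == "__main__":
    for label, result in zip(["paris", "sydney", "new device"], demo()):
        print(label, result)
```

Geolocation from IP addresses is coarse, and VPN exits jump continents legitimately, so impossible travel on its own triggers step-up rather than lockout; the additive score lets weaker signals (new device, odd hour) escalate only in combination.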
Run:
```bash
python3 auth_monitoring.py
```

MITRE ATT&CK Technique: T1110.003 - Password Spraying
Detects password spray attacks where attackers try one common password across many accounts to bypass per-account rate limiting.
Key Features:
- Cross-account password pattern detection
- Distributed attack detection (multiple IPs)
- Slow-and-low spray detection
- IP reputation tracking
- Progressive delays and lockouts
- Spray velocity monitoring
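One detector covering both the credential stuffing sample (T1110.004) and this password spraying sample, as an added example that is not the repository's `credential_stuffing_detection.py` or `password_spray_detection.py`: sliding-window failure counts per IP and per account handle stuffing and lockout, the number of distinct accounts per IP catches a single-source spray, and a keyed fingerprint of the failed password catches a spray distributed over many IPs. The thresholds, the `FINGERPRINT_KEY`, the progressive-delay schedule and the constructed attempts (documentation IP ranges) are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Assumption: a frequently rotated key. Failed passwords are never stored,
# only an HMAC fingerprint, so the table cannot be turned back into passwords.
FINGERPRINT_KEY = b"constructed-demo-key-rotate-me"


class LoginAbuseDetector:
    def __init__(self, window_s=600, max_ip_failures=20, max_account_failures=5, spray_accounts=10):
        self.window = window_s
        self.max_ip_failures = max_ip_failures
        self.max_account_failures = max_account_failures
        self.spray_accounts = spray_accounts
        self.ip_failures = defaultdict(deque)       # ip -> failure timestamps
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.ip_accounts = defaultdict(dict)        # ip -> {account: last failure time}
        self.pw_accounts = defaultdict(dict)        # password fingerprint -> {account: time}
        self.blocked_ips = set()
        self.locked_accounts = set()

    @staticmethod
    def _fingerprint(password: str) -> str:
        return hmac.new(FINGERPRINT_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def _touch(self, table, key, now):
        table[key] = now
        for stale in [k for k, t in table.items() if now - t > self.window]:
            del table[stale]
        return table

    def record_failure(self, ip, account, password, now=None) -> list:
        now = time.time() if now is None else now
        alerts = []

        dq = self.ip_failures[ip]
        dq.append(now)
        self._prune(dq, now)
        if len(dq) > self.max_ip_failures:
            self.blocked_ips.add(ip)
            alerts.append(f"credential stuffing: {len(dq)} failures from {ip}; IP blocked")

        dq = self.account_failures[account]
        dq.append(now)
        self._prune(dq, now)
        if len(dq) >= self.max_account_failures:
            self.locked_accounts.add(account)
            alerts.append(f"account lockout: {account} after {len(dq)} failures")

        seen = self._touch(self.ip_accounts[ip], account, now)
        if len(seen) >= self.spray_accounts:
            alerts.append(f"password spray: {ip} tried {len(seen)} distinct accounts")

        seen = self._touch(self.pw_accounts[self._fingerprint(password)], account, now)
        if len(seen) >= self.spray_accounts:
            alerts.append(f"password spray (distributed): same password tried on {len(seen)} accounts")
        return alerts

    def delay_seconds(self, account, now=None) -> int:
        """Progressive delay before the next attempt on this account: 1, 2, 4, ... capped at 300."""
        now = time.time() if now is None else now
        dq = self.account_failures[account]
        self._prune(dq, now)
        return 0 if not dq else min(2 ** (len(dq) - 1), 300)

    def is_blocked(self, ip) -> bool:
        return ip in self.blocked_ips

    def is_locked(self, account) -> bool:
        return account in self.locked_accounts


def demo():
    """Constructed traffic: stuffing from one IP, a distributed spray, and a single-account attack."""
    det = LoginAbuseDetector()
    for i in range(25):
        det.record_failure("203.0.113.5", f"victim{i:02d}", f"leaked-pw-{i}", now=float(i))
    last = []
    for i in range(12):
        last = det.record_failure(f"198.51.100.{i + 1}", f"user{i:02d}", "CommonPassword1", now=100.0 + i)
    for i in range(5):
        det.record_failure(f"192.0.2.{i + 1}", "bob", f"guess-{i}", now=200.0 + i)
    return det, last


if __name__ == "__main__":
    det, last = demo()
    print("stuffing IP blocked:", det.is_blocked("203.0.113.5"))
    print("distributed spray alerts:", last)
    print("bob locked:", det.is_locked("bob"), "next delay:", det.delay_seconds("bob", now=205.0))
```

A slow-and-low spray is caught by the same code with a longer `window_s`; the cost is memory for the per-fingerprint tables, which is why stale entries are pruned on every touch. Note that the distributed-spray check does not block any IP or lock any account, because each of them has only one failure; it raises an alert for analysts, which is the appropriate response when the evidence is spread across sources.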
Run:
```bash
python3 password_spray_detection.py
```

MITRE ATT&CK Technique: T1565 - Data Manipulation
Implements data integrity verification to detect and prevent unauthorized data modifications using HMAC signatures and audit trails.
Key Features:
- HMAC-based record integrity verification
- Tamper-evident audit trails
- Mass modification detection
- Field-level change tracking
- High-sensitivity field monitoring
- Change velocity analysis
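The HMAC-protected record store described above, as an added example that is not the repository's `data_integrity.py`: every write through `put()` recomputes an HMAC over a canonical serialisation and records a field-level diff in the audit trail, `verify()` detects records altered outside the API (for instance by a direct database edit), sensitive-field changes are flagged, and a per-actor sliding window catches mass modification. The key, the `sensitive_fields` default, the thresholds and the constructed employee records are assumptions.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque


def canonical(record: dict) -> bytes:
    """Stable serialisation so the same content always yields the same MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def field_diff(old: dict, new: dict) -> dict:
    """field -> (old_value, new_value) for every added, removed or changed field."""
    return {f: (old.get(f), new.get(f)) for f in set(old) | set(new) if old.get(f) != new.get(f)}


class IntegrityStore:
    def __init__(self, key: bytes, sensitive_fields=("salary", "role", "iban"),
                 mass_threshold=10, window_s=60):
        self.key = key
        self.sensitive = set(sensitive_fields)
        self.mass_threshold = mass_threshold
        self.window = window_s
        self.records = {}                          # id -> {"data": dict, "mac": hex}
        self.audit = []                            # append-only trail of changes
        self.recent_changes = defaultdict(deque)   # actor -> change timestamps

    def _mac(self, record: dict) -> str:
        return hmac.new(self.key, canonical(record), hashlib.sha256).hexdigest()

    def put(self, rid: str, record: dict, actor: str, now: float) -> list:
        """The only legitimate write path: stores the record with its MAC and audits the diff."""
        old = self.records[rid]["data"] if rid in self.records else {}
        changes = field_diff(old, record)
        self.records[rid] = {"data": dict(record), "mac": self._mac(record)}
        self.audit.append({"id": rid, "actor": actor, "time": now, "changes": changes})

        alerts = []
        touched = self.sensitive & set(changes)
        if old and touched:  # creation is not a modification
            alerts.append(f"sensitive field change on {rid} by {actor}: {sorted(touched)}")
        dq = self.recent_changes[actor]
        dq.append(now)
        while dq and now - dq[0] > self.window:
            dq.popleft()
        if len(dq) >= self.mass_threshold:
            alerts.append(f"mass modification: {actor} changed {len(dq)} records in {self.window}s")
        return alerts

    def verify(self, rid: str) -> bool:
        """Recompute the MAC; a record changed outside put() fails."""
        entry = self.records[rid]
        return hmac.compare_digest(self._mac(entry["data"]), entry["mac"])

    def find_tampered(self) -> list:
        return sorted(rid for rid in self.records if not self.verify(rid))


def demo():
    store = IntegrityStore(key=b"constructed-demo-key")
    store.put("emp-1", {"name": "Alice", "role": "analyst", "salary": 70000}, "hr-app", 0.0)
    role_alerts = store.put("emp-1", {"name": "Alice", "role": "admin", "salary": 70000}, "hr-app", 1.0)
    # Simulate a direct edit of the stored data that bypasses put(): the MAC no longer matches.
    store.records["emp-1"]["data"]["salary"] = 250000
    batch_alerts = []
    for i in range(10):
        batch_alerts = store.put(f"emp-{100 + i}", {"name": f"u{i}", "role": "x", "salary": 1},
                                 "svc-batch", 10.0 + i)
    return store, role_alerts, batch_alerts


if __name__ == "__main__":
    store, role_alerts, batch_alerts = demo()
    print("role change:", role_alerts)
    print("tampered records:", store.find_tampered())
    print("batch:", batch_alerts)
```

The MAC key must live outside the database the records sit in (an application secret or a KMS), otherwise whoever can edit the rows can also re-sign them; the audit list here is plain, but feeding it into a hash-chained log like the one in the tamper-evident logging sample closes that gap as well.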
Run:
```bash
python3 data_integrity.py
```

All samples use only the Python standard library - no external dependencies required. Compatible with Python 3.7+.
These samples are designed for:
- Security awareness training
- Developer education on secure coding
- Conference talks and presentations
- Understanding attacker techniques
- Learning defensive programming patterns

- Input Validation: Always validate and sanitize user input
- Least Privilege: Run with minimum necessary permissions
- Defense Monitoring: Implement behavioral monitoring and anomaly detection
- Secure Defaults: Use safe APIs and configurations by default
- Layered Security: Don't rely on a single defensive measure

- Use allowlists over denylists
- Implement rate limiting and throttling
- Log security-relevant events
- Monitor for anomalous behavior
- Use cryptographic verification where appropriate
These educational samples are provided as-is for learning purposes.
These samples are part of the "MITRE ATT&CK for Developers" conference talk. For questions or improvements, please refer to the main repository.
Remember: The best defense is understanding how attacks work and building security into your code from the start! 🛡️