Keensafe Breach & Attack Sim

bas-007 — Credential stuffing — leaked admin → admin panel

critical · risk 95 · Identity

CTI item lkc-007 (admin@keensafeglobalbank.com:Admin123!, recovered from a stealer log) reused against /admin/login.

MITRE & OWASP

  • MITRE ATT&CK T1110.004 Credential Stuffing
  • OWASP A07:2021 Identification and Authentication Failures

Preconditions

  • admin.keensafeglobalbank.com reachable
  • ALLOWED_TEST_IPS includes attacker

Attack path

  1. attacker — POST /login as admin@keensafeglobalbank.com / Admin123!
  2. app — MFA accepts '0000'
  3. attacker — Browse /users and /audit-logs
  4. attacker — Tamper with audit log via DELETE

Run

Running emits evidence JSON; no real exploitation runs.


Remediation

Enforce real MFA (reject fixed or default codes such as '0000'); add password breach detection so leaked credentials are rejected at login; the admin-panel IP allowlist is already enabled.