azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: multi-user setup, audit + gap fixes, Howard onboarding package

Browse Source 
Two session logs:
- session-logs/2026-04-16-session.md: cross-cutting (multi-user, audit, infrastructure)
- guru-rmm session log appended: MSI installer, Len's Auto Brokerage, Uranus, migration drift

Gap fixes: GrepAI initialized + MCP server added, Ollama models pulling,
settings.json created (bypassPermissions), MCP_SERVERS.md written.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-04-16 18:55:28 -07:00
parent a18157b5fa
commit 100a491ac6
20 changed files with 1617 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
clients/internal-infrastructure/reports/2026-04-16-howard-breach-check.md Normal file
View File

@@ -0,0 +1,142 @@
# Howard — Breach Check (azcomputerguru.com)
**Date:** 2026-04-16
**Tenant:** AZ Computer Guru (azcomputerguru.com, `ce61461e-81a0-4c84-bb4a-7b354a9a356d`)
**Subject:** howard@azcomputerguru.com (object id `c99de3bd-ddc1-43f1-907f-e84b91273660`)
**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation — via `/remediation-tool check`
**Scope:** Read-only
## Summary
- **No breach indicators.** Every one of the 174 foreign sign-in attempts in the last 30 days FAILED. Zero successful non-US sign-ins.
- Mailbox clean at the Graph level: 3 inbox rules, all user-authored filters (Telnyx status, Atlas_LNP whitelabel, Facebook notifications). No forward/redirect/delete actions.
- 4 OAuth grants + 8 app role assignments — all MSP-relevant apps (Syncro, Kaseya SSO, Tailscale, Graph Explorer, Perfect Wiki, ASUS, Uizard). No unfamiliar consents.
- 6 auth methods — all legitimate MFA (password, SMS, OATH token, 3 Microsoft Authenticator registrations across phone upgrades).
- **Password age: 18 months** (last changed 2024-09-24). Rotate as hygiene.
- **Ongoing credential-stuffing campaign:** attempts from CN (32), IN (32), KR (28), LU (15, via Azure CLI), BR (14), DE, JP, HK, MA, RU, SE, AE, GM, LA, NO, PT, TN, TW, UA, BG, BN, ID, PE, SO, TH, UG. All blocked.
## Target details
| Field | Value |
|---|---|
| UPN | howard@azcomputerguru.com |
| Object ID | c99de3bd-ddc1-43f1-907f-e84b91273660 |
| Account Enabled | true |
| Created | 2024-08-14 |
| Last Password Change | 2024-09-24 (18 months ago) |
## Per-check findings
### 1. Inbox rules (Graph) — CLEAN
3 rules, all user-authored folder moves:
- `Telnex` — Telnyx status notifications (noreply@statuspage.io) -> folder
- `Move all messages from Atlas_LNP@whitelabelcomm.com to whitelabeel` — WhiteLabel Comm LNP tickets -> folder
- `facebook` — Facebook notification senders -> folder
No Forward/Redirect/Delete actions.
### 2. Mailbox forwarding / settings — CLEAN
No forwarding via Graph user/mailboxSettings. Exchange REST check blocked (see Gaps).
### 3. Hidden inbox rules / delegates / SendAs / mailbox-level forwarding — BLOCKED (403)
Exchange REST returned empty bodies — app's service principal lacks Exchange Administrator role in the azcomputerguru tenant. See Gaps.
### 4. OAuth consents + app role assignments — CLEAN
OAuth grants (user-consented scopes on Microsoft Graph):
| Client ID | Scopes |
|---|---|
| `bda7b1c9-f852-4916-ba9a-5942623882d8` | openid profile User.Read offline_access |
| `0f06016e-1ad1-4996-ad6c-25233e3bd997` | offline_access Calendars.ReadWrite |
| `c1ba11bc-9be2-4720-b6ac-7a19d3f31029` | openid email profile |
| `fe7fb591-b8ea-4715-87ee-b46375eb32c9` | User.Read email profile Team.ReadBasic.All Channel.ReadBasic.All offline_access openid |
App role assignments (apps Howard has access to):
| Resource | Created |
|---|---|
| Syncro (original) | 2021-12-06 |
| Syncro v2 | 2024-08-27 |
| ASUS Account | 2024-11-07 |
| Perfect Wiki | 2025-02-11 |
| KaseyaSSO | 2025-05-11 |
| Tailscale | 2025-06-28 |
| Graph Explorer | 2025-11-07 |
| Uizard | 2025-11-21 |
All fit MSP-tech profile. Nothing recent + unknown.
### 5. Authentication methods — CLEAN
- Password (2024-09-24)
- Phone `+1 520-585-1310`
- Software OATH token
- Microsoft Authenticator "Pixel 6 Pro"
- Microsoft Authenticator "DE2118"
- Microsoft Authenticator "GooglePixel 6 Pro" (2025-06-25)
Multiple Authenticator entries reflect phone upgrades/re-registrations over time. No method added inside a suspicious window.
### 6. Sign-ins (30d) — CLEAN (attack active, fully blocked)
**200 total sign-ins in 30 days. 174 non-US. Every non-US attempt FAILED. Zero successful foreign sign-ins.**
Foreign failure distribution:
| Country | Attempts | App targeted |
|---|---|---|
| CN | 32 | Office 365 Exchange Online |
| IN | 32 | Office 365 Exchange Online |
| KR | 28 | Office 365 Exchange Online |
| LU | 15 | Microsoft Azure CLI |
| BR | 14 | Office 365 Exchange Online |
| DE | 8 | Azure AD PowerShell |
| JP | 8 | Azure AD PowerShell |
| HK | 4 | Office 365 Exchange Online |
| MA | 4 | Office 365 Exchange Online |
| RU | 3 | Office 365 Exchange Online |
| SE | 3 | Office 365 Exchange Online |
| AE, GM, LA, NO, PT, TN, TW, UA | 2 each | Office 365 Exchange Online |
| BG, BN, ID, PE, SO, TH, UG | 1 each | Office 365 Exchange Online |
Pattern: broad, distributed credential stuffing. Most attempts target legacy auth against Exchange Online. Luxembourg block specifically targets Azure CLI (corporate cloud-admin path). Germany + Japan targets Azure AD PowerShell. **Attacker knows Howard is an MSP admin and is probing admin-grade endpoints.**
### 7. Directory audits (targetResources = Howard) — CLEAN
0 events in 30 days targeting Howard's account. No unauthorized changes.
### 8. Risky users / risk detections — BLOCKED (403)
`IdentityRiskyUser.Read.All` not consented in azcomputerguru tenant. See Gaps.
### 9. Sent items (recent 25) — CLEAN
Normal business correspondence. No blast patterns.
### 10. Deleted items (recent 25) — CLEAN
Normal marketing/notifications. No deleted security alerts.
## Gaps — blocked by missing permissions
### Gap #1: Exchange REST (403)
The ComputerGuru - AI Remediation service principal doesn't have Exchange Administrator role in **our own** azcomputerguru tenant. Blocks:
- Hidden inbox rules (`Get-InboxRule -IncludeHidden`)
- Mailbox permissions / delegates
- SendAs permissions
- Mailbox-level forwarding flags
**Fix:** Entra -> Roles & admins -> Exchange Administrator -> Add assignment -> search "ComputerGuru - AI Remediation" -> Active (permanent).
### Gap #2: Identity Protection (403)
`IdentityRiskyUser.Read.All` not consented in azcomputerguru tenant. Blocks risky user classification and risk detection history.
**Fix:** Admin consent URL -
```
https://login.microsoftonline.com/ce61461e-81a0-4c84-bb4a-7b354a9a356d/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
```
## Priority actions
1. **Rotate Howard's password** — hygiene, 18 months old and he's actively targeted. Good time for a change.
2. **Close the gaps above on our own tenant** — we've been running the remediation tool against customer tenants without ever consenting on our own home tenant. That's an oversight.
3. **Review legacy auth exposure tenant-wide.** The credential-stuffing targets Exchange Online basic auth and AAD PowerShell — both should be blocked by Conditional Access. Confirm CA policies block legacy auth tenant-wide (not just for Howard).
4. **Consider moving Howard to passwordless / FIDO2 as primary** — given the volume of attempts, elevating beyond password+MFA would effectively neutralize the campaign.
## Data artifacts
Raw JSON at `/tmp/remediation-tool/ce61461e-81a0-4c84-bb4a-7b354a9a356d/user-breach/howard_azcomputerguru_com/`