wiki+memory: consolidate kittle-design -> kittle (redirect stub); add feedback memories (syncro preview, refresh-first, autonomy scope)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -2,117 +2,20 @@
|
||||
type: client
|
||||
name: kittle-design
|
||||
display_name: Kittle Design & Construction
|
||||
last_compiled: 2026-05-24
|
||||
compiled_by: DESKTOP-0O8A1RL/claude-main
|
||||
last_compiled: 2026-06-09
|
||||
compiled_by: GURU-5070/claude-main
|
||||
superseded_by: clients/kittle.md
|
||||
sources:
|
||||
- clients/kittle-design/session-logs/2026-04-24-session.md
|
||||
backlinks:
|
||||
- clients/kittle
|
||||
---
|
||||
|
||||
# Kittle Design & Construction
|
||||
# Kittle Design & Construction — SUPERSEDED
|
||||
|
||||
## Overview
|
||||
|
||||
- **Business type:** Design & construction firm
|
||||
- **M365 tenant:** kittlearizona.com
|
||||
- **Billing model:** Time and materials [unverified — one ticket observed]
|
||||
- **Billing rate:** Unknown (Labor - Remote Business, product_id 1190473)
|
||||
- **Contract status:** Unknown
|
||||
- **Syncro ticket:** #32207
|
||||
|
||||
## Contacts
|
||||
|
||||
| Name | UPN | Notes |
|
||||
|---|---|---|
|
||||
| Alexis | alexis@kittlearizona.com | Confirmed compromise — hidden inbox rule, duplicate Authenticator, password reset issued |
|
||||
| Ken | Ken@kittlearizona.com | Suspicious inbox rule "Admin" (Capital One/Bill.com) — status unconfirmed as of session end |
|
||||
| Lori | Lori@kittlearizona.com | Two Authenticator entries (different Samsung models — likely phone upgrade) |
|
||||
| Scott | scott@kittlearizona.com | Phone-only MFA, no Authenticator enrolled |
|
||||
|
||||
## Infrastructure
|
||||
|
||||
- **On-premises servers/workstations:** Not documented.
|
||||
- **Entra P1/P2:** NOT licensed — sign-in logs and Identity Protection unavailable.
|
||||
- Token cache location (local): `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`
|
||||
|
||||
## Network
|
||||
|
||||
*(not documented)*
|
||||
|
||||
## Cloud / M365
|
||||
|
||||
| Property | Value |
|
||||
|---|---|
|
||||
| Tenant domain | kittlearizona.com |
|
||||
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
|
||||
| Entra P1/P2 | No — sign-in logs unavailable |
|
||||
| Exchange Admin role | Assigned to Security Investigator SP (manually) |
|
||||
|
||||
### Service Principals (Remediation Tool)
|
||||
|
||||
| App | SP Object ID | Role |
|
||||
|---|---|---|
|
||||
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
|
||||
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
|
||||
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
|
||||
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | *(role not documented)* |
|
||||
|
||||
> [WARNING] Alexis's temp password `KittleGwiNUK#2026` was in the session log. This is a force-change-on-login temp password issued 2026-04-23 — it should already be changed. Do not use. Store any active credentials in vault only.
|
||||
|
||||
### Alexis — Compromise Details
|
||||
|
||||
- **Hidden inbox rule "."** — was routing Howmet-related emails to Conversation History folder. Deleted.
|
||||
- **Emails recovered** (moved back to inbox, HTTP 201):
|
||||
- "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
|
||||
- "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
|
||||
- "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)
|
||||
- **Duplicate Authenticator entries** — two entries, same device name "iPhone 12 Pro Max" but different app versions. Suspicious entry ID: `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40). Pending removal after confirmation from Alexis.
|
||||
- **Sessions revoked** — revokeSignInSessions returned true.
|
||||
- **Password reset** — temp password issued, force-change enforced.
|
||||
- **User object ID:** `74a1eae1-c0dd-4544-a98f-3a18f809785a`
|
||||
- **Exchange identity:** `alexis\2866869517449953281`
|
||||
|
||||
### OAuth Consents Revoked
|
||||
|
||||
**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted):
|
||||
- Had Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes — extremely broad.
|
||||
|
||||
**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth — 1 grant deleted):
|
||||
- IMAP.AccessAsUser.All, openid, offline_access — consented by unknown user.
|
||||
|
||||
## GuruRMM
|
||||
|
||||
*(not documented)*
|
||||
|
||||
## Active Projects / Open Items
|
||||
|
||||
| Priority | Action | Owner |
|
||||
|---|---|---|
|
||||
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove suspicious entry `c927402a` | Mike |
|
||||
| P1 | Ask Ken: does he recognize the "Admin" inbox rule (Capital One, Bill.com, @flystucson.com)? If no → escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions) | Mike |
|
||||
| P2 | Verify Alexis received temp password `KittleGwiNUK#2026` and has changed it | Mike |
|
||||
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
|
||||
| P3 | Enroll Scott in Microsoft Authenticator (currently phone-only MFA) | Mike |
|
||||
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business, product_id 1190473) | Mike |
|
||||
|
||||
## Key Events / History
|
||||
|
||||
### 2026-04-23/24 — Full M365 breach check and remediation
|
||||
|
||||
Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`
|
||||
|
||||
- Onboarded Exchange Operator and Tenant Admin apps (consent + role assignment).
|
||||
- Exchange Administrator role was NOT assigned to Security Investigator at time of initial breach check — assigned manually during remediation. SMTP forwarding check was therefore incomplete during the breach check phase.
|
||||
- Two high-severity findings: Alexis's hidden inbox rule and duplicate Authenticator.
|
||||
- One unresolved finding: Ken's "Admin" rule — awaiting his response.
|
||||
- Seven OAuth grants deleted from the AllPrincipals consent (c5df10ae) — very broad scopes including Directory.ReadWrite.All.
|
||||
|
||||
## Anti-Patterns / Warnings
|
||||
|
||||
- [WARNING] Ken's inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) is unresolved. If Ken cannot explain it, treat as active compromise: password reset, session revocation, rule deletion, check financial accounts immediately.
|
||||
- [WARNING] SMTP forwarding check was NOT completed — Exchange Admin role was missing on Security Investigator during initial sweep. Re-run SMTP forwarding check on all mailboxes.
|
||||
- [WARNING] Kittle has NO Entra P1/P2 — sign-in log queries and Identity Protection risky user signals are unavailable. Rely on Exchange audit logs and consent audits only.
|
||||
- Do not use the AllPrincipals consent app ID c5df10ae for anything — it was a malicious/overbroad app and all its grants have been revoked.
|
||||
|
||||
## Backlinks
|
||||
|
||||
- *(no related wiki articles yet)*
|
||||
> **This article is superseded. The canonical Kittle record is now [[clients/kittle]] (`wiki/clients/kittle.md`).**
|
||||
>
|
||||
> Consolidated 2026-06-09. `kittle-design` and `kittle` were two articles for the same client
|
||||
> (Kittle Design & Construction LLC, M365 `kittlearizona.com`, Syncro `32460233`). All content —
|
||||
> the April 2026 breach history and the June 2026 BEC/ACH-fraud incident — now lives in the
|
||||
> single canonical article. Update **[clients/kittle.md](kittle.md)** going forward; do not edit this stub.
|
||||
|
||||
Reference in New Issue
Block a user