diff --git a/clients/cryoweave/reports/2026-07-08-breach-check.md b/clients/cryoweave/reports/2026-07-08-breach-check.md new file mode 100644 index 00000000..783e3ae5 --- /dev/null +++ b/clients/cryoweave/reports/2026-07-08-breach-check.md @@ -0,0 +1,67 @@ +# CryoWeave — M365 Compromise Check + +- **Date (UTC):** 2026-07-08 +- **Tenant:** cryoweave.com / `44705a37-b5d8-4bb1-882d-e18775612ada` +- **Analyst:** Mike Swanson (GURU-5070), ComputerGuru remediation suite +- **Scope:** All 3 enabled accounts. Read-only investigation. + +## Verdict: NOT COMPROMISED — active targeted password-spray in progress, all attempts failing + +`greg@cryoweave.com` is under an **active, distributed, targeted credential-stuffing / password-spray attack**, but the tenant's controls are holding: **every** foreign/tooling sign-in attempt is failing, and **every** successful authentication traces to Greg's own two US IPs via legitimate clients. No account takeover. No malicious persistence. + +## Accounts reviewed + +| Account | Role | Finding | +|---|---|---| +| `greg@cryoweave.com` | Owner (Greg Schickling) | Under active attack, **not breached** — see below | +| `admin@cryoweave.onmicrosoft.com` | Default admin | Clean — 0 sign-ins/rules/grants in 30d | +| `sysadmin@cryoweave.com` | ACG management (ours) | Expected — created 2026-06-15, clean | + +## The attack (greg@cryoweave.com) + +Distributed failed sign-ins across many countries in a tight window, all against Greg's account: + +| Time (UTC) | Result | IP | Geo | Client | +|---|---|---|---|---| +| 07-03 20:54 | 50126 bad-password | 2605:6400:... | US/Las Vegas | Azure CLI | +| 07-08 01:12–01:13 (6x, ~21s) | 50053 locked | 216.26.237.44 / .251.189 / 45.3.41.51 / 65.111.27.198 / 65.111.21.228 | US-Atlanta, CA-Toronto x2, DE x2 | Azure CLI | +| 07-08 06:46 | 50053 locked | 194.5.52.22 | US/LA | AAD PowerShell | +| 07-08 (non-interactive) | 50053 locked | 149.19.29.218 / 89.10.221.226 / 2a09:bac5:... / 38.22.88.23 | NZ, NO, **RU**, CA | "Microsoft Online Services" | + +- **Error 50126** = invalid credentials; **50053** = account locked by smart lockout (too many bad attempts). Attacker does **not** have the password. +- Client apps abused: **Azure CLI**, **AAD PowerShell**, **Microsoft Online Services** — first-party IDs commonly used by spray tooling (pre-consented, scriptable). +- Targeting is account-specific (Greg's UPN hammered globally), i.e. his address + likely an old password sit on a credential-stuffing list. + +## Did any attempt pass the password and get denied at MFA? — NO + +Checked every sign-in's per-step `authenticationStepResultDetail` and the full error-code set across interactive + non-interactive logs (30d): + +- Every attacker attempt resolved to **"Incorrect password"** / "Invalid username or password" at the **password step**. None reached the MFA step. +- Error codes on attack traffic: **only** `50126` (bad password) and `50053` (lockout caused by bad passwords). +- **Zero** MFA-stage codes (`50074`/`50076`/`500121`/`50079`) — i.e. no "password correct → MFA denied" event anywhere. +- 968 successful (err=0) authentications in 30d, **all** from Greg's own IPs (`68.0.180.209` workstation + `2600:1011:*` Verizon mobile). **No** successful auth from any attacker IP. + +**Conclusion:** the password itself is holding — MFA was never even tested by the attacker. Greg's credential is not currently valid to the attacker (as opposed to "compromised but MFA-blocked"). + +Spray scale (context): sustained 2026-07-03 → 07-08 from ~20 countries (JP, HR, ES, HK, ZA, TW, RO, FI, SG, IE, GB, NL, SE, NO, RU, CA, NZ, US, …) via "Microsoft Online Services". + +## Why this is NOT a compromise + +- **0 successful sign-ins** from any non-Greg IP. All err=0 events originate from Greg's own IPs: `68.0.180.209` (US workstation) and `2600:1011:b077:...` (US Verizon mobile), via legit apps (Outlook, Windows/Office services, Gmail mobile app). +- **Security Defaults = ENABLED** → MFA enforced tenant-wide + legacy auth blocked. A correct password guess still hits an MFA challenge to Greg's phone (`+1 520…`, Tucson AZ — consistent). +- **Inbox rules (3): benign** — all sort *Alignable* (small-business networking) mail into folders. No forward/delete/external-redirect, no hidden rules. +- **OAuth grants (1): benign** — "Gmail" app (`EAS.AccessAsUser.All` + `offline_access`), consented 2022-10-15, only ever used from Greg's US IPs = Greg's own phone Gmail app pulling his mailbox. +- **No** malicious forwarding, mailbox delegates, SendAs, or app-role grants. + +## Recommendations + +1. **Reset Greg's password** (precautionary, recommended) — his account is being sprayed globally, so his credential is likely on a breach/stuffing list. Rotate to a strong unique password. +2. **Revoke sessions** after the reset (`invalidateAllRefreshTokens`) — standard hygiene; low risk (only legit tokens observed). +3. **Confirm the MFA phone** `+1 520…` is Greg's and under his control. +4. Security Defaults is already on — the correct baseline for a no-premium tenant. No CA change required. (Optional future: Entra ID P1 for named-location/geo-block Conditional Access if spray volume persists.) +5. No action needed on the failing spray traffic itself — smart lockout + MFA are handling it. + +## Coverage limitations + +- Tenant has **no Entra ID Premium (P1/P2)** — tenant-wide sign-in logs and Identity Protection (risky users) are unavailable; per-user interactive + non-interactive sign-in logs (used above) remain accessible. +- `AuditLog.Read.All` (userRegistrationDetails) and SharePoint (`Sites.Read.All`) scopes not held by the suite in this tenant — not required for this assessment. diff --git a/errorlog.md b/errorlog.md index f2286b59..5084fcf6 100644 --- a/errorlog.md +++ b/errorlog.md @@ -29,6 +29,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · 2026-07-08 | Howard-Home | screenconnect/syncro | [correction] hand-rolled raw curl against ScreenConnect + Syncro APIs to look up machines/billing instead of using the /screenconnect (sc.py), /syncro, and /rmm-search skills [ctx: ref=CLAUDE.md skill-first] +2026-07-08 | GURU-5070 | remediation-tool | onboard-tenant: failed to acquire Tenant Admin token [ctx: tenant=44705a37-b5d8-4bb1-882d-e18775612ada exit=3] + 2026-07-08 | Howard-Home | screenconnect/rmm-enroll | GuruRMM install one-liner failed on 4PAWS-DOC: Get-CimInstance Win32_Processor -> 'No more threads can be created in the system' HRESULT 0x800700a4 (ERROR_MAX_THRDS_REACHED, thread/handle exhaustion). Command delivery was fine; box is in degraded state. Fix: reboot the target, then re-run enroll. [ctx: host=4PAWS-DOC client=FourPaws line=30-Win32_Processor] 2026-07-08 | Howard-Home | rmm/ps-encoded.sh | [friction] iconv not found on HOWARD-HOME Git-Bash -> ps-encoded.sh fails 'encoding produced nothing'; fell back to jq --rawfile direct dispatch [ctx: ref=ps-encoded.sh]