azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from GURU-BEAST-ROG at 2026-06-08 16:23:44

Browse Source 
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-08 16:23:44
This commit is contained in:
Mike Swanson
2026-06-08 16:23:48 -07:00
parent 7f7f844eba
commit 31260814ee
1 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
clients/kittle/session-logs/2026-06/2026-06-08-mike-bec-incident-remediation.md
View File

@@ -220,3 +220,42 @@ Wrex Wrex@kittlearizona.com (sessions revoked, password reset)
- **EWS endpoint:** `https://outlook.office365.com/EWS/Exchange.asmx` - **EWS endpoint:** `https://outlook.office365.com/EWS/Exchange.asmx`
- **Graph directoryAudits:** confirmed working with Security Investigator token (no P1 needed for this endpoint) - **Graph directoryAudits:** confirmed working with Security Investigator token (no P1 needed for this endpoint)
- **Graph signIns:** blocked — requires Entra P1 (`Authentication_RequestFromNonPremiumTenantOrB2CTenant`) - **Graph signIns:** blocked — requires Entra P1 (`Authentication_RequestFromNonPremiumTenantOrB2CTenant`)
---
## Update: 16:23 PT — Post-save follow-up actions
### Additional actions completed after initial save
**Alignable OAuth on Alexis — revoked:**
At Mike's direction, revoked the Alignable OAuth grant on alexis@kittlearizona.com.
- Grant ID: `jB3LklISEEOHpW2kH5IbQLz8wKqAnj1KmLeBzb1HLJrh6qF03cBERamPOhj4CXha`
- App SP client ID: `92cb1d8c-1252-4310-87a5-6da41f921b40`
- Scopes: `offline_access User.Read Contacts.Read`
- HTTP 204 [OK]
**Lori Schagel — downscoped to User Administrator:**
All 10 pre-existing admin roles had been stripped during containment. Re-assigned User Administrator only (confirmed pre-existing GA was unnecessary exposure, not attacker-planted).
- Lori user ID: `5817629b-5832-43c6-b74c-86a05c29c852`
- User Administrator role object ID: `1321d5cd-17bb-40de-891b-1e85667e1c5a`
- roleTemplateId: `fe930be7-5e62-47db-91af-98c3a49a38b1`
- HTTP 204 [OK]
**Lori role assignment timing — confirmed pre-existing:**
directoryAudits query (last 30 days, all RoleManagement events) returned only ACG-initiated removals. Zero "Add member to role" events from any other initiator in the 30-day window. Lori's GA was assigned more than 30 days before the incident — pre-existing, not attacker-planted. Breach report updated to reflect this finding.
**Victim notification confirmed sent:**
Mike asked explicitly — confirmed 740 emails sent via EWS SOAP from admin@kittlearizona.com in 3 batches. All NoError. 747 delivered by phishing campaign; 7 automated addresses filtered (vzwpix, att.net MMS, Microsoft internal, streaming service) before notification send.
**All consent links accepted by Mike** — confirmed all 5 MSP apps (Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on) have admin consent in Kittle tenant.
**Thread deletion failed:** Bot received HTTP 403 Missing Permissions attempting to delete Discord thread 1513652236444504197. Thread remains open.
### Breach report updates
`clients/kittle/reports/2026-06-08-breach-check.md` updated with:
- Lori role assignment confirmed pre-existing (not attacker-planted)
- Alignable OAuth revocation added to remediation table
- Lori User Administrator re-assignment added to remediation table
- Open items updated to reflect resolved items (Ken MFA clean, Lori role timing resolved)
- New open item: Lori GA access review (recommend discussing with Ken whether she needs any admin role)