diff --git a/clients/jimmy/onboarding-baselines/BLASTER2-20260619T191759.json b/clients/jimmy/onboarding-baselines/BLASTER2-20260619T191759.json
new file mode 100644
index 00000000..5f9588dc
--- /dev/null
+++ b/clients/jimmy/onboarding-baselines/BLASTER2-20260619T191759.json
@@ -0,0 +1,945 @@ +{ + "host": "BLASTER2", + "collected_at_utc": "2026-06-19T19:17:04Z", + "os": { + "caption": "Microsoft Windows 10 Pro", + "version": "10.0.19045", + "build": "19045", + "install_date": "2023-07-20T18:05:54Z", + "last_boot_utc": "2026-06-19T15:48:34Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2025-10-14", + "release": "Win10 22H2" + }, + "pending_updates": 5, + "pending_reboot": true, + "uptime_days": 0.1, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "0967B5U", + "manufacturer": "LENOVO", + "bios_date": "2013-07-15", + "cpu_logical": 4, + "bios_version": "F1KT54AUS", + "cpu_cores": 4, + "ram_gb": 3.8, + "serial": "MGN1197", + "cpu": "Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz" + }, + "third_party_av_active": false, + "os_build": "19045", + "secure_boot": null, + "backup_agents": [ + { + "label": "Acronis", + "service": "AcrSch2Svc", + "state": "Running" + }, + { + "label": "Acronis", + "service": "afcdpsrv", + "state": "Running" + }, + { + "label": "Acronis", + "service": "syncagentsrv", + "state": "Running" + } + ], + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "RTHDVCPL", + "value": "C:\\Program Files\\Realtek\\Audio\\HDA\\RAVCpl64.exe -s" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Fastboot", + "value": "C:\\Program Files (x86)\\Lenovo\\RapidBoot HDD Accelerator\\FBConsole.exe" + } + ], + "local_users": [ + { + "last_logon": "2013-10-17", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + 
"password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "HomeGroupUser$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-19", + "name": "Jimmy", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-18", + "name": "localadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-05-27", + "name": "scans", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": false, + "enabled": false + } + ], + "scheduled_tasks_count": 10, + "volumes": [ + { + "drive": "C:", + "size_gb": 230, + "free_pct": 31.2, + "free_gb": 71.9 + }, + { + "drive": "E:", + "size_gb": 7451.9, + "free_pct": 0, + "free_gb": 0.7 + }, + { + "drive": "Q:", + "size_gb": 2.3, + "free_pct": 96, + "free_gb": 2.2 + } + ], + "network_adapters": [ + { + "dhcp": true, + "description": "Realtek PCIe GbE Family Controller", + "gateway": [ + "192.168.0.1" + ], + "mac": "D4:3D:7E:CE:57:29", + "ip": [ + "192.168.0.95", + "fe80::c6a9:daea:630b:2011" + ], + "dns": [ + "8.8.8.8", + "8.8.4.4" + ] + } + ], + "failed_autostart_services": [ + { + "name": "GoogleUpdaterInternalService150.0.7863.0", + "display": "Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)", + "state": "Stopped" + }, + { + "name": "GoogleUpdaterService150.0.7863.0", + "display": "Google Updater Service (GoogleUpdaterService150.0.7863.0)", + "state": "Stopped" + }, + { + "name": "gpsvc", + "display": "Group Policy Client", + "state": "Stopped" + }, + { + "name": "KaseyaConnectAPIService", + "display": "Kaseya Connect API Service", + "state": "Stopped" + }, + { + "name": "RasMan", + "display": "Remote Access Connection Manager", + "state": "Stopped" + }, + { + "name": "stisvc", + "display": "Windows Image 
Acquisition (WIA)", + "state": "Stopped" + }, + { + "name": "WMPNetworkSvc", + "display": "Windows Media Player Network Sharing Service", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 2, + "disk_errors": 0, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": true, + "uac_enabled": true, + "rdp_nla": false + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Adobe", + "name": "Adobe Acrobat (64-bit)", + "version": "24.002.20895" + }, + { + "publisher": "HARMAN International", + "name": "Adobe AIR", + "version": "33.1.1.821" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Refresh Manager", + "version": "1.8.0" + }, + { + "publisher": "Adobe Systems, Inc.", + "name": "Adobe Shockwave Player 12.1", + "version": "12.1.3.153" + }, + { + "publisher": "Research In Motion Ltd.", + "name": "BlackBerry Desktop Software 7.1", + "version": "7.1.0.41" + }, + { + "publisher": "Research In Motion Ltd.", + "name": "BlackBerry Device Software v6.0.0 for the BlackBerry 9650 smartphone", + "version": "6.0.0.719 (Platform 4.4.0.560)" + }, + { + "publisher": "FranklinCovey", + "name": "FormsWizard", + "version": "4.0.50" + }, + { + "publisher": "Google LLC", + "name": "Google Chrome", + "version": "149.0.7827.115" + }, + { + "publisher": "Google Inc.", + "name": "Google Toolbar for Internet Explorer", + "version": "1.0.0" + }, + { + "publisher": "Google Inc.", + "name": "Google Update Helper", + "version": "1.3.25.11" + }, + { + "publisher": "Intel", + "name": "Intel AppUp(R) center", + "version": "3.8.0.41900.72" + }, + { + "publisher": "Intel Corporation", + "name": "Intel(R) Control Center", + "version": "1.2.1.1007" + }, + { + "publisher": "Intel Corporation", + "name": "Intel(R) Management Engine Components", + "version": "8.0.0.1351" + }, + { + "publisher": "Intel Corporation", + "name": "Intel(R) OpenCL CPU Runtime", + "version": "" + }, 
+ { + "publisher": "Intel Corporation", + "name": "Intel(R) Processor Graphics", + "version": "9.17.10.2932" + }, + { + "publisher": "Intel Corporation", + "name": "Intel? Trusted Connect Service Client", + "version": "1.23.216.0" + }, + { + "publisher": "Oracle", + "name": "Java 7 Update 65 (64-bit)", + "version": "7.0.650" + }, + { + "publisher": "Oracle", + "name": "Java 7 Update 67", + "version": "7.0.670" + }, + { + "publisher": "Oracle, Inc.", + "name": "Java Auto Updater", + "version": "2.1.67.1" + }, + { + "publisher": "KYOCERA Document Solutions Inc.", + "name": "Kyocera Product Library", + "version": "5.0.2608" + }, + { + "publisher": "KYOCERA Document Solutions Inc.", + "name": "KYOCERA Status Monitor 5", + "version": "5.0.52.4" + }, + { + "publisher": "KYOCERA Document Solutions Inc.", + "name": "Kyocera TWAIN Driver", + "version": "2.0.6513" + }, + { + "publisher": "Lenovo Group Limited", + "name": "Lenovo Patch Utility 64 bit", + "version": "1.3.0.9" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Framework 4.8", + "version": "4.8.03761" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "149.0.4022.69" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "149.0.4022.69" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Office Home and Business 2013 - en-us", + "version": "15.0.5603.1000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Silverlight", + "version": "5.1.50918.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2012 Express LocalDB ", + "version": "11.3.6020.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2012 Management Objects (x64)", + "version": "11.1.3000.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft System CLR Types for SQL Server 2012 (x64)", + "version": "11.1.3000.0" + }, + { + 
"publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "3.74.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.56336" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.59193" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.61001" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.56336" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.59192" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.61000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148", + "version": "9.0.30729.4148" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148", + "version": "9.0.30729.4148" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft 
Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35112", + "version": "14.44.35112.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35112", + "version": "14.44.35112" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35112", + "version": "14.44.35112" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)", + "version": "10.0.50903" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)", + "version": "10.0.50908" + }, + { + "publisher": "Microsoft Corporation", + "name": "MSXML 4.0 SP2 (KB954430)", + "version": "4.20.9870.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "MSXML 4.0 SP2 (KB973688)", + "version": "4.20.9876.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "MSXML 4.0 SP2 Parser and SDK", + "version": "4.20.9818.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 15 Click-to-Run Extensibility Component", + "version": "15.0.5603.1000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 15 Click-to-Run Licensing Component", + "version": "15.0.5603.1000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 15 Click-to-Run Localization Component", + "version": "15.0.5603.1000" + }, + { + "publisher": "Arizona Computer Guru", + "name": "Online Backup 
8.6", + "version": "8.6" + }, + { + "publisher": "Oracle Corporation", + "name": "Oracle VM VirtualBox 6.1.34", + "version": "6.1.34" + }, + { + "publisher": "Newsoft Technology Corporation", + "name": "Presto! PageManager 9.06 Standard", + "version": "9.06.00" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks", + "version": "22.0.4016.2206" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Premier: Accountant Edition 2012", + "version": "22.0.4016.2206" + }, + { + "publisher": "Lenovo", + "name": "RapidBoot HDD Accelerator", + "version": "1.00.0802" + }, + { + "publisher": "Realtek", + "name": "Realtek Ethernet Controller All-In-One Windows Driver", + "version": "1.12.0016" + }, + { + "publisher": "Realtek Semiconductor Corp.", + "name": "Realtek High Definition Audio Driver", + "version": "6.0.1.6602" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.3.11.9650" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.4.0" + }, + { + "publisher": "Adobe Systems, Inc", + "name": "swMSM", + "version": "12.0.0.1" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "Acronis", + "name": "True Image 2013", + "version": "16.0.6514" + }, + { + "publisher": "Acronis", + "name": "True Image 2013 Plus Pack", + "version": "16.0.6514" + }, + { + "publisher": "Tweaking.com", + "name": "Tweaking.com - Windows Repair", + "version": "4.14.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for Windows 10 for x64-based Systems (KB5001716)", + "version": "8.94.0.0" + }, + { + "publisher": "VideoLAN", + "name": "VLC media player", + "version": "3.0.18" + }, + { + "publisher": "VideoLAN", + "name": "VLC media player", + "version": "3.0.23" + }, + { + "publisher": "Intel Corporation", + "name": "Windows Driver Package - Intel Corporation (igfx) Display (03/19/2012 8.15.10.2696)", + 
"version": "03/19/2012 8.15.10.2696" + }, + { + "publisher": "Intel", + "name": "Windows Driver Package - Intel hdc (09/10/2010 9.2.0.1011)", + "version": "09/10/2010 9.2.0.1011" + }, + { + "publisher": "Intel", + "name": "Windows Driver Package - Intel System (08/26/2011 9.3.0.1011)", + "version": "08/26/2011 9.3.0.1011" + }, + { + "publisher": "Intel", + "name": "Windows Driver Package - Intel System (09/10/2010 9.2.0.1011)", + "version": "09/10/2010 9.2.0.1011" + }, + { + "publisher": "Intel", + "name": "Windows Driver Package - Intel System (11/20/2010 9.2.0.1016)", + "version": "11/20/2010 9.2.0.1016" + }, + { + "publisher": "Intel", + "name": "Windows Driver Package - Intel USB (12/21/2010 9.2.0.1021)", + "version": "12/21/2010 9.2.0.1021" + }, + { + "publisher": "Realtek", + "name": "Windows Driver Package - Realtek (RTL8167) Net (11/23/2011 7.050.1123.2011)", + "version": "11/23/2011 7.050.1123.2011" + }, + { + "publisher": "Realtek Semiconductor Corp.", + "name": "Windows Driver Package - Realtek Semiconductor Corp. 
HD Audio Driver (03/27/2012 6.0.1.6602)", + "version": "03/27/2012 6.0.1.6602" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows XP Mode", + "version": "1.3.7600.16423" + } + ], + "tpm": { + "enabled": false, + "ready": false, + "present": false + }, + "local_groups": [ + "HomeUsers", + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Distributed COM Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "Users" + ], + "battery": { + "present": false + }, + "activation": { + "edition": "Microsoft Windows 10 Pro", + "description": "Windows(R) Operating System, RETAIL channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "time.windows.com,0x9", + "chassis_types": [ + 3 + ], + "last_hotfix": { + "hotfix_id": "KB5037768", + "installed_on": "2024-05-16T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "CreateExplorerShellUnelevatedTask", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-2324952135-2376640506-3994532062-1007", + "state": "Ready" + }, + { + "path": "\\", + "name": "Shutdown", + "state": "Ready" + }, + { + "path": "\\GoogleSystem\\GoogleUpdater\\", + "name": "GoogleUpdaterTaskSystem150.0.7863.0{3D96EE47-16CF-4988-B177-30FBA8EE384C}", + "state": "Ready" + }, + { + "path": "\\GoogleUserPEH\\", + "name": "RunPlatformExperienceHelper_Daily", + "state": "Ready" + }, + { + "path": "\\GoogleUserPEH\\", + "name": "RunPlatformExperienceHelper_Metrics", + "state": "Ready" 
+ }, + { + "path": "\\Intel\\", + "name": "Intel Service Manager", + "state": "Ready" + }, + { + "path": "\\WPD\\", + "name": "SqmUpload_S-1-5-21-2324952135-2376640506-3994532062-1000", + "state": "Ready" + } + ], + "antivirus_products": [ + "Windows Defender" + ], + "domain_joined": false, + "defender": { + "antispyware_signature_age": 0, + "tamper_protected": true, + "real_time_protection": true, + "nis_enabled": true, + "available": true, + "antivirus_enabled": true, + "am_service_enabled": true + }, + "bitlocker": { + "available": false, + "os_volume": "C:" + }, + "is_laptop": false, + "installed_software_count": 86, + "local_administrators": [ + "Blaster2\\Administrator", + "Blaster2\\Jimmy", + "Blaster2\\localadmin" + ], + "domain": "WORKGROUP", + "foreign_agents": "Kaseya" + }, + "findings": [ + { + "id": "sec.defender.ok", + "category": "security", + "severity": "info", + "title": "Defender active and current", + "detail": "Real-time protection on, service running, signatures current.", + "evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True" + }, + { + "id": "sec.av_products.defender_only", + "category": "security", + "severity": "info", + "title": "Defender is the only registered AV", + "detail": "Only Microsoft/Windows Defender is registered in Security Center.", + "evidence": "Windows Defender" + }, + { + "id": "sec.foreign_agents.kaseya", + "category": "security", + "severity": "critical", + "title": "Foreign management/remote-access agent: Kaseya", + "detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). 
Verify it is authorized; if not, remove it.", + "evidence": "service: KaseyaConnectAPIService (Kaseya Connect API Service) Stopped" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Streamer 3.8.4.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.error", + "category": "security", + "severity": "unknown", + "title": "Check failed: Windows Firewall profiles", + "detail": "The probe could not complete this check. Manual review recommended.", + "evidence": "Invalid class " + }, + { + "id": "sec.bitlocker.unavailable", + "category": "security", + "severity": "unknown", + "title": "BitLocker status unavailable", + "detail": "Get-BitLockerVolume failed for the OS volume. 
BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).", + "evidence": "MountPoint=C:, Get-BitLockerVolume returned null" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (3)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "Blaster2\\Administrator\nBlaster2\\Jimmy\nBlaster2\\localadmin" + }, + { + "id": "sec.patch.os_eol", + "category": "security", + "severity": "critical", + "title": "OS build is end-of-life: Win10 22H2", + "detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.", + "evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "5 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 5" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5037768", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5037768 installed 2024-05-16T07:00:00Z" + }, + { + "id": "sec.exposure.rdp_no_nla", + "category": "security", + "severity": "critical", + "title": "RDP enabled WITHOUT Network Level Authentication", + "detail": "RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. 
Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP.", + "evidence": "fDenyTSConnections=0; UserAuthentication=0" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.disk_smart.unavailable", + "category": "health", + "severity": "unknown", + "title": "Physical disk health unavailable", + "detail": "Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools.", + "evidence": "Get-PhysicalDisk returned null" + }, + { + "id": "health.stability.some", + "category": "health", + "severity": "warning", + "title": "Stability events present in the last 14 days", + "detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.", + "evidence": "Unexpected shutdowns (id 41)=2; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" + }, + { + "id": "health.reboot_uptime.pending", + "category": "health", + "severity": "warning", + "title": "Reboot pending", + "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.", + "evidence": "PendingFileRenameOperations" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "7 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. 
Some may be benign; review for security agents, backup agents, or AV that should be running.",
+ "evidence": "GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped\nGoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped\ngpsvc (Group Policy Client) = Stopped\nKaseyaConnectAPIService (Kaseya Connect API Service) = Stopped\nRasMan (Remote Access Connection Manager) = Stopped\nstisvc (Windows Image Acquisition (WIA)) = Stopped\nWMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped"
+ },
+ {
+ "id": "health.domain.workgroup",
+ "category": "health",
+ "severity": "info",
+ "title": "Not domain-joined (workgroup)",
+ "detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
+ "evidence": "PartOfDomain=False; Domain=WORKGROUP"
+ },
+ {
+ "id": "health.time.source",
+ "category": "health",
+ "severity": "info",
+ "title": "Time service source",
+ "detail": "Current Windows Time service source.",
+ "evidence": "Source=time.windows.com,0x9"
+ },
+ {
+ "id": "health.backup.present",
+ "category": "health",
+ "severity": "info",
+ "title": "Backup agent installed and running",
+ "detail": "A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).",
+ "evidence": "Acronis: AcrSch2Svc = Running\nAcronis: afcdpsrv = Running\nAcronis: syncagentsrv = Running"
+ }
+ ]
+}
diff --git a/clients/jimmy/onboarding-baselines/BLASTER2-20260619T191759.md b/clients/jimmy/onboarding-baselines/BLASTER2-20260619T191759.md
new file mode 100644
index 00000000..afb924df
--- /dev/null
+++ b/clients/jimmy/onboarding-baselines/BLASTER2-20260619T191759.md
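Review bot: Two product names in this snapshot carry a `?` where a non-ASCII character was lost — `Intel? Trusted Connect Service Client` in `installed_software` and `Splashtop? Remote Service` in the Splashtop finding's evidence — which suggests the collector passes registry display names through a non-UTF-8 code page before serializing; any name containing `®`/`™` will be mangled the same way and will no longer match exactly when the next baseline is diffed, so the generator should write UTF-8 (or `\u00ae`-style escapes) instead of substituting. `facts.foreign_agents` is a bare string (`"foreign_agents": "Kaseya"`) while its siblings `acg_managed_tools` and `backup_agents` are arrays, so a host with two foreign agents would either change the field's type or drop one; `"foreign_agents": ["Kaseya"]` keeps the shape stable for the prior-baseline diff. The firewall probe failed (`sec.firewall.error`, evidence `Invalid class `) and `facts.exposure` has no firewall key at all, so a consumer reading `exposure` alone sees no sign that host-firewall state is unknown on a machine that also reports `rdp_nla: false`; recording an explicit `"firewall": null` in `exposure` would surface the gap in the facts rather than only in the findings list. All three are changes to the collector that produced this file, not edits to the committed snapshot.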
@@ -0,0 +1,275 @@ +# Onboarding Diagnostic Baseline - BLASTER2 + +- **Grade:** RED +- **Host:** BLASTER2 +- **Client:** Jimmy Company (`jimmy`) +- **Collected (UTC):** 2026-06-19T19:17:04Z +- **Agent ID:** abddc0ce-a226-48f1-b913-263a81013389 +- **Command ID:** 3c5d39d3-b653-4c6f-b8e4-1146c1a59be9 +- **Findings:** 3 critical / 4 warning / 12 info / 3 unknown + +- **OS:** Microsoft Windows 10 Pro (build 19045) + +--- + +## CRITICAL (3) + +### Foreign management/remote-access agent: Kaseya +- **Category:** security +- **ID:** `sec.foreign_agents.kaseya` +- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it. + +``` +service: KaseyaConnectAPIService (Kaseya Connect API Service) Stopped +``` + +### OS build is end-of-life: Win10 22H2 +- **Category:** security +- **ID:** `sec.patch.os_eol` +- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade. + +``` +Microsoft Windows 10 Pro build 19045; EOL 2025-10-14 +``` + +### RDP enabled WITHOUT Network Level Authentication +- **Category:** security +- **ID:** `sec.exposure.rdp_no_nla` +- RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP. + +``` +fDenyTSConnections=0; UserAuthentication=0 +``` + + +## WARNING (4) + +### 5 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. 
+ +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 5 +``` + +### Stability events present in the last 14 days +- **Category:** health +- **ID:** `health.stability.some` +- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports. + +``` +Unexpected shutdowns (id 41)=2; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0 +``` + +### Reboot pending +- **Category:** health +- **ID:** `health.reboot_uptime.pending` +- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart. + +``` +PendingFileRenameOperations +``` + +### 7 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. + +``` +GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped +GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped +gpsvc (Group Policy Client) = Stopped +KaseyaConnectAPIService (Kaseya Connect API Service) = Stopped +RasMan (Remote Access Connection Manager) = Stopped +stisvc (Windows Image Acquisition (WIA)) = Stopped +WMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped +``` + + +## INFO (12) + +### Defender active and current +- **Category:** security +- **ID:** `sec.defender.ok` +- Real-time protection on, service running, signatures current. + +``` +RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True +``` + +### Defender is the only registered AV +- **Category:** security +- **ID:** `sec.av_products.defender_only` +- Only Microsoft/Windows Defender is registered in Security Center. 
+ +``` +Windows Defender +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Splashtop Streamer 3.8.4.0 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### Local administrators (3) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). + +``` +Blaster2\Administrator +Blaster2\Jimmy +Blaster2\localadmin +``` + +### Last hotfix: KB5037768 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5037768 installed 2024-05-16T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. 
+ +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### Not domain-joined (workgroup) +- **Category:** health +- **ID:** `health.domain.workgroup` +- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies. + +``` +PartOfDomain=False; Domain=WORKGROUP +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=time.windows.com,0x9 +``` + +### Backup agent installed and running +- **Category:** health +- **ID:** `health.backup.present` +- A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup). + +``` +Acronis: AcrSch2Svc = Running +Acronis: afcdpsrv = Running +Acronis: syncagentsrv = Running +``` + + +## UNKNOWN (3) + +### Check failed: Windows Firewall profiles +- **Category:** security +- **ID:** `sec.firewall.error` +- The probe could not complete this check. Manual review recommended. + +``` +Invalid class +``` + +### BitLocker status unavailable +- **Category:** security +- **ID:** `sec.bitlocker.unavailable` +- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status). + +``` +MountPoint=C:, Get-BitLockerVolume returned null +``` + +### Physical disk health unavailable +- **Category:** health +- **ID:** `health.disk_smart.unavailable` +- Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools. 
+ +``` +Get-PhysicalDisk returned null +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** LENOVO / 0967B5U +- **Serial:** MGN1197 +- **CPU:** Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz (4 cores / 4 logical) +- **RAM (GB):** 3.8 +- **BIOS:** F1KT54AUS (2013-07-15) +- **Chassis is laptop:** false +- **TPM present / Secure Boot:** ? / ? +- **Domain joined:** false (WORKGROUP) +- **OS activation licensed:** true +- **Uptime (days):** 0.1 +- **Pending reboot:** true +- **Installed software count:** 86 +- **Scheduled tasks (non-MS, enabled):** 10 +- **Local administrators:** Blaster2\Administrator, Blaster2\Jimmy, Blaster2\localadmin + +### Fixed volumes + +- C: - 71.9 GB free of 230 GB (31.2%) +- E: - 0.7 GB free of 7451.9 GB (0%) +- Q: - 2.2 GB free of 2.3 GB (96%) + +### Network adapters + +- Realtek PCIe GbE Family Controller - IP: 192.168.0.95, fe80::c6a9:daea:630b:2011 - DNS: 8.8.8.8, 8.8.4.4 - DHCP: true + +--- + +## Diff vs Prior Baseline + +- No prior baseline found for this host. This is the first baseline. + +--- + +_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `BLASTER2-20260619T191759.json` (immutable)._