sync: auto-sync from GURU-5070 at 2026-07-09 15:56:52
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-07-09 15:56:52
This commit is contained in:
@@ -0,0 +1,85 @@
|
||||
## User
|
||||
- **User:** Mike Swanson (mike)
|
||||
- **Machine:** GURU-5070
|
||||
- **Role:** admin
|
||||
|
||||
## Session Summary
|
||||
|
||||
Handled three unrelated pieces of work plus a doc lookup. First, ran a compromise check on the M365 tenant cryoweave.com. The tenant was not yet onboarded to the ComputerGuru remediation app suite (consent audit graded RED — all tiers failed to mint tokens), so onboarded it via the single-consent `/onboard365` flow: sent the Tenant Admin consent link to Mike's Discord, and after acceptance provisioned the full suite (Security Investigator, Exchange Operator, User Manager) with all Entra directory roles. Defender was skipped cleanly (tenant is not MDE-licensed). Post-onboard consent audit graded AMBER, with the only gaps being SharePoint scopes not needed for a breach sweep.
|
||||
|
||||
The sweep found cryoweave's owner account `greg@cryoweave.com` under an active, targeted, distributed password-spray, but NOT compromised. The tenant has no Entra ID Premium, so tenant-wide sign-in logs and Identity Protection are unavailable; the investigation used per-user interactive + non-interactive sign-in logs instead. Every attack attempt failed at the password step ("Incorrect password" / error 50126 and 50053 lockout) — zero MFA-stage failures (no 50074/50076/500121), meaning the attacker never obtained a valid password. All 968 successful auths in 30 days came from Greg's own two US IPs (68.0.180.209 workstation, 2600:1011:* Verizon mobile) via legitimate apps. Inbox rules were benign (Alignable sorting), the one OAuth grant was Greg's own Gmail mobile app since 2022, and Security Defaults (MFA) is enabled tenant-wide. Verified Greg's MFA phone matches Mike's provided number (+1 5208080149). A breach report was written to `clients/cryoweave/reports/2026-07-08-breach-check.md`. Mike declined a password reset (Greg will self-reset).
|
||||
|
||||
Second, logged a Four Paws onsite in Syncro via `/syncro`: 1 hour warranty (Brother software install on the rebuilt server), a follow-up to the earlier server-rebuild ticket #32447. Created new linked warranty ticket #32524, added a $0 warranty labor line (product 1049360, Exempt Labor), posted description + resolution comments (email-suppressed), created a $0 invoice, marked Invoiced, and posted a bot alert.
|
||||
|
||||
Third, vaulted an OITVOIP provisioning admin credential (username Prov_Admin) via the `vault` skill as a new entry `msp-tools/oitvoip-provisioning.sops.yaml`, kept separate from the existing reseller API key entry `msp-tools/oitvoip.sops.yaml`. Finally, read the NetSapiens `GET /ns-api/v2/version` API reference doc for the ongoing VoIP provisioning work.
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- **Full onboarding over investigator-only for cryoweave** — Mike chose the complete `/onboard365` suite provisioning rather than just the read-only investigator consent, since cryoweave is a managed tenant that will need remediation tiers available later.
|
||||
- **Proceeded with the sweep at AMBER consent** — the only post-onboard gaps were SharePoint scopes (`Sites.Read.All`, cert-based `Sites.FullControl.All`), which a compromise sweep does not require; core Graph read + Exchange read + risky-user paths were all present.
|
||||
- **Pivoted the sweep to per-user logs** — tenant-wide sign-in / risky-user queries 403'd on "not premium"; used per-user interactive + non-interactive sign-in logs (which remain accessible without P1) to reach a confident verdict.
|
||||
- **Distinguished password-fail vs MFA-denied** — checked `authenticationStepResultDetail` and error-code families specifically to answer whether any attempt passed the password and was stopped only by MFA; none did, which is a stronger clean verdict than "compromised but MFA-blocked."
|
||||
- **New linked warranty ticket for Four Paws, not appended to #32447** — #32447 was already invoiced; a separate $0 warranty ticket (#32524) referencing the parent keeps the invoiced job closed and gives the warranty work its own tracked record.
|
||||
- **Skipped the block-rate upsell note on the $0 warranty invoice** — the standard non-block invoice note does not belong on warranty work.
|
||||
- **Separate vault entry for the OITVOIP provisioning login** — a portal/admin login is a distinct credential type from the existing reseller API key; kept as a sibling entry, cross-referenced in notes, both discoverable under `oitvoip*`.
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- **`vault_path` not set in identity.json on GURU-5070** — `onboard-tenant.sh` / `get-token.sh` failed with exit 3 ("vault_path not set ... and VAULT_ROOT_ENV env var not set"). Resolved by exporting `VAULT_ROOT_ENV=/d/vault` for the remediation-tool script calls (documented quirk; VAULT_ROOT_ENV is the remediation-tool workaround, not the vault-read pattern). Logged to errorlog.md.
|
||||
- **errorlog.md rebase conflict during first /sync** — this machine and Howard both appended entries; resolved by keeping all entries newest-on-top, `git add` + `git rebase --continue`, then re-ran sync to complete push/vault phases.
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
- Created `clients/cryoweave/reports/2026-07-08-breach-check.md` — full compromise-check report.
|
||||
- Created `msp-tools/oitvoip-provisioning.sops.yaml` (vault repo) — OITVOIP provisioning admin credential.
|
||||
- `errorlog.md` — appended remediation-tool token-failure entry; resolved a merge conflict.
|
||||
- Onboarded M365 tenant cryoweave.com to the remediation app suite (service principals + Entra roles provisioned in the customer tenant).
|
||||
- Syncro: created ticket #32524, invoice for Four Paws.
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
- **OITVOIP Provisioning Admin** — username `Prov_Admin`, password `YJ5UgRd9pV` ("OIT Provisioning Password"). Vaulted at `msp-tools/oitvoip-provisioning.sops.yaml` (fields under `credentials:` username/password). Related reseller API key remains at `msp-tools/oitvoip.sops.yaml`.
|
||||
- No new cryoweave credentials created (declined password reset). Greg's verified MFA phone: +1 5208080149.
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- **cryoweave.com** tenant ID: `44705a37-b5d8-4bb1-882d-e18775612ada`.
|
||||
- Enabled accounts: `greg@cryoweave.com` (owner, object id b6e806d7-2b9a-4566-9c0d-f3d29b25c88d), `admin@cryoweave.onmicrosoft.com` (09ea3149-...), `sysadmin@cryoweave.com` (ACG mgmt, created 2026-06-15).
|
||||
- Provisioned SPs: Tenant Admin 423a68e9-69a1-4f62-a82c-ff47d14609e6, Security Investigator c82fb747-..., Exchange Operator 6ab8ee74-..., User Manager 8adc24b5-....
|
||||
- Security Defaults: ENABLED. No Entra ID Premium (P1/P2). No MDE license.
|
||||
- Greg legit source IPs: 68.0.180.209 (US workstation), 2600:1011:* (US Verizon mobile).
|
||||
- **Four Paws** — Syncro customer id 33050383 (Josh Fender, fourpawsarizona@gmail.com), prepay_hours 0. Server-rebuild parent ticket #32447 (id 112974771).
|
||||
- **OITVOIP / PacketDial (NetSapiens)** — API v2 base `https://pbx.packetdial.com/ns-api/v2` (fallback `https://api.ucaasnetwork.com/ns-api/v2`); docs `https://docs.ns-api.com` (v44.4).
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
```bash
|
||||
# Onboard cryoweave (needed VAULT_ROOT_ENV on this machine)
|
||||
export VAULT_ROOT_ENV=/d/vault
|
||||
bash ~/.claude/skills/onboard365/scripts/onboard365.sh link cryoweave.com
|
||||
bash ~/.claude/skills/onboard365/scripts/onboard365.sh provision cryoweave.com # all roles [OK]
|
||||
|
||||
# Sweep (per-user, tenant-wide 403'd on no-premium)
|
||||
bash ~/.claude/skills/remediation-tool/scripts/user-breach-check.sh cryoweave.com greg@cryoweave.com
|
||||
|
||||
# MFA verify — matched +1 5208080149
|
||||
curl .../users/<oid>/authentication/phoneMethods # mobile +1 5208080149
|
||||
```
|
||||
|
||||
- Error codes on cryoweave attack traffic: 50126 (bad password), 50053 (smart lockout). Zero MFA-family (50074/50076/500121). Attack IPs spanned ~20 countries (RU, NO, NZ, CA, DE, JP, ZA, TW, etc.).
|
||||
- Syncro: ticket #32524 (id 113664846), line item id 43203342 (1049360 @ $0), invoice id 1650995889 (total $0.00). Bot alert message_id 1524814837329432696.
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- **cryoweave:** Greg to self-reset his password (proactive, spray is ongoing but failing). No further action required; Security Defaults MFA + smart lockout are holding. Optional future: Entra ID P1 for geo/named-location Conditional Access if spray persists.
|
||||
- **cryoweave SharePoint scopes** still AMBER (`Sites.Read.All`, cert-based `Sites.FullControl.All`) — not needed unless a future investigation points to SharePoint/file exfil.
|
||||
- **VoIP provisioning** (separate prior session): YMCS `sipServer1` HTTP 412 schema blocker unresolved — needs Yealink support / further ns-api research before end-to-end provisioning works. OITVOIP provisioning admin cred now vaulted for that work.
|
||||
- **guru-rmm submodule** still on branch `fix/linux-musl-glibc-floor` with local work; left untouched by sync.
|
||||
|
||||
## Reference Information
|
||||
|
||||
- Breach report: `clients/cryoweave/reports/2026-07-08-breach-check.md`
|
||||
- cryoweave tenant: `44705a37-b5d8-4bb1-882d-e18775612ada`
|
||||
- Four Paws warranty ticket: https://computerguru.syncromsp.com/tickets/113664846 (#32524); parent rebuild #32447.
|
||||
- Vault: `msp-tools/oitvoip-provisioning.sops.yaml`, `msp-tools/oitvoip.sops.yaml`
|
||||
- NetSapiens API docs: https://docs.ns-api.com/reference/get_version — `GET /ns-api/v2/version`, Bearer auth, no params.
|
||||
Reference in New Issue
Block a user