From 75f60df6a6525c9a521f68d5aa671fa4ac44388c Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Thu, 2 Jul 2026 17:30:57 -0700 Subject: [PATCH] sync: auto-sync from GURU-5070 at 2026-07-02 17:30:07 Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-07-02 17:30:07 --- .barb-signins.json | 1 + .../2026-07-02-barbara-account-check.md | 67 +++++++++++++++++ ...2-mike-crowdstrike-rollout-365-appsuite.md | 73 +++++++++++++++++++ 3 files changed, 141 insertions(+) create mode 100644 .barb-signins.json create mode 100644 clients/bardach/reports/2026-07-02-barbara-account-check.md diff --git a/.barb-signins.json b/.barb-signins.json new file mode 100644 index 00000000..d2fb6438 --- /dev/null +++ b/.barb-signins.json @@ -0,0 +1 @@ +{"error":{"code":"Authentication_RequestFromNonPremiumTenantOrB2CTenant","message":"Tenant is not a B2C tenant and doesn't have premium license","innerError":{"date":"2026-07-03T00:23:04","request-id":"38ada771-6185-4abf-9e35-e771af91c0ab","client-request-id":"38ada771-6185-4abf-9e35-e771af91c0ab"}}} \ No newline at end of file diff --git a/clients/bardach/reports/2026-07-02-barbara-account-check.md b/clients/bardach/reports/2026-07-02-barbara-account-check.md new file mode 100644 index 00000000..8a8f6c83 --- /dev/null +++ b/clients/bardach/reports/2026-07-02-barbara-account-check.md 
@@ -0,0 +1,67 @@ +# Account Health Check — barbara@bardach.net + +- **Date (UTC):** 2026-07-03 00:25 +- **Trigger:** MS Authenticator "behaving crazy," trouble logging in to services +- **Tenant:** bardach.net (`dd4a82e8-85a3-44ac-8800-07945ab4d95f`) +- **Tooling:** remediation-tool 10-point user breach check (investigator + investigator-exo tiers, read-only) + +## Verdict + +**No compromise indicators found.** Account hygiene is clean. The Authenticator trouble +correlates with an MFA re-registration + Windows Hello enrollment performed TODAY at +~2:20 PM local on her own office PC — verify that activity was legitimate (her or a tech). + +## Findings + +| Check | Result | +|---|---| +| Account enabled | true; created 2020-05-24 | +| Password last changed | 2026-01-18 | +| Mail forwarding (internal/SMTP) | none | +| Inbox rules | 1 visible: "Move Graymail to folder" (INKY graymail, **disabled**) — benign | +| Hidden inbox rules | none | +| Mailbox delegates (non-SELF) | none | +| Send-As grants | none | +| OAuth consents | 1: zipForm Plus (Mail.Send, principal consent) — legitimate realtor software | +| App role assignments | 6 (standard) | +| Risk detections | 0 (risky-user API forbidden — no Identity Protection license) | +| Sign-in logs | **unavailable — tenant has no Entra ID P1** (Graph returns NonPremiumTenant) | +| Directory audits (30d) | 3 entries, all today — see timeline | + +## Auth methods (6) — all consistent with Barbara + +| Method | Detail | +|---|---| +| Password | rotated 2026-01-18 | +| SMS phone | +1 520-275-3867 (mobile) | +| Microsoft Authenticator | iPhone (iOS) | +| Windows Hello | BCB-OFFICE26 — **created 2026-07-02 21:24 UTC (2:24 PM local, TODAY)** | +| Windows Hello | LAPTOP-E5EKEJT8 — 2025-11-08 | +| Windows Hello | (blank name) — 2023-09-23, stale leftover from an old PC; candidate for cleanup | + +Registered devices all known/hers: Surface-Pro (2020), BCB-Office (2023), BCB-OFFICE2023, +iPhone 15 Pro Max, LAPTOP-E5EKEJT8, 
BCB-OFFICE26 (registered 2026-02-13). + +## Today's timeline (UTC) + +| Time | Event | Actor | +|---|---|---| +| 21:19:49 | Update user (MFA method change) | Azure MFA StrongAuthenticationService | +| 21:24:17 | Update user (device registration) | Device Registration Service | +| 21:24:17 | Add Windows Hello for Business credential (BCB-OFFICE26) | barbara@bardach.net | + +## Recommendations + +1. **Confirm the 2:19-2:24 PM changes were legitimate** (Barbara or a tech at BCB-OFFICE26). + If nobody did this deliberately: rotate password + revoke sessions immediately. +2. If unprompted Authenticator pushes continue: remove + re-add the account in the + Authenticator app on her iPhone (fixes broken registrations), confirm phone date/time + is set automatically. +3. Optional hygiene: delete the blank 2023 Windows Hello method. +4. Visibility caveat: without Entra P1 there are no sign-in logs, so MFA-fatigue attempts + cannot be ruled out from logs alone. Cheap insurance if in doubt: password rotation + + session revocation. + +## Raw artifacts + +`/tmp/remediation-tool/dd4a82e8-85a3-44ac-8800-07945ab4d95f/user-breach/barbara_bardach_net/` diff --git a/session-logs/2026-07/2026-07-02-mike-crowdstrike-rollout-365-appsuite.md b/session-logs/2026-07/2026-07-02-mike-crowdstrike-rollout-365-appsuite.md index febedd99..0835bb03 100644 --- a/session-logs/2026-07/2026-07-02-mike-crowdstrike-rollout-365-appsuite.md +++ b/session-logs/2026-07/2026-07-02-mike-crowdstrike-rollout-365-appsuite.md 
@@ -163,3 +163,76 @@ root RMM agent); staged crowdstrike installers under /var/www/gururmm/downloads/ applied 0.5 prepay, block 10.0->9.5); linked-ref offboarding ticket #32487 (id 113195707, Invoiced). Remote labor product 1190473 @ $150 (category Labor). - Docs: .claude/skills/remediation-tool/references/app-suite.md (authoritative 365 map). + +--- + +## Update: 17:29 PT — PST "Mara audit log" relocation + fast wiki-compile update mode + +### Summary +Two follow-on threads after the earlier save. (1) **Peaceful Spirit — "the Mara audit log":** +Mike asked to change its location to `G:\Shares\Private\Partner Review\Legal Documents - DO NOT +DELETE\_Deletion Reports`. No such mechanism was in our notes/wiki/coord — located it live via +GuruRMM (site SSH was down, no L2TP VPN). It is a scheduled task **`PST Deletion Report (Daily)`** +on PST-SERVER running `C:\PST-Tools\PST-DeletionReport.ps1` (SYSTEM, 06:30), harvesting Security +events 4660/4663 (SACL on `G:\Shares\Scanned`) into a per-day HTML deletion report — the standing +record Mara reviews after the mass-deletion incident. Repointed only `$OutDir` to the legal folder +(left `$Root = G:\Shares\Scanned` — the monitored scope — unchanged), backed up the script, and +validated by a test run (report written, 6 items) + confirmed the daily task unchanged. +(2) **wiki-compile speed:** Mike flagged the wiki rebuild as terribly slow and wanted update-vs- +rebuild. Root cause: the no-flag "refresh" only touched Syncro fields (useless for knowledge), so +capturing real work forced `--full` (reads ALL logs + Sonnet full-article regen). Added a real +**update mode** (new default) and did the PST wiki edit surgically as the exemplar. + +### Key Decisions +- Located the audit mechanism via GuruRMM read-only discovery rather than guessing or asking — + SSH to the CC site needs the L2TP VPN (down); PST-SERVER is a GuruRMM agent (87293069), reachable. 
+- Changed ONLY `$OutDir`; `$Root` (audited folder) stays `G:\Shares\Scanned`. Backup kept + (`PST-DeletionReport.ps1.bak-20260702`) — reversible one-line change on a HIPAA DC. +- wiki-compile: made **update** the no-flag default = Syncro refresh + incremental merge of ONLY + logs newer than `last_compiled`, via targeted section edits (main agent/Haiku, no Sonnet, no full + regen). `--full` = explicit Rebuild; `--syncro` = instant Syncro-only. Folded old "refresh" into + update. Speedup = small input (new logs only) + small output (surgical edits) + no Sonnet pass. +- Applied the PST wiki edit directly (not via the staged/locked Phase 5 flow) — single known change, + faster; next `--full` reconciles. + +### Problems Encountered +- Wrong RMM status endpoint first (`/api/agents/commands/{id}` returned empty) → correct is + `GET /api/commands/{id}` (from the /rmm command doc). Self-corrected. +- Flagged (not fixed): the target legal folder `...\Legal Documents - DO NOT DELETE\` contains + client-stored credentials in the clear (`passwords`, `Employee password list 2019-01-15.docx`) — + surfaced to Mike for a separate cleanup decision. + +### Configuration Changes +- PST-SERVER (via GuruRMM, agent 87293069): edited `C:\PST-Tools\PST-DeletionReport.ps1` + (`$OutDir` -> legal folder); backup `C:\PST-Tools\PST-DeletionReport.ps1.bak-20260702`. + Scheduled task `PST Deletion Report (Daily)` unchanged. +- claudetools (main, commit 59b5f1f5): `wiki/clients/peaceful-spirit.md` (Deletion Investigation + paragraph + 2026-07-02 History row + frontmatter date), `wiki/index.md` (PST date bump), + `.claude/commands/wiki-compile.md` (+ global copy) — new update/rebuild/syncro modes. + +### Infrastructure & Servers +- PST-SERVER (Peaceful Spirit CC): LAN 192.168.0.2, Server 2016 Essentials DC/file server, + GuruRMM agent `87293069-33b6-45e8-a68f-6811216cdb96` (online). G: is a local drive; SYSTEM has + full access. 
Site SSH (`sysadmin@192.168.0.2`) requires L2TP VPN to CC (was down this session). +- Audit basis: object-access auditing (File System) = Success+Failure; SACL Everyone/Delete+DC/ + Success on `G:\Shares\Scanned`. Report retention 90 days, generated ~06:30 daily. + +### Commands & Outputs +- Find PST-SERVER agent: `bash .claude/scripts/rmm-search.sh -c "peaceful spirit"`. +- RMM dispatch: `POST $RMM/api/agents/$AGENT/command` {command_type:"powershell", command, timeout_seconds}; + poll `GET $RMM/api/commands/$CID` (.status/.stdout). Server 2016 -> use plain `powershell` + command_type (not ps-encoded EncodedCommand). +- Validation output: `Report written: G:\Shares\Private\Partner Review\Legal Documents - DO NOT + DELETE\_Deletion Reports\Deletion-Report-2026-07-02.html (6 items)`; task LastResult=0, NextRun 07/03 06:30. + +### Pending / Incomplete Tasks +- (unchanged CrowdStrike Tasks 6-9, VWP/Cascades consent AMBERs from earlier.) +- Peaceful Spirit: client credentials stored in the clear in the Legal Documents share — Mike to + decide on cleanup/vaulting separately. +- Optional: run `/wiki-compile client:peaceful-spirit` (now fast update mode) to confirm the new + path end-to-end on the real article next time. + +### Reference Information +- Commit 59b5f1f5 (wiki + wiki-compile update mode). PST-SERVER GuruRMM agent 87293069. +- Script: `C:\PST-Tools\PST-DeletionReport.ps1` (task "PST Deletion Report (Daily)"). +- New report path: `G:\Shares\Private\Partner Review\Legal Documents - DO NOT DELETE\_Deletion Reports`.
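Review bot: `.barb-signins.json` is a Graph error payload (`Authentication_RequestFromNonPremiumTenantOrB2CTenant`) committed to the repository root, not sign-in data, and it carries a `request-id` plus a user-identifying filename; suggest dropping it from the commit (or adding it to `.gitignore`) and, if the failed call is worth keeping as evidence, storing it under the client's `user-breach` raw-artifacts path that the report already references. The file also has no trailing newline.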
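Review bot: in `2026-07-02-barbara-account-check.md`, the `## Verdict` line `**No compromise indicators found.**` reads stronger than the evidence in the same hunk, where the Findings table records sign-in logs as unavailable and the risky-user API as forbidden; suggest qualifying it, e.g. `**No compromise indicators found in the data available** (no sign-in or risk logs; see recommendation 4).` Separately, the `SMS phone` row commits Barbara's full mobile number, an active MFA factor, to version control; since the raw artifacts path under `/tmp/remediation-tool/...` already holds the detail, masking it to the last four digits in the report would be sufficient.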
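Review bot: the Configuration Changes entry for `C:\PST-Tools\PST-DeletionReport.ps1` records the new `$OutDir` but not the value it replaced, so the change is only reversible by opening the `.bak-20260702` file on the DC; add the previous output path to that bullet (and to the wiki History row) so the rollback is documented where the change is. Related: the Problems Encountered flag about clear-text credentials in `...\Legal Documents - DO NOT DELETE\` should note that the repointed task now writes its SYSTEM-generated deletion reports into that same tree, so the pending cleanup decision should also cover who can read `_Deletion Reports`.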