sync: auto-sync from GURU-5070 at 2026-06-09 10:13:37
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-09 10:13:37
@@ -0,0 +1,73 @@
# Safe Site — NexSite recalled-PDF forensic investigation
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Date
- Investigation opened 2026-06-08; forensic sweep + reconstruction 2026-06-09.
- Reconstructed 2026-06-09 from work done on GURU-5070 (live session `eebb22f9-…`, which was never `/save`d — hence this log).
## Client
- **Safe Site Utility Services LLC** — M365 tenant `safesitellc.com`, tenant ID `71b4e637-c802-4137-a812-ae50dbc839e3`.
- GuruRMM client **Safesite** `fe17552f-736b-42ec-86a2-0e6f107f2397` (sites Bell / Glendale / Unknown).
## The request (from Jonathan Byrd, j.byrd@nexsitepartners.com)
External sender `m.paris@nexsitepartners.com` sent **"Re: NWWells - SafeSite - Vendor Forms"** with attachment **`SSUS 06122026.PDF`** to 9 Safe Site recipients on 2026-06-08 ~18:54 UTC. The email was recalled. Question: **was the PDF accessed/downloaded on any managed machine?**
Recipient → machine (via Datto "Last User"):
| Recipient | Machine | GuruRMM enrolled? |
|---|---|---|
| beeanna | 0225-DELL3550 | yes |
| david | 0622-DAVID-HP | yes |
| jon | 0525-ASUSFX707Z | yes |
| justinb | 0525-DELL3550-1 | yes |
| lennyg | DESKTOP-3USU20B | yes |
| suzannep | 1122-SUZANNE-DELL | yes |
| travisf | MSI | yes |
| thomasc | 0724-DELL3550 | yes |
| jeremiahw | **DESKTOP-LOPKB4G** | **NOT enrolled** |
## Mail-side findings (COMPLETE)
1. **Mailbox content search** (Graph `$search` for "SSUS 06122026" across all 9 mailboxes) → **all `[CLEAN]`**. The recall succeeded — no message carrying the PDF remains in any of the 9 mailboxes.
2. **EXO recall-proof** (`_recall_proof_poller.sh` → `~/Downloads/safesite-recall-proof.json`, pulled 2026-06-09 03:39 UTC, after the Exchange Operator SP's Exchange-Admin role finally propagated):
- `Search-UnifiedAuditLog` FreeText "SSUS 06122026" → **0 rows**.
- Delete/purge ops (HardDelete/SoftDelete/MoveToDeletedItems) by the 9 recipients → **0 rows**.
- `Get-MessageTraceV2` (sender m.paris@nexsitepartners.com) → 74 rows; the message shows **Delivered** to all 9 recipients before recall (distribution list `potholing@` = Expanded).
- **Caveat:** the UAL does not log a PDF opened directly from an Outlook attachment, so "0 audit hits" is **not** proof it was never opened — only that there's no mail/SharePoint audit trace.
## Endpoint forensic sweep (GuruRMM) — the definitive "on disk / downloaded?" check
Forensic PowerShell (runs as SYSTEM) searches each user profile's Downloads / Desktop / Documents / Outlook `Content.Outlook` cache / Temp / Recent / OneDrive for `*06122026*`, reads the **Zone.Identifier (Mark-of-the-Web)** on any hit, and scans Chrome/Edge **download-history** DBs for the pattern. Emits JSON `{host, hitCount, hits[]}`.
**First dispatch (2026-06-09 03:44–15:05 UTC):** 7 commands; only **2 completed**, both **CLEAN (hitCount 0)** — **MSI** (travisf) and **0525-DELL3550-1** (justinb). The other 5 **failed: "Command timeout"** — the Safesite agents are WS-disconnected (alive, `last_seen` updates ~every minute, but no persistent socket), so short-timeout commands expire before pickup.
**Re-dispatch (2026-06-09 ~15:4x UTC, this session):** same script, `timeout_seconds=1800` so it survives the agents' frequent reconnects. Sent to the 6 remaining enrolled targets:
| Machine (recipient) | command_id |
|---|---|
| 0225-Dell3550 (beeanna) | 86340d9b |
| 0622-David-HP (david) | 8d3e6530 |
| 0525-ASUSFX707Z (jon) | 9aa25e67 |
| DESKTOP-3USU20B (lennyg) | 1cf8dfea |
| 1122-Suzanne-Dell (suzannep) | 3322e787 |
| 0724-Dell3550 (thomasc) | 16b2a2b1 |
Results → `~/Downloads/safesite-forensic-results.txt`. **[STATUS: in progress at time of writing — poller collecting.]**
## Current status / open items (as of 2026-06-09 ~16:10 UTC)
- **CLEAN — 7 of 9 machines** (hitCount 0; no `06122026` file, no Mark-of-the-Web, no browser-DL trace):
MSI (travisf), 0525-DELL3550-1 (justinb), 0225-DELL3550 (beeanna), 0622-DAVID-HP (david),
0525-ASUSFX707Z (jon), 1122-SUZANNE-DELL (suzannep), 0724-DELL3550 (thomasc).
- **2 machines deferred — both effectively offline:**
- **DESKTOP-3USU20B (lennyg)** — enrolled but agent last checked in 13:43 UTC; forensic command queued (will run on reconnect, else re-dispatch).
- **DESKTOP-LOPKB4G (jeremiahw)** — NOT enrolled in GuruRMM and offline; sweep via Datto/Intune or after agent install once back online.
- **So far: no evidence the PDF was downloaded or opened on any swept machine.**
- Underlying issue: Safesite GuruRMM agents are WS-disconnected (known fleet issue) — they execute on reconnect but short timeouts fail. Use `timeout_seconds=1800` for this fleet until the WS issue is resolved.
## Syncro
- Ticket **#32395** (Safesite LLC, contact Jonathan Byrd) — created 2026-06-09; initial customer-facing update emailed (recall verified + 6/9-then-7/9 clean); internal progress note added.
## Artifacts on GURU-5070
- `~/Downloads/safesite-recall-proof.json` — EXO recall proof.
- `~/Downloads/safesite-forensic-results.txt` — endpoint sweep results.
- `.claude/scripts/_recall_proof_poller.sh` — the EXO poller (one-shot, completed).
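Review bot: the endpoint sweep under "Endpoint forensic sweep (GuruRMM)" matches only on the filename pattern `*06122026*` (plus Zone.Identifier on those hits and browser download-history rows), so a copy saved under a different name, or a PDF viewed in Outlook's preview pane without touching `Content.Outlook`, produces hitCount 0 just like a machine that never received it; the mail-side section carries an explicit "0 audit hits is not proof" caveat, but the endpoint section and the "CLEAN — 7 of 9 machines" bullet do not. Suggest adding the same caveat beside the hitCount-0 results so the customer-facing "7/9 clean" in the Syncro ticket is read as "no trace found by name, MotW or browser download history", matching the "no evidence" wording in Current status. Also, the "[STATUS: in progress at time of writing]" line under Re-dispatch is stale once Current status reports 7 of 9 complete; either update it or mark it as a timestamped snapshot so a later reader is not left with two conflicting states.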