diff --git a/wiki/clients/safesite.md b/wiki/clients/safesite.md new file mode 100644 index 0000000..9617c08 --- /dev/null +++ b/wiki/clients/safesite.md @@ -0,0 +1,70 @@ +--- +title: Safe Site Utility Services LLC +type: client +slug: safesite +last_verified: 2026-06-08 +source_logs: + - session-logs/2026-06/2026-06-08-mike-safesite-investigation.md +--- + +# Safe Site Utility Services LLC + +MSP client. Fragmented endpoint management across **four** systems (Datto RMM, Intune/MDM, +ScreenConnect, Syncro) — a GuruRMM consolidation is in progress. + +## M365 tenant +- **Domain:** safesitellc.com · **Tenant ID:** `71b4e637-c802-4137-a812-ae50dbc839e3` +- **Onboarded apps (ComputerGuru MSP suite), verified live 2026-06-08:** + - Security Investigator, User Manager, Tenant Admin — Graph, consented + reading. + - **Intune Manager** (`46986910-aa47-4e5e-b596-f65c6b485abb`) — **consented 2026-06-08** (Mike, GA). + Holds full Intune write scopes (DeviceManagementConfiguration/ManagedDevices/Apps ReadWrite.All + + ManagedDevices.PrivilegedOperations.All). Use the `intune-manager` get-token tier. + - Exchange Operator/Investigator-EXO: token issues but EXO `InvokeCommand` 401 — the SP lacks the + **Exchange Administrator** role in-tenant (not yet assigned). Defender tier: reachable but **0 + devices onboarded** to MDE (no endpoint EDR telemetry). +- **get-token note:** `~/.claude/identity.json` lacks `vault_path` on GURU-5070 → pass + `VAULT_ROOT_ENV=D:/vault` to `remediation-tool/scripts/get-token.sh`. + +## Intune posture (45 Windows devices, enrollment-only) +- 45 Windows MDM devices; **no compliance policies, no configuration profiles** (settings catalog + empty). Enrollment configs are all default. **One** deployed app: **ScreenConnect Client**. +- **Security gaps:** 22 of 45 **unencrypted** (no BitLocker, nothing enforcing it); 8 noncompliant. +- Devices enrolled under **IT/admin accounts** (JonathanB@, sysadmin@, subhamb@, mailadmin1@), NOT + end users — so Intune's `userPrincipalName` does NOT identify the real operator. Use **Datto's + Last User** for person→machine attribution instead. + +## Endpoint management fragmentation (reconciled 2026-06-08) +Unified inventory by hostname across all four sources = **73 unique machines**. +- **Datto RMM = the near-master list (71/73)** and carries real `Last User` + AV/EDR status. + Only `0325-DELL3550` and `LAPTOP` are absent from Datto (Intune-only). +- Intune 42 · Syncro 24 · GuruRMM 18 (as of 2026-06-08). +- No Datto API creds in vault — Datto data comes from console CSV export. +- ScreenConnect API key only supports `GetSessionsByName` (blank for agents) → **cannot enumerate** + the fleet; see [[reference_screenconnect_api]]. + +## GuruRMM +- Client **Safesite** `fe17552f-736b-42ec-86a2-0e6f107f2397`. Sites: **Bell** (RED-HAWK-6595), + **Glendale** (SWIFT-OCEAN-8321), **Unknown** (LIGHT-CLOUD-3585, created 2026-06-08 as the + catch-all bucket for un-attributed push installs). +- 18 agents enrolled; **55 of 73 machines still need the agent**. Agents observed **offline / + WS-disconnected** 2026-06-08 (dispatches go to `pending`) while the same machines are **Online in + Datto** — Datto/Intune are the live push channels, not GuruRMM, right now. + +## NexSite recalled-email investigation (2026-06-08) +External sender m.paris@nexsitepartners.com sent "Re: NWWells - SafeSite - Vendor Forms" with +attachment **`SSUS 06122026.PDF`** to 9 Safe Site recipients on 2026-06-08 ~18:54 UTC; recalled. +IT contact: Jonathan Byrd (j.byrd@nexsitepartners.com). Goal: determine if the PDF was +accessed/downloaded on managed endpoints. +- **No EDR back-telemetry** (MDE 0 devices) → endpoint history can only come from **on-disk + artifact recovery** (file search + Zone.Identifier MotW + Outlook cache + browser DL history + + RecentDocs), run via a live channel. +- **Recipient → machine (via Datto Last User):** beeanna=`0225-DELL3550`, david=`0622-DAVID-HP`, + jon=`0525-ASUSFX707Z`, justinb=`0525-DELL3550-1`, lennyg=`DESKTOP-3USU20B`, + suzannep=`1122-SUZANNE-DELL`, travisf=`MSI`, jeremiahw=`DESKTOP-LOPKB4G`, thomasc=`0724-DELL3550`. +- Caveat: artifact recovery proves "downloaded=yes"; it cannot prove "never accessed". Only covers + managed machines (not phones/personal). Time-sensitive — artifacts age out. + +## Open items +- Choose forensic channel (Datto console job vs Intune proactive remediation) — GuruRMM agents + offline. Push GuruRMM agent to the 55 gap machines. Assign Exchange Admin role to the Sec + Investigator SP if mailbox-audit forensic is wanted. Remediate the 22 unencrypted endpoints.