wiki: compile kittle (full) — BEC/ACH incident, entry-point root cause, CA hardening; mark kittle-design superseded
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -1,55 +1,63 @@
---
type: client
name: kittle
display_name: Kittle (client)
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
display_name: Kittle Design & Construction LLC
last_compiled: 2026-06-09
compiled_by: GURU-5070/claude-main
sources:
- wiki/clients/kittle.md
- wiki/clients/kittle-design.md
- clients/kittle/session-logs/2026-06/2026-06-08-mike-bec-incident-remediation.md
- clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-ach-fraud-ic3.md
- clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-marco-remediation.md
- clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md
- clients/kittle/reports/2026-06-08-breach-check.md
- clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md
- clients/kittle-design/session-logs/2026-04-24-session.md
- clients/kittle/docs/overview.md
- clients/kittle/docs/servers/server.md
- clients/kittle/docs/network/topology.md
- clients/kittle/docs/network/firewall.md
- clients/kittle/docs/network/dns.md
- clients/kittle/docs/network/dhcp.md
- clients/kittle/docs/network/vlans.md
- clients/kittle/docs/cloud/m365.md
- clients/kittle/docs/cloud/azure.md
- clients/kittle/docs/rmm/rmm.md
- clients/kittle/docs/security/antivirus.md
- clients/kittle/docs/security/backup.md
- clients/kittle/docs/issues/log.md
- clients/kittle/docs/email/dkim-dmarc-setup.md
- clients/kittle/PROJECT_STATE.md
- clients/kittle/session-logs/2026-05-08-howard-joshua-onsite-and-gururmm-onboarding.md
backlinks:
- "[[clients/kittle-design]]"
- "[[projects/gururmm]]"
- "[[clients/internal-infrastructure]]"
---

# Kittle Design & Construction LLC

## Overview
## Profile

- **Business type:** General contractor (construction)
- **Business type:** General contractor / design-build (construction)
- **Contract type:** Break-fix
- **Syncro customer ID:** 32460233
- **Managed devices (Syncro assets):** 2
- **Open tickets:** 0 (all June 2026 incident tickets Invoiced/Resolved as of 2026-06-09)
- **Billing rate:** (verify — Labor - Remote Business, product_id 1190473 observed)
- **Hours remaining:** N/A (Break-fix, no prepaid block)
- **Address:** 2539 N Balboa Ave #125, Tucson, AZ 85705
- **Phone:** 520.299.0404 | **Fax:** 520.299.0477
- **Website:** kittlearizona.com
- **Syncro customer ID:** 32460233
- **Status:** Active — onboarding in progress (as of 2026-05-08)
- **Billing model:** [unverified] — no contract or rate documented in source files
- **Hours remaining:** [unverified] — not documented
- **Status:** Active — ongoing post-incident hardening

---

## Contacts
### Key Contacts

| Name | Title | Email | Notes |
|------|-------|-------|-------|
| Ken Schagel | Owner / Primary Contact | ken@kittlearizona.com | |
| Kimberly Ross | Admin | admin@kittlearizona.com | Primary M365 contact per session log |
| Darline Cabrera | Bookkeeper | accounting@kittlearizona.com | Role account: `accountant` on AD |
| Joshua Sutherland | Employee (new 2026-05-08) | joshua@kittlearizona.com | Took over Wrex's workstation |
| Howard Enos | MSP Tech (ACG) | — | AD account: `sysadmin` (Domain Admin) |
| Ken Schagel | Owner / Primary Contact | ken@kittlearizona.com | Was Global Admin; roles stripped during incident, need to re-add appropriate admin role once fully cleared |
| Kimberly Ross | Office Admin ("Kim") | admin@kittlearizona.com | Admin@ mailbox; MFA reset 2026-06-09 to phone-only |
| Darline Cabrera | Bookkeeper | accounting@kittlearizona.com | Role account (AD: accountant); impersonated by attacker during ACH fraud — (verify: internal employee or external contractor?) |
| Joshua Sutherland | Employee (new 2026-05-08) | joshua@kittlearizona.com | Replaced Wrex; FullAccess + SendAs to Wrex's former shared mailbox |
| Lori Schagel | (verify role) | Lori@kittlearizona.com | Had 10 pre-existing admin roles incl. GA — stripped and downscoped to User Administrator 2026-06-08 |
| Alexis Schagel | (verify role) | alexis@kittlearizona.com | Compromised in April 2026; remediated |
| Marco Fragoso | Employee | marco@kittlearizona.com | Compromised June 2026; password reset + sessions revoked 2026-06-09 |
| Hayden Schagel | Employee | hayden@kittlearizona.com | |
| Scott Zehner | Employee | scott@kittlearizona.com | Phone-only MFA (no Authenticator) |
| Howard Enos | MSP Tech (ACG) | — | AD account: sysadmin (Domain Admin) |

**Known M365 users (licensed):**
- Office 365 E3 (no Teams): Alexis Schagel, Kalvin Hairston, Ken Schagel, Wrex Watson
**Additional M365 users (licensed):**
- Office 365 E3 (No Teams): Alexis Schagel, Kalvin Hairston, Ken Schagel, Wrex Watson
- Business Standard: Accounting, Admin (Kimberly Ross), Brandon Blazer, Hayden Schagel, Jason Stubblefield, Johnny Calhoun, Joshua Sutherland, Lori Schagel, Marco Fragoso, Michael Sanchez, Neal Crusius, Scott Zehner

---
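
Review bot: the Ken Schagel row defers the decision on which admin role he gets back ("need to re-add appropriate admin role once fully cleared") without naming it; since this account was the incident's entry point and is a daily-use mailbox, the Open Items should state that Global Admin is not re-granted to it and that any admin role goes on a separate, MFA-enforced admin identity. Two more rows deserve a flag: Lori Schagel's downscoping to User Administrator still leaves a role that can reset passwords and manage users, so it should be justified or reduced further, and the phone-only MFA recorded for Kimberly Ross and Scott Zehner is the weakest second factor available in a case where the attacker also worked by phone, so Authenticator enrollment for both should be a tracked item.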
@@ -60,7 +68,9 @@ sources:

| Hostname | IP | OS | Role | Hardware | Notes |
|----------|----|----|------|----------|-------|
| SERVER | 10.0.0.5 | Windows Server 2025 Standard **EVALUATION** | Primary DC, DNS, DHCP (unused), File Server, Print Server | HPE ProLiant MicroServer Gen11, Intel Xeon E-2414 (4 cores), 80 GB RAM | [WARNING] EVALUATION license — expires 180 days from install. Shuts down hourly after expiry. Syncro asset: `SERVER2021` (id `10584015`) |
| SERVER (asset: SERVER2021) | 10.0.0.5 | Windows Server 2025 Standard **EVALUATION** | Primary DC, DNS, File Server, Print Server | HPE ProLiant MicroServer Gen11, Intel Xeon E-2414 (4 cores), 80 GB RAM | [WARNING] EVALUATION license — expires 180 days from install. Shuts down hourly after expiry. Check: `slmgr /dlv` |

**[WARNING] NO BACKUP EXISTS.** No Windows Server Backup, no third-party agent, no cloud backup. SERVER is the only DC; failure = loss of AD, DNS, file shares, and QuickBooks data permanently.

**SERVER storage:**
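
Review bot: the SERVER row records the evaluation deadline only relative to an unknown install date ("expires 180 days from install"); add the install date or the `slmgr /dlv` output captured at compile time so the shutdown date is a fixed value the on-call tech can read without logging into the DC. The NO BACKUP EXISTS warning is right to sit directly under the server table; it would be stronger paired with an order of operations in Open Items (backup first, then license activation and the QuickBooks migration) so that no change is made to the only domain controller before it can be restored.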
@@ -69,128 +79,61 @@ sources:
| C: | OS | ~11 TB | Primary volume (NTFS) |
| Secondary | Server2 2022_03_31 | ~2 TB | Purpose unknown — possibly old server backup/migration data |

**[WARNING]** Unknown service listening on TCP port 8019 on SERVER. Not a standard Windows/AD port. Likely QuickBooks or ScreenConnect — needs identification (`netstat -ano | findstr 8019`).

### Workstations

| AD Name | OS | Last Logon | Notes |
|---------|----|------------|-------|
| FRONTDESK | Windows 11 Pro | 2026-03-09 | Front Desk user; Syncro asset id `11122225` |
| ACCOUNTING | Windows 11 Pro for Workstations | 2026-03-09 | `accountant` role account |
| CHRISTINE-WIN10 | Windows 11 Pro | 2026-03-09 | Legacy name; actually Win11 |
| DESKTOP-2560Q7R | Windows 11 Pro | 2026-03-06 | Wrex — now used by Joshua Sutherland; needs rename |
| WINDOWS-QV1B0EL | Windows 11 Pro | 2026-03-06 | User unknown; needs rename |
| DESKTOP-R0KA2UG | Windows 11 Pro | 2026-03-11 | User unknown; needs rename |
| DESKTOP-9B2SMD9 | Windows 11 Pro | 2026-03-06 | User unknown; needs rename |

**Known machine-to-user mapping:** FRONTDESK = Front Desk, ACCOUNTING = accountant (Darline?), CHRISTINE-WIN10 = Christine, DESKTOP-2560Q7R = Wrex/Joshua. Three workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) unidentified — require onsite correlation.
| AD Name | OS | Notes |
|---------|----|-------|
| FRONTDESK | Windows 11 Pro | Syncro asset id 11122225 |
| ACCOUNTING | Windows 11 Pro for Workstations | `accountant` role account |
| CHRISTINE-WIN10 | Windows 11 Pro | Legacy name; actually Win11 |
| DESKTOP-2560Q7R | Windows 11 Pro | Was Wrex — now Joshua Sutherland; needs rename |
| WINDOWS-QV1B0EL | Windows 11 Pro | User unknown — needs onsite correlation + rename |
| DESKTOP-R0KA2UG | Windows 11 Pro | User unknown — needs onsite correlation + rename |
| DESKTOP-9B2SMD9 | Windows 11 Pro | User unknown — needs onsite correlation + rename |

### Active Directory

- **Domain:** kittle.lan (NetBIOS: KITTLE)
- **Domain Admins:** Administrator, sysadmin (Computer Guru)
- **Total domain users:** 12 (8 regular + sysadmin + QBDataServiceUser34 + joshua.sutherland added 2026-05-08 + Administrator)
- **Domain Admins:** Administrator, sysadmin (ACG)
- **Total domain users:** 12 (including joshua.sutherland added 2026-05-08)
- **Total workstations:** 7

**AD Users:**

| SamAccountName | Display Name | Enabled | Notes |
|---------------|-------------|---------|-------|
| Administrator | Administrator | Yes | Domain Admin |
| alexis | Alexis | Yes | |
| Marco | Marco | Yes | |
| accountant | accountant | Yes | [WARNING] Role-based — should be individual account |
| ken | Ken | Yes | Owner |
| frontdesk | Front Desk | Yes | [WARNING] Role-based — should be individual account |
| lori | Lori | Yes | |
| wrex | Wrex | Yes | [WARNING] Wrex's PC now used by Joshua |
| sysadmin | Computer Guru | Yes | MSP Domain Admin |
| QBDataServiceUser34 | QuickBooks service | Yes | Service account |
| joshua.sutherland | Joshua Sutherland | Yes | Created 2026-05-08; UPN joshua.sutherland@kittle.lan, email joshua@kittlearizona.com |

### File Shares

| Share | Path | Notes |
|-------|------|-------|
| Home | C:\Shares\Home | User home folders; mapped via HomeFolder GPO |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data files |
| NETLOGON | (default) | AD logon scripts |
| SYSVOL | (default) | Group Policy |
**[WARNING]** Role-based AD accounts (`accountant`, `frontdesk`) should be replaced with individual named accounts.
**[WARNING]** Three workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) user-to-machine mapping unconfirmed.

### Installed Software (SERVER)

| Software | Notes |
|----------|-------|
| QuickBooks Pro 2024 (v34) | [WARNING] Should NOT be on a DC — migrate to workstation |
| QuickBooks Pro 2024 (v34) | [WARNING] Should NOT be on a DC — migrate to ACCOUNTING workstation; data at C:\Shares\Home\QBooks |
| ScreenConnect | Remote access agent |

### Backup
**ScreenConnect note:** Command runner defaults to `cmd` context — PowerShell scripts MUST be prefixed with `#!ps` or they fail silently.

[WARNING] NO BACKUP EXISTS. No Windows Server Backup, no third-party agent, no cloud backup. If SERVER fails, AD, DNS, file shares, and QuickBooks data are permanently lost. SERVER is the only domain controller.

### Antivirus / EDR

*(not documented)* — no AV/EDR product deployed or documented.

---

## Network

### Topology
### Network

- **Subnet:** Single flat 10.0.0.0/24 — no VLANs, no segmentation
- **Gateway:** 10.0.0.1 (ISP router — consumer-grade, acts as gateway + DHCP + only "firewall")
- **Switch:** UniFi USW-Lite-16-PoE at 10.0.0.122 (MAC: 0C:EA:14:8A:8D:7F); managed by ACG's self-hosted UniFi controller
- **~31 devices** observed on network via ARP — most unidentified (phones, printers, APs, workstations)
- **~31 devices** on network (most unidentified)

**Key device IPs:**
**[WARNING] NO dedicated firewall.** ISP router is the only perimeter device. No stateful inspection, IDS/IPS, content filtering, or granular rules. Recommendation: Deploy pfSense or commercial UTM (FortiGate, SonicWall).

| Device | IP | Notes |
|--------|----|-------|
| ISP Router | 10.0.0.1 | Gateway, DHCP, only perimeter device |
| SERVER (DC) | 10.0.0.5 | Static |
| UniFi Switch | 10.0.0.122 | Should have DHCP reservation |
**DHCP:** [WARNING] Runs on ISP router (10.0.0.1), NOT on SERVER. Windows DHCP role installed on SERVER but has zero scopes. Unknown what DNS server is handed out via DHCP — AD name resolution may be broken for domain clients.

### Firewall
**Internal DNS:** Windows DNS on SERVER (10.0.0.5), AD-integrated. Forwarder: 10.0.0.1 only. No reverse lookup zone. No secondary forwarder.

[WARNING] NO dedicated firewall. ISP router at 10.0.0.1 (MAC: 42:0f:c1:f0:e6:43 — randomized/consumer MAC) is the only perimeter device. No stateful inspection, IDS/IPS, content filtering, or granular rules. The firewall.md template is empty — no firewall config has been documented because none exists.
**External DNS (kittlearizona.com):** Hybrid NSOne + Squarespace nameservers.

**Recommendation:** Deploy pfSense (free) or commercial UTM (FortiGate, SonicWall) between ISP router and LAN switch.
### File Shares (SERVER)

### VLANs
| Share | Path | Notes |
|-------|------|-------|
| Home | C:\Shares\Home | User home folders; mapped via HomeFolder GPO |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data files |
| NETLOGON / SYSVOL | (default) | AD logon scripts / Group Policy |

No VLANs configured. All devices on the same broadcast domain. The vlans.md template exists but is empty — no VLAN segmentation is deployed.

### DNS

**Internal DNS:** Windows DNS on SERVER (10.0.0.5), AD-integrated.
- Zones: kittle.lan, _msdcs.kittle.lan
- Forwarder: 10.0.0.1 (ISP router) — single forwarder, no redundancy
- No reverse lookup zone for 10.0.0.0/24 (PTR lookups fail)

**External DNS (kittlearizona.com):** Hybrid NSOne + Squarespace nameservers

| Nameservers |
|-------------|
| dns1.p02.nsone.net, dns2.p02.nsone.net, dns3.p02.nsone.net, dns4.p02.nsone.net |
| ns01.squarespacedns.com, ns02.squarespacedns.com, ns03.squarespacedns.com, ns04.squarespacedns.com |

**Email DNS records (as of 2026-04-23):**

| Record | Status | Value |
|--------|--------|-------|
| MX | [OK] | kittlearizona-com.mail.protection.outlook.com |
| SPF | [OK] | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | [WARNING] MISSING | Not configured — HIGH PRIORITY |
| DMARC | [WARNING] MISSING | Not configured — HIGH PRIORITY |

**DKIM/DMARC setup guide:** `clients/kittle/docs/email/dkim-dmarc-setup.md`

DNS registrar: Unknown — needs identification.

### DHCP

[WARNING] DHCP runs on the ISP router (10.0.0.1), not on SERVER. The Windows DHCP role is installed on SERVER but has zero scopes configured. Unknown what DNS server is handed out via DHCP — if DHCP hands out ISP DNS instead of 10.0.0.5, AD name resolution may break for domain clients. DHCP range, lease time, and reservations not documented (need ISP router admin access to check).
**GPO Note:** HomeFolder GPO drive map MUST stay as `Update` (not `Replace`). Replace tears down and recreates the drive connection every ~90 min GP refresh cycle, killing open Explorer windows.

---
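
Review bot: the Antivirus / EDR line says both "(not documented)" and "no AV/EDR product deployed", which are different findings; state which one was actually verified (an agent inventory on SERVER and the seven workstations would settle it), because a client with no endpoint protection after a BEC incident is a higher-priority item than one that is merely undocumented. Two unresolved findings in this hunk also belong in Open Items rather than inline: the unidentified TCP 8019 listener on SERVER (pair the suggested `netstat -ano | findstr 8019` with `tasklist /FI "PID eq <pid>"` to name the owning process) and the ~2 TB "Server2 2022_03_31" secondary volume of unknown purpose, which should be identified so it is not mistaken for a backup. The DHCP paragraph's open question about which DNS server clients receive can be answered from any domain workstation with `ipconfig /all` before ISP router access is arranged.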
@@ -200,40 +143,62 @@ DNS registrar: Unknown — needs identification.

| Field | Value |
|-------|-------|
| Tenant name | kittlearizona.com |
| Tenant domain | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Primary domain | kittlearizona.com |
| Entra licensing | **Entra ID P2** (P2 added 2026-06-09; was Business Premium / P1 only before) |
| Admin portal | https://admin.microsoft.com |

### Licensing (as of 2026-04-28)
### Licensing (as of 2026-06-09)

| License | Qty | Assigned | Available |
|---------|-----|----------|-----------|
| Microsoft 365 Business Standard (SKU: O365_BUSINESS_PREMIUM, skuId: f245ecc8-75af-4f8e-b61f-27d8114de5f3) | 12 | 12 | 0 |
| Office 365 E3 No Teams (skuId: 46c3a859-c90d-40b3-9551-6178a48d5c18) | 4 | 4 | 0 |
| License | Qty |
|---------|-----|
| Microsoft 365 Business Standard (BUSINESS_PREMIUM) | 12 |
| Office 365 E3 No Teams | 4 |
| Entra ID P2 | (added 2026-06-09 by Mike — qty covers all users) |

ACG `sysadmin` account is unlicensed.

### Exchange Online / Email
### Security Posture (post-hardening, 2026-06-09)

- Mail provider: Microsoft 365 (kittlearizona.com)
- MX: kittlearizona-com.mail.protection.outlook.com
- Shared mailboxes, distribution groups, mail flow rules: *(not documented)*
- Known Outlook accounts in Syncro notes (plaintext — flagged for vault migration): `kittletucson@outlook.com`, `kittletucson2@outlook.com`
| Control | Status |
|---------|--------|
| Security Defaults | **DISABLED** (replaced by CA 2026-06-09) |
| Conditional Access | **ENFORCED** — three policies active (see below) |
| Legacy auth (IMAP/POP/EAS) | Still enabled tenant-wide — [WARNING] disable |
| DKIM | **MISSING** — HIGH PRIORITY |
| DMARC | **MISSING** — HIGH PRIORITY |
| Entra P2 / Identity Protection | Available as of 2026-06-09 |

### Azure
**Conditional Access policies (active as of 2026-06-09):**
- `ACG - Require MFA for all users` — enforced; break-glass `sysadmin@` excluded
- `ACG - Block legacy authentication` — enforced; sysadmin@ excluded
- `ACG - Block non-US sign-ins` — enforced; named location "United States (ACG)"; sysadmin@ excluded

*(not documented)* — Azure subscription template is empty; no Azure VMs or cloud resources documented.
### Email DNS (kittlearizona.com)

### Entra ID / Hybrid Join
| Record | Status | Value |
|--------|--------|-------|
| MX | [OK] | kittlearizona-com.mail.protection.outlook.com |
| SPF | [OK] | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | [WARNING] MISSING | Not configured — HIGH PRIORITY |
| DMARC | [WARNING] MISSING | Not configured — HIGH PRIORITY |

- Hybrid joined: [unverified] — not documented
- No Azure AD Connect server documented
- MFA enforcement status: [unverified]
External DNS registrar: Unknown — needs identification.

### SharePoint / OneDrive / Teams
### MSP App Service Principals (in-tenant)

*(not documented)*
| App | SP Object ID (in Kittle tenant) | Role |
|-----|----------------------------------|------|
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | (including JIT Privileged Authentication Administrator — MUST be removed; see Open Items) |
| ComputerGuru AI Remediation | 2fd24cfa-8533-460f-9cbb-53cc4a32d3f5 | — |

### SharePoint / OneDrive

Confirmed clean post-incident (2026-06-08): no attacker-created files, pages, or external sharing links.

---
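
Review bot: the `ACG - Block legacy authentication` policy excludes sysadmin@, so the break-glass account is the one identity that can still authenticate over IMAP/POP/EAS while the Security Posture table says those protocols remain enabled tenant-wide. Excluding break-glass from every CA policy is a standard lockout safeguard, but it has no lockout benefit for an account that never uses legacy clients, and until the protocols are switched off in Exchange Online it leaves the exact path this incident used open for the most privileged account in the tenant; either drop that one exclusion or make the protocol disablement the first item under the [WARNING]. Also in this hunk: DKIM and DMARC are still MISSING after 1,000 phishing messages went out under Ken's name, so those two rows should be the first HIGH items rather than carry-overs, and the `Tenant Admin` service principal's JIT Privileged Authentication Administrator that "MUST be removed" should carry an owner and a date.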
@@ -247,102 +212,323 @@ ACG `sysadmin` account is unlicensed.
|
||||
| Site name | Main Office |
|
||||
| Site ID | 851376d1-33be-46ee-9e48-be44767e4a0a |
|
||||
| Site code | SILVER-HAWK-7639 |
|
||||
| Site address | 2539 N Balboa Ave #125, Tucson AZ 85705 |
|
||||
| API key (enrollment) | Vault: `clients/kittle/gururmm-site-main.sops.yaml` (vault commit 6eb3414) |
|
||||
| API key (enrollment) | Vault: `clients/kittle/gururmm-site-main.sops.yaml` |
|
||||
| Dashboard | https://rmm.azcomputerguru.com |
|
||||
| API | https://rmm-api.azcomputerguru.com |
|
||||
|
||||
**GuruRMM client and site created 2026-05-08** by Howard during Joshua onboarding onsite. Agent deployment was in progress at time of log:
|
||||
- SERVER (SERVER2021) — agent install pending/in-progress during onsite
|
||||
- Wrex's workstation (DESKTOP-2560Q7R) — agent install pending/in-progress during onsite
|
||||
- Enrolled agent IDs and hostnames: *(not yet documented — confirm after onsite)*
|
||||
|
||||
**Agent deployment command (ScreenConnect, requires `#!ps` prefix):**
|
||||
```powershell
|
||||
#!ps
|
||||
$u='https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe';
|
||||
$d='C:\Windows\Temp\gururmm-agent.exe';
|
||||
Invoke-WebRequest $u -UseBasicParsing -OutFile $d;
|
||||
& $d install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key '<key-from-vault>'
|
||||
```
|
||||
GuruRMM client + site created 2026-05-08 (Howard onsite). Agent deployment in progress:
|
||||
- SERVER (SERVER2021) — agent install initiated 2026-05-08; confirm enrolled
|
||||
- Workstations — rollout pending; deploy to FRONTDESK + others
|
||||
|
||||
---
|
||||
|
||||
## Active Projects / Open Items
|
||||
## Access
|
||||
|
||||
### CRITICAL — Must Resolve
|
||||
- **RDP / Remote (SERVER):** ScreenConnect (installed) | `\\10.0.0.5` on-prem
|
||||
- **M365 Admin Portal:** https://admin.microsoft.com (tenant: kittlearizona.com)
|
||||
- **Entra Portal:** https://entra.microsoft.com
|
||||
- **GuruRMM Dashboard:** https://rmm.azcomputerguru.com (site: SILVER-HAWK-7639)
|
||||
- **Vault path (M365 incident credentials):** `clients/kittle/m365-ken-schagel-incident.sops.yaml`
|
||||
- **Vault path (GuruRMM enrollment key):** `clients/kittle/gururmm-site-main.sops.yaml`
|
||||
- **Vault path (SERVER admin):** `clients/kittle/server2021.sops.yaml` (migrate from Syncro plaintext — see Open Items)
|
||||
- **Known Outlook accounts in Syncro notes (plaintext — migrate to vault):** kittletucson@outlook.com, kittletucson2@outlook.com
|
||||
|
||||
- [ ] **Activate Windows Server 2025 full license on SERVER** — evaluation expires after 180 days; server shuts down hourly after expiry. Check remaining time: `slmgr /dlv`
|
||||
- [ ] **Implement backup for SERVER** — No backup exists. Options: Windows Server Backup to USB/NAS, Veeam Free, cloud backup (Backblaze B2/Wasabi)
|
||||
- [ ] **Migrate credentials from Syncro plaintext to SOPS vault:**
|
||||
- SERVER admin (`administrator / AXman2Z`) → `clients/kittle/server2021.sops.yaml`
|
||||
- Outlook accounts (`kittletucson@outlook.com`, `kittletucson2@outlook.com`) → vault
|
||||
- Strip plaintext from Syncro customer notes after vaulting
|
||||
**[WARNING]** SERVER admin password and Outlook credentials are currently stored as plaintext in Syncro customer notes. Migrate to vault and strip from Syncro.
|
||||
|
||||
### HIGH Priority
|
||||
---
|
||||
|
||||
- [ ] **Configure DKIM for kittlearizona.com** — Add CNAME selectors in NSOne/Squarespace; enable signing in M365 Defender Portal. Guide: `clients/kittle/docs/email/dkim-dmarc-setup.md`
|
||||
- [ ] **Add DMARC policy for kittlearizona.com** — Start with `p=none` (monitor), escalate to `p=quarantine` after 1 week clean
|
||||
- [ ] **Migrate QuickBooks off the domain controller** — QB should run on ACCOUNTING workstation; data stays on \\SERVER\QBooks
|
||||
- [ ] **Deploy dedicated firewall** — ISP router only; no stateful inspection or content filtering
|
||||
- [ ] **Confirm Joshua Sutherland's onsite setup complete** — local admin on Wrex's PC, password changed, GuruRMM agent installed
|
||||
- [ ] **GuruRMM agent enrollment** — Confirm agents running on SERVER and Wrex's PC; roll out to FRONTDESK and other endpoints
|
||||
## BEC / ACH Fraud Incident — June 2026
|
||||
|
||||
This section documents the major Business Email Compromise and attempted ACH payment-redirection fraud of June 2026. It is the canonical incident record; detail sources are listed in the frontmatter.
|
||||
|
||||
### Incident Summary
|
||||
|
||||
A nation-state or organized-crime threat actor compromised Ken Schagel's Microsoft 365 account (entry point: credential theft in or before April 2026) and used it to attempt ACH payment-redirection fraud against two Arizona government agencies — the City of Tucson (invoices totaling $130,000+) and the Town of Marana. **The fraud was PREVENTED; no funds moved.** The FBI IC3 complaint was filed 2026-06-09 (Submission ID: `aa2ef50482ca4c05a54ae0f6cb56ffa0`).
|
||||
|
||||
### Root Cause and Entry Point
|
||||
|
||||
Ken Schagel's credentials were compromised on or before April 2026. The evidence: an IMAP legacy-auth OAuth consent (app 9b504397) was granted FROM Ken's account object ID (`5fc37e1a`) in April 2026. The **April 2026 remediation session revoked that OAuth consent but did not reset Ken's password or revoke his sessions.** As a result, the attacker retained valid credentials and persisted undetected for approximately two months until the June 2026 breach.
|
||||
|
||||
Access method: legacy IMAP/OAuth using Microsoft Desktop app `d3590ed6-52b3-4102-aeff-aad2292ab01c` with python-httpx/0.28.1, bypassing MFA (Security Defaults only; no Conditional Access; IMAP/POP/EAS enabled on all mailboxes). The original phishing lure that stole Ken's credentials is not forensically recoverable (mailbox dumpster retention does not go back to the infection date).
|
||||
|
||||
### Attack Timeline
|
||||
|
||||
| Date/Time (UTC) | Event |
|
||||
|-----------------|-------|
|
||||
| 2026-04 (approx) | Ken's credentials stolen (proven via IMAP consent granted from Ken's object ID). April remediation revokes consent but does NOT reset password — attacker persists. |
|
||||
| 2026-04-23 | ACG April breach check: Alexis fully remediated. Ken's "Admin" inbox rule classified [INFO] (not [WARNING]). Incomplete remediation. |
|
||||
| 2026-06-05 ~11:52 UTC | Attacker inserts `Accounting.kittlearizona@gmx.com` into live Kittle↔City of Tucson invoice thread (thread poisoning, 3 days before main breach). |
|
||||
| 2026-06-08 09:03 | Normal Outlook sync (Microsoft IPs) — pre-compromise. |
|
||||
| 2026-06-08 13:24 | **[BREACH START]** Attacker OWA login from 64.44.131.168 (Chicago IL, AS20278 Nexeon Technologies — VPN/hosting). |
|
||||
| 2026-06-08 13:37 | Ken's T-Mobile phone accesses account legitimately (Ken is unaware of compromise). |
|
||||
| 2026-06-08 14:51–21:09 | Attacker accesses Accounting@ mailbox as delegate (Ken had FullAccess to Accounting) — 21 MailItemsAccessed events across Inbox\Customers, Assured Partners, Employees, Sent, Deleted. |
|
||||
| 2026-06-08 15:32 / 16:14 | Attacker sends two "test" emails from OWA. |
|
||||
| 2026-06-08 15:52 / 16:45 / 18:52 / 20:29 | Attacker sends fraudulent "EFT UPDATE" / ACH banking-change emails from Accounting@ (SendOnBehalf) to Randi Arnett at City of Tucson BSD/AP. Hard-deletes the thread from both Ken@ and Accounting@ after each send to conceal. |
|
||||
| 2026-06-08 18:36–18:53 | Contact harvest: python-httpx/0.28.1 from Azure IP 40.126.41.96, 250+ MailItemsAccessed events. |
|
||||
| 2026-06-08 21:14–21:26 | Phishing blast: 1,000 "Ken Schagel shared a file with you" (fake OneDrive lure) sent in 5 batches from 45.134.224.220 (Kansas City MO, AS147049 PacketHub S.A.). 747 delivered, 227 bounced. Phishing link: `flowinnactuators.com/work.html` (credential harvesting). |
|
||||
| 2026-06-08 ~21:30 | Howard (ACG) receives phishing email — incident detected. |
|
||||
| 2026-06-08 21:41 | Mike manually blocks Ken's sign-in in Entra portal, sets temp password. |
|
||||
| 2026-06-08 ~22:00 | ACG investigation and remediation begins. 5 malicious inbox rules deleted. Lori's 10 admin roles stripped. 740 victim-notification emails sent from admin@ via EWS SOAP. |
|
||||
| 2026-06-09 (morning) | ACG discovers the ACH fraud angle via audit-log + message-trace analysis; recovers deleted fraud emails + the BSD ACH APPLICATION.pdf from Recoverable Items dumpster. |
|
||||
| 2026-06-09 | Discovery of marco@ compromise: 2 additional hidden inbox rules filtering Marana AP emails and internal accounting/ken emails. Marco had sent fraudulent "Application for Payment" and "EFT Form Update" emails to the Town of Marana AP (delivered ~17:05 UTC 2026-06-09). |
|
||||
| 2026-06-09 | Kittle (Darline Cabrera) contacts City of Tucson: **City stops the payment — no funds transferred.** Marana also confirms no ACH cleared after a human contact from Kittle. Attacker had also phoned Marana (vishing) to pressure the change. |
|
||||
| 2026-06-09 12:46 PM EST | FBI IC3 complaint filed. Submission ID: `aa2ef50482ca4c05a54ae0f6cb56ffa0`. |
|
||||
| 2026-06-09 | Conditional Access deployed (Security Defaults disabled, CA enforced). Entra P2 added. |
|
||||
| 2026-06-09 | Ken's password reset in person on-site by Mike. |
|
||||
|
||||
### Targeted Payers and Financial Exposure
|
||||
|
||||
**City of Tucson (BSD/AP):**
|
||||
- Contact in fraud thread: Randi Arnett (Finance Manager, Randi.Arnett@tucsonaz.gov); AP: HCDAccountsPayable-Finance@tucsonaz.gov
|
||||
- Fraudulent ACH/EFT banking-change form (BSD ACH Application) submitted impersonating Darline Cabrera (bookkeeper)
|
||||
- Exposed invoices: #31468 ($123,776.75 — MMC Generator Upgrade), #31400 (~$8,818 — COT Knights Inn Fire Suppression, EFT scheduled 2026-06-09), #31453 ($41,231 — due 2026-06-28)
|
||||
- **Total identified exposure: $130,000+** (all future City-of-Tucson payments would have been redirected by an approved ACH change)
|
||||
- **OUTCOME: City stopped payment before any transfer. $0 actual loss.**
|
||||
|
||||
**Town of Marana:**
|
||||
- Contacts targeted: accountspayable@maranaaz.gov, mmurray@maranaaz.gov, sfields@maranaaz.gov
|
||||
- Fraudulent "Application for Payment" + "EFT Form Update" emails sent FROM marco@ 2026-06-09
|
||||
- Attacker also phoned Marana (vishing from phone 659-221-9243) to pressure the bank change
|
||||
- **OUTCOME: Fraud prevented. No ACH cleared.**
|
||||
|
||||
**Mule (fraudulent receiving) accounts:**
|
||||
| Bank | Routing | Account | Name |
|
||||
|------|---------|---------|------|
|
||||
| Truist Bank | 053201607 | 1410020505238 | "Kittle Design & Construction" (fraudulent) |
|
||||
| First State Bank of East Detroit (MI) | 072410165 | 62100616 | FOAM FACTORY INCORPORATED |
|
||||
| JPMorgan Chase Bank, N.A. | 021000021 (wire) / 072000326 (ACH) | 2906183268 | FOAM FACTORY INCORPORATED |
|
||||
|
||||
Kittle confirmed it has no relationship with Foam Factory Incorporated.
|
||||
|
||||
### Attacker Infrastructure

| IP / Domain | Type | Use | Notes |
|-------------|------|-----|-------|
| 64.44.131.168 | IP | OWA access, fraud email sends, evidence deletion | Chicago IL, AS20278 Nexeon Technologies (VPN/hosting) — CA blocked |
| 45.134.224.220 | IP | Phishing blast (1,000 emails) | Kansas City MO, AS147049 PacketHub S.A. — CA blocked |
| 40.126.41.96 | IP | Contact harvest via python-httpx | Microsoft Azure — CA blocked |
| 66.179.30.87 + IPv6 | IP | (threat-intel: nation-state indicator) | CA blocked |
| Accounting.kittlearizona@gmx.com | Email | Thread poisoning / reply-chain hijack | GMX free account; inserted into Kittle↔City invoice thread 2026-06-05 |
| kittlarizona.com | Lookalike domain | Attacker CC reply address (missing 'e') | Namecheap registrar / Zoho email hosting; registered 2026-06-09 15:34 UTC; blocked in-tenant + abuse reports to Zoho + Namecheap |
| tucsonoz.com | Lookalike domain | Impersonating tucsonaz.gov | PublicDomainRegistry / Titan email hosting; used in fraud email (randi.arnett@tucsonoz.com) — blocked in-tenant + abuse reports |
| (659) 221-9243 | Phone | Vishing — pressured Marana to process bank change | Listed on fraudulent ACH form |
| d3590ed6-52b3-4102-aeff-aad2292ab01c | OAuth App | Microsoft Desktop app used for IMAP/token access | First-party app ID, not malicious by itself; used with stolen credentials + python-httpx |

### Malicious Artifacts Removed

**Inbox rules (6/8 — 5 rules across 3 mailboxes):**
| Mailbox | Rule Name | Action | Discovered |
|---------|-----------|--------|------------|
| Ken@kittlearizona.com | "." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| Ken@kittlearizona.com | "Admin" | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| alexis@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| Accounting@kittlearizona.com | ".." | Move mail FROM Ken → RSS Feeds (Priority 1) | 2026-06-08 — suppressing ALL inbound at discovery |
| Accounting@kittlearizona.com | "..." | Move ALL mail → RSS Feeds (Priority 2) | 2026-06-08 — suppressing ALL inbound at discovery |

**Inbox rules (6/9 — 2 more on marco@):**
| Mailbox | Action | Subject filter |
|---------|--------|----------------|
| marco@kittlearizona.com | Move to RSS Feeds, MarkAsRead, StopProcessing | "EFT Form Update" / "KDC - Application for Payment #1 Job No. 5654.25" / sender @maranaaz.gov |
| marco@kittlearizona.com | Move to RSS Feeds, MarkAsRead, StopProcessing | Internal: accounting@, ken@ |

**Pre-existing April rule (not attacker-planted — confirmed 2026-06-08):**
- Ken "Christina Micek" rule — StopProcessingRules:true, no action/filter. Confirmed benign by Mike (2026-06-08 full sweep).

**OAuth grants revoked on alexis@ (2026-06-08):**
- PERFECTDATA app — Mail.ReadWrite, Files.ReadWrite (immediately revoked — clearly malicious)
- Alignable app — offline_access, User.Read, Contacts.Read (revoked at Mike's direction)

**April OAuth revocations (pre-incident, 2026-04-23):**
- c5df10ae AllPrincipals app — 7 grants deleted including Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
- IMAP legacy auth app 9b504397 — IMAP.AccessAsUser.All (consented by Ken's account object; password NOT reset at the time — root cause of persistence)

**Privilege excess corrected:**
- Lori Schagel: 10 pre-existing admin roles (including Global Administrator) stripped 2026-06-08; re-assigned User Administrator only. Confirmed pre-existing (not attacker-planted) via directoryAudits.
- Ken FullAccess to Accounting@ removed (2026-06-09 remediation) — this delegate access was the vector for attacker to operate the finance mailbox.

### Remediation Actions Completed

| Action | Date | Status |
|--------|------|--------|
| Ken sign-in blocked + temp password set | 2026-06-08 | [OK] — vault: clients/kittle/m365-ken-schagel-incident.sops.yaml |
| Ken sessions revoked + all 10 admin roles stripped | 2026-06-08 | [OK] |
| Ken re-enabled; MFA verified clean | 2026-06-08 | [OK] — single iPhone 12 Pro Max, no attacker devices |
| Ken password reset in person on-site | 2026-06-09 | [OK] — prior temp values superseded/stale |
| Ken outbound-spam send restriction removed | 2026-06-09 | [OK] |
| 5 malicious inbox rules deleted (Ken x2, Alexis x1, Accounting x2) | 2026-06-08 | [OK] — Accounting mail flow restored immediately |
| Alexis PERFECTDATA + Alignable OAuth grants revoked | 2026-06-08 | [OK] |
| Lori 10 admin roles stripped → re-assigned User Administrator | 2026-06-08 | [OK] |
| Lori sessions revoked | 2026-06-08 | [OK] |
| 740 victim-notification emails sent from admin@ | 2026-06-08 | [OK] — via EWS SOAP; 7 automated addresses filtered |
| Wrex sessions revoked + password reset | 2026-06-08 | [OK] |
| marco@ 2 hidden inbox rules deleted | 2026-06-09 | [OK] |
| marco@ password reset (force-change) + sessions revoked | 2026-06-09 | [OK] |
| admin@ (Kim) password reset (force-change) + sessions revoked | 2026-06-09 | [OK] |
| admin@ MFA reset: added phone as default, removed Authenticator | 2026-06-09 | [OK] |
| Ken FullAccess to Accounting@ removed | 2026-06-09 | [OK] |
| Wrex offboarded: disabled, sessions revoked, mailbox → shared | 2026-06-09 | [OK] |
| Joshua FullAccess + SendAs to Wrex's former mailbox | 2026-06-09 | [OK] |
| kittlarizona.com blocked in Kittle tenant Allow/Block List | 2026-06-09 | [OK] |
| tucsonoz.com blocked in-tenant | 2026-06-09 | [OK] |
| Abuse reports sent: Zoho + Namecheap re: kittlarizona.com | 2026-06-09 | [OK] — awaiting takedown response |
| Security Defaults DISABLED; CA policies ENFORCED | 2026-06-09 | [OK] |
| Entra P2 added (all users) | 2026-06-09 | [OK] — Identity Protection now available |
| FBI IC3 complaint filed (aa2ef50482ca4c05a54ae0f6cb56ffa0) | 2026-06-09 | [OK] |
| Syncro tickets updated; billing applied | 2026-06-08/09 | [OK] |

### Incident Evidence (preserved by ACG)

All evidence retained locally at `C:\Users\guru\Downloads\Kittle-IC3-Package\` on GURU-5070:
- FRAUD_BSD_ACH_APPLICATION.pdf — fraudulent ACH change form submitted to City of Tucson (Truist bank details)
- Ken_ACH-FoamFactory.pdf — second ACH form (Foam Factory Inc accounts)
- recovered-fraud-emails.txt — full EFT UPDATE / ACH thread recovered from Recoverable Items dumpster
- attacker-audit-events.csv — 171-event M365 Unified Audit Log export
- IC3-fill-sheet.txt + IC3 complaint report PDF + BANK-FRAUD-NOTIFICATIONS PDF
- resolution-confirmation.txt — City of Tucson payment stop confirmation

---

## Patterns & Known Issues

### [CRITICAL PATTERN] Incomplete remediation = attacker persistence

**What happened:** April 2026 remediation revoked an IMAP OAuth consent that was provably granted by Ken's account. The correct response was: revoke consent + reset Ken's password + revoke Ken's sessions. Instead, only the consent was revoked. The attacker still had Ken's valid password, so they retained full OWA access for ~2 months until June 2026.

**Rule:** Whenever an OAuth consent or suspicious sign-in is attributed to a specific user account object ID, that account's password MUST be reset and all sessions revoked — not just the consent or the artifact. Revoking an OAuth consent while the underlying credential is still valid accomplishes nothing if the attacker can simply log in directly.

### [CRITICAL PATTERN] Signal misclassification: financial-platform inbox rule + legacy-auth consent = auto-[WARNING]

**What happened:** The April breach check classified Ken's "Admin" inbox rule (filtering Capital One + Bill.com + @flystucson.com) as [INFO] with "confirm with user" guidance. Combined with the IMAP consent from the same user object, these two signals together should have triggered a mandatory [WARNING] and forced password reset — not a "ask Ken to confirm" deferral. "Confirm with the user" is unreliable when the account may already be compromised and the attacker can read incoming verification emails.

**Rule:** Financial-platform filtering inbox rule + legacy-auth IMAP consent from the same user object = treat as [WARNING] regardless of "could be legitimate" explanations. Escalate to password reset + session revocation. Do not defer to user confirmation without first containing the account.

### [PATTERN] Lookalike domain + reply-chain hijack + in-mailbox ACH fraud

This incident used a layered attack pattern:
1. Register a lookalike domain (kittlarizona.com vs kittlearizona.com) for reply-chain insertion.
2. Insert the lookalike address into a legitimate invoice email thread days before accessing the real mailbox (thread poisoning as of 2026-06-05, 3 days early).
3. Once inside the real mailbox, send from the REAL company email address (not the lookalike) for maximum legitimacy.
4. Hard-delete the evidence immediately after each send.
5. Supplement with vishing — phoning the target AP to verbally pressure approval.

**Rule:** ACH/bank-change requests received via email (even from a known email address) should ALWAYS require a callback to a pre-known phone number to verify. Email alone is insufficient authorization for banking changes, even from a trusted sender. The attacker was operating the real mailbox, not just spoofing it.

### [PATTERN] Dual-target simultaneous fraud

The attacker targeted TWO government AP departments simultaneously (City of Tucson from Ken/Accounting; Town of Marana from marco@), indicating prior reconnaissance of Kittle's active government billing relationships. Investigate scope of attacker's knowledge when post-mortems are conducted.

### [PATTERN] No Conditional Access + legacy protocols enabled = MFA bypass

Security Defaults-only protection does not block legacy auth clients (IMAP, POP, EAS, MAPI over HTTP). The attacker used IMAP/OAuth to authenticate without triggering MFA. Without a `Block legacy authentication` CA policy, Security Defaults' MFA enforcement is trivially bypassed by any attacker who can consent or steal a legacy-auth token.

**Rule:** Every tenant in the ACG fleet should have at minimum: `Block legacy authentication` CA policy. The `Require MFA for all users` + `Block non-US` combination adds additional depth. Security Defaults alone is not sufficient for clients with financial operations.

### [PATTERN] Privilege excess amplifies BEC impact

Ken was Global Admin AND had standing FullAccess (delegate) to the Accounting/finance mailbox. With a single credential compromise, the attacker could operate as the owner AND the bookkeeper simultaneously. Attacker leveraged Ken's delegate access to send fraudulent bank-change forms from the bookkeeper's real identity (not the lookalike).

**Rule:** Owners and executives should not hold standing FullAccess to financial mailboxes. If access is genuinely needed, use JIT (just-in-time) access grants, not permanent delegate permissions. Separate the owner identity from the finance identity.

### [PATTERN] Evidence deletion + dumpster recovery

Attacker hard-deleted the entire fraud email thread from both mailboxes immediately after each send. The deleted emails + PDF attachment were recovered from the M365 Recoverable Items dumpster (30-day default retention) via Graph API. **The dumpster saved this investigation.** Without it, the ACH fraud angle would not have been discovered.

**Rule:** Always check the Recoverable Items dumpster (`/mailFolders/recoverableitemsdeletions/messages`) during any BEC investigation. Attacker cleanup is incomplete — they can hard-delete from the mailbox but not from the dumpster without the purge permission they don't hold.

### [PATTERN] Lori GA exposure — pre-existing oversight

Lori Schagel had 10 admin roles including Global Administrator as a pre-existing condition, predating the incident by more than 30 days. Not attacker-planted. Two GA accounts on a 14-user small-business tenant represents unnecessary attack surface. If either is compromised, the other becomes the recovery path — but also becomes an extra target.

**Rule:** Small-business tenants should have exactly one active GA account (or two, with the second being a break-glass with a very strong password and no MFA registration, NOT a named-user account). Review GA assignments at every breach check. Strip and downscope unnecessary GA on sight.

### [WARNING] IMAP/POP/EAS still enabled tenant-wide

Legacy protocols remain enabled as of 2026-06-09. The CA `Block legacy authentication` policy now blocks sign-in via legacy auth, but the protocols themselves are still enabled and could represent residual risk (e.g., if the CA policy is ever accidentally disabled). Disable IMAP/POP/EAS at the mailbox level tenant-wide as defense in depth.

### [WARNING] ScreenConnect command runner defaults to `cmd` context

PowerShell scripts run via ScreenConnect MUST be prefixed with `#!ps`. `Invoke-WebRequest`, `ConvertTo-SecureString`, etc. silently fail without it.

### [WARNING] Do NOT run `Add-LocalGroupMember` on the DC

DCs have no local SAM; the command will fail with "Group Administrators was not found." Run on the target workstation instead.

### [WARNING] SERVER is the sole domain controller with no backup

Any outage = complete loss of AD, DNS, file shares, and QuickBooks data. No failover. No backup. Address before any other infrastructure work.

### [WARNING] QuickBooks Pro 2024 is on the DC

Do not migrate or decommission SERVER without a proper QuickBooks migration plan. Data is at `C:\Shares\Home\QBooks`.

---

## Active Work

### CRITICAL — Residual Incident Items

- [ ] **Remove Privileged Authentication Administrator from Tenant Admin SP in Kittle Entra portal.** (JIT role granted during reset-password.sh for Ken reset on 6/9; script cannot self-remove; MUST be done manually at https://entra.microsoft.com.) See coord todo or track in Syncro.
- [ ] **Disable IMAP/POP/EAS tenant-wide** — CA now blocks legacy auth, but protocols remain enabled. Defense-in-depth: disable at mailbox level.
- [ ] **Confirm bank freeze calls completed** (Truist 844-487-8478 / Enterprise Fraud Mgmt 866-802-4955; First State Bank fraud 866-372-1275; Chase Global Bank Recoveries 866-954-3718 opt 4 / gb.fraud.recovery@jpmorgan.com).
- [ ] **Re-add appropriate admin role to Ken** — all 10 stripped during containment; Ken is owner/GA by function. Re-add Global Administrator + Exchange Administrator once incident is formally closed.
- [ ] **alexis@ duplicate Authenticator cleanup** — entry `c927402a-75c6-4a55-840a-86d1eea43a9b` ("iPhone 12 Pro Max", app ver 6.8.40). Confirm with Alexis how many Kittle accounts are on her phone; remove if only one. Also review OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused.
- [ ] **Wrex license removal** — mailbox converted to shared, user disabled; free the Business Standard license.
- [ ] **Christina Micek inbox rule on Ken** — confirmed benign during 6/8 sweep (copy rule, no suppression). Still worth Ken confirming explicitly for documentation closure.
- [ ] **Warn Ken's phished external contacts** — 740+ recipients received the "Ken Schagel shared a file with you" phishing email; link was `flowinnactuators.com/work.html` (credential harvesting). Formal notification recommended.
- [ ] **Run Entra P2 Identity Protection risky-users scan** — P2 now licensed; first risky-users sweep not yet run.
- [ ] **Confirm kittlarizona.com Zoho + Namecheap takedown** — abuse reports sent 2026-06-09; confirm suspension/removal.
- [ ] **Enable SSPR (Self-Service Password Reset) — portal-only mode** — reduces future recovery friction; limit to portal not mobile/email to avoid account-takeover via SSPR.
- [ ] **Confirm City of Tucson follow-up** — exact invoice amounts (especially #31400 ~$8,818), written documentation of payment stop, any City-side IC3 filing.

### HIGH Priority — Infrastructure

- [ ] **Activate Windows Server 2025 full license on SERVER** — evaluation expires 180 days from install; hourly shutdown after expiry. Check: `slmgr /dlv`.
- [ ] **Implement backup for SERVER** — no backup of any kind. Options: Windows Server Backup to USB/NAS, Veeam Free, cloud backup (Backblaze B2/Wasabi).
- [ ] **Configure DKIM for kittlearizona.com** — guide at `clients/kittle/docs/email/dkim-dmarc-setup.md`.
- [ ] **Add DMARC for kittlearizona.com** — start `p=none`, escalate to `p=quarantine` after 1 week clean.
- [ ] **Migrate credentials from Syncro plaintext to SOPS vault** — SERVER admin, Outlook accounts.
- [ ] **Migrate QuickBooks off the DC** — QB should run on ACCOUNTING workstation.
- [ ] **Deploy dedicated firewall** — ISP router only; no stateful inspection.

### MEDIUM Priority

- [ ] Migrate DHCP from ISP router to Windows Server; verify DNS option hands out 10.0.0.5
- [ ] Replace role-based AD accounts (`accountant`, `frontdesk`) with individual named accounts
- [ ] Rename 4 workstations with generic DESKTOP-xxx / WINDOWS-xxx names
- [ ] Investigate and identify port 8019 on SERVER
- [ ] Identify unknown DNS registrar for kittlearizona.com
- [ ] Verify what DNS server ISP router hands out via DHCP (critical for AD)
- [ ] Investigate email issue: emails moved to folders reappearing in inbox (suspected Outlook cached mode / OST corruption)
- [ ] Identify M365 mailbox need for Joshua Sutherland (AD creation is separate from M365 licensing)

### LOW Priority

- [ ] Create reverse DNS zone for 10.0.0.0/24 (0.0.10.in-addr.arpa)
- [ ] Identify purpose of secondary SERVER volume "Server2 2022_03_31" (~2 TB)
- [ ] Identify 3 unknown workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) — requires onsite correlation
- [ ] Add secondary DNS forwarder on SERVER (8.8.8.8 or 1.1.1.1) for ISP router failure redundancy
- [ ] Enable DNS scavenging to prevent stale records
- [ ] Identify remaining ~20 unknown ARP entries on the network
- [ ] Identify DHCP reservations on ISP router; create proper reservations for SERVER, switch, printers
- [ ] GuruRMM agent enrollment confirmation — confirm agents running on SERVER and workstations.
- [ ] Lori GA review — discuss with Ken whether she needs any admin role; User Administrator is current scope.
- [ ] Migrate DHCP from ISP router to Windows Server; verify DNS option hands out 10.0.0.5.
- [ ] Replace role-based AD accounts (accountant, frontdesk) with individual named accounts.
- [ ] Rename workstations with generic DESKTOP-xxx / WINDOWS-xxx names.
- [ ] Identify and map 3 unknown workstations.
- [ ] Investigate port 8019 on SERVER (likely QuickBooks or ScreenConnect).
- [ ] Lori old Samsung S10+ Authenticator entry da5454c7 — remove if she's confirmed on current phone.
- [ ] Enroll Scott in Microsoft Authenticator (phone-only MFA currently).

---

## Key Events / History
## History Highlights

| Date | Event |
|------|-------|
| 2026-04-16 | Standard client directory structure applied by Howard; onboarding started |
| 2026-04-23 | Email DNS audit: SPF confirmed OK, DKIM/DMARC confirmed missing |
| 2026-04-28 | M365 licensing documented: 16 total seats (12 Business Standard + 4 E3), all assigned |
| 2026-03-12 | Server audit: discovered evaluation license, no backup, QB on DC, no firewall, role-based accounts, DHCP on ISP router |
| 2026-03-12 | Fixed HomeFolder GPO drive map action from Replace → Update to stop File Explorer closing on GP refresh |
| 2026-03-20 | Deployed "Intranet Zone - File Server" GPO — adds \\SERVER and \\10.0.0.5 to Local Intranet zone; fixes PDF preview on shares (Oct 2025 security update regression) |
| 2026-03-25 | FRONTDESK: folder view sort order fix — cleared Bags/BagMRU registry, disabled auto folder-type detection, forced Details view via AllFolders shell key |
| 2026-05-08 | Howard onsite: AD user `joshua.sutherland` created; GuruRMM client + Main Office site created; GuruRMM enrollment key vaulted; agents being deployed to SERVER and Wrex's PC |
| 2026-04-16 | Client directory structure applied; onboarding started. |
| 2026-04-23 | ACG April M365 breach check (ticket #32207): Alexis hidden inbox rule + duplicate Authenticator remediated; malicious OAuth (c5df10ae AllPrincipals) + IMAP consent (9b504397, GRANTED BY KEN'S ACCOUNT) revoked. Ken "Admin" rule classified [INFO]; password NOT reset — **critical incomplete remediation that enabled 2-month attacker persistence.** |
| 2026-05-08 | Howard onsite: AD user joshua.sutherland created; GuruRMM client + Main Office site created; agent deployment begun. |
| 2026-06-08 | **BEC BREACH DAY.** Ken@ compromised via OWA (13:24 UTC) from Nexeon VPN IP. Attacker used Ken's FullAccess delegate to Accounting@ to send fraudulent ACH banking-change forms to City of Tucson. 1,000-recipient phishing blast sent; 747 delivered. ACG detects at ~21:30 UTC (Howard receives phishing email). Mike blocks Ken at 21:41. Full remediation overnight: 5 malicious inbox rules deleted, Lori's 10 admin roles stripped + re-scoped, 740 victim notifications sent. Syncro ticket #32393 opened. |
| 2026-06-08 (same day, pre-breach) | ACG full M365 security sweep (ticket #32394) confirms April remediation complete, SMTP forwarding clean on all 13 mailboxes. Sweep ran hours before the main breach was detected. |
| 2026-06-09 | ACH fraud discovered: attacker had sent fraudulent BSD ACH bank-change forms to City of Tucson; evidence hard-deleted but recovered from Recoverable Items dumpster. marco@ additional compromise found: 2 hidden inbox rules + fraudulent Marana AP emails. marco@ remediated. Kim (admin@) remediated. Wrex offboarded. CA hardening deployed (Security Defaults disabled, 3 CA policies enforced). Entra P2 added. FBI IC3 filed (#aa2ef50482ca4c05a54ae0f6cb56ffa0). Ken's password changed in person on-site. Tickets #32393/#32394 invoiced. |
| 2026-06-09 | **FRAUD PREVENTED.** City of Tucson stopped payment before any funds transferred (~$130,000+ exposure). Town of Marana confirms no ACH cleared. Attacker used phone (659-221-9243) for vishing against Marana. Total actual financial loss: $0. |

---

## Anti-Patterns / Warnings
## Tickets (Incident-Related)

- [WARNING] **ScreenConnect command runner defaults to `cmd` context** — PowerShell scripts MUST be prefixed with `#!ps` or they will fail silently. `Invoke-WebRequest`, `ConvertTo-SecureString`, etc. all require PowerShell.
- [WARNING] **Do NOT run `Add-LocalGroupMember` on the DC to add a user to local Administrators** — DCs have no local SAM; the command will fail with "Group Administrators was not found." Run this on the target workstation instead.
- [WARNING] **SERVER is the sole domain controller** — Any outage = complete loss of AD, DNS, file shares, and QuickBooks data. No backup. No failover.
- [WARNING] **QuickBooks Pro 2024 is on the DC** — Do not migrate or decommission SERVER without a proper QuickBooks migration plan. Data is at `C:\Shares\Home\QBooks`.
- [WARNING] **DHCP DNS server unknown** — ISP router may be handing out ISP DNS instead of 10.0.0.5. Do not assume domain resolution works correctly for all clients. Test before deploying domain-joined systems.
- [WARNING] **Two Outlook account credentials (`kittletucson@outlook.com` / `kittletucson2@outlook.com`) and the SERVER admin password (`administrator / AXman2Z`) are in Syncro customer notes as plaintext.** Migrate to vault and strip from Syncro before any additional access sharing.
- [WARNING] **Wrex's AD account (`wrex`) is still active** but his workstation is now used by Joshua Sutherland. Wrex's account should be reviewed — disable or confirm Wrex is still an employee.
- [WARNING] **Password set during Joshua onboarding (`Kota2020!`) was set with force-change-at-logon.** Confirm Joshua completed the password change; if not, the temp password is known to Howard.
- [WARNING] **DKIM and DMARC are not configured.** Domain kittlearizona.com can be trivially spoofed. Emails to strict recipients (Gmail, Google Workspace) may land in spam.
- [WARNING] **GPO drive map action (HomeFolder GPO)** — Must stay as `Update`, not `Replace`. Changing back to Replace will cause File Explorer to close during GP refresh for users browsing mapped drives.
- [WARNING] **Always use `Update` (not `Replace`) for GPO drive maps** — Replace tears down and recreates the drive connection every ~90 min GP refresh cycle, killing open Explorer windows.
| Ticket | Description | Date | Status |
|--------|-------------|------|--------|
| #32207 | April M365 breach check + Alexis remediation | 2026-04-23 | Invoiced — 1.0 hr |
| #32393 | BEC incident — Ken phishing blast, initial remediation (rules, Lori, notifications) | 2026-06-08 | Invoiced |
| #32394 (ID: 112389608) | Full sweep (pre-incident) + CA hardening + marco remediation + ACH fraud investigation + IC3; 1.5h emergency remote | 2026-06-09 | Invoiced — 1.5h @ $225 = $337.50 (invoice 1650625794) |

---

## Backlinks

- [[projects/gururmm]] — GuruRMM agent enrollment; Kittle is an active RMM client as of 2026-05-08
- [[clients/kittle-design]] — pre-merge article (April breach history); superseded by this article
- [[projects/gururmm]] — GuruRMM agents deployed to Kittle; active RMM client as of 2026-05-08
- [[clients/internal-infrastructure]] — ACG UniFi controller manages Kittle's UniFi switch

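Review bot: the Anti-Patterns / Warnings bullets in this hunk (the Syncro-plaintext warning and the Joshua onboarding warning) spell out the SERVER administrator password and the Joshua temporary password in clear. The rendered diff here carries no +/- markers, but whether those lines are the removed side or are carried into the compiled page, the values are now in repository history right next to the `Migrate credentials from Syncro plaintext to SOPS vault` todo; suggest the page keep only a vault reference, as the Remediation table already does for Ken (`vault: clients/kittle/m365-ken-schagel-incident.sops.yaml`), and that both values be treated as exposed. Smaller structural points in the same hunk: `## Key Events / History` is immediately followed by `## History Highlights` with no body, `## Anti-Patterns / Warnings` likewise sits directly above `## Tickets (Incident-Related)`, the History table carries the 2026-04-16 and 2026-05-08 rows twice, the LOW Priority list repeats the MEDIUM items (DHCP migration, role-based accounts, workstation renames, port 8019), and `[[projects/gururmm]]` appears twice under Backlinks; if these are not simply the old side of the diff they deserve a pass before merge.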
@@ -37,11 +37,11 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| [Equity Valuation Services (EVS)](clients/evs.md) | Financial services; minimal infra documented; single Win11 VM maintained by Howard; Win11 right-click menu fix applied | 2026-05-24 |
| [Furrier / Desert Rat](clients/furrier.md) | Mike Furrier owner; desertrat.com on websvr/cPanel; DMARC p=reject + Mailprotector SBR fix applied 2026-04-21; tim@ is a forwarder (not a mailbox); Syncro ID 391491 | 2026-05-24 |
| [Horseshoe Management](clients/horseshoe-management.md) | Property management; prepaid block 31.75 hrs remaining at $175/hr; APC Smart-UPS P.17 bypass relay fault cleared; repeat UPS failures suggest electrical issue; plaintext creds in Syncro notes — needs vault migration | 2026-05-24 |
| [Kittle Design & Construction](clients/kittle-design.md) | Design & construction; M365 kittlearizona.com; breach confirmed (Alexis hidden inbox rule + duplicate Authenticator); broad OAuth consent revoked; Ken inbox rule unresolved; no Entra P1/P2 | 2026-05-24 |
| [Kittle Design & Construction](clients/kittle-design.md) | **SUPERSEDED → see [kittle.md](clients/kittle.md)** (consolidated 2026-06-09). Older M365-breach-only article; the canonical Kittle record now lives at clients/kittle.md. | 2026-06-09 |
| [Wolkin Law](clients/wolkin.md) | Law practice; contract type (verify); Robert Wolkin (owner/attorney) + Julie (assistant/remote worker); M365 rswolkin.com (Julie has FullAccess to Robert's mailbox); 3 GuruRMM Win11 agents (FRONT office PC, RSW-Laptop remote, DESKTOP-V1JT1SE Bob's desktop); ZeroTier mesh VPN 17d709436c834c9b (10.147.19.199 FRONT, 10.147.19.54 RSW-Laptop); SMB shares Data/OneDrive/ClientFiles accessible via ZeroTier; printer access incomplete (deferred to Windows PC); active ticket #32369 remote work setup | 2026-06-07 |
| [The Law Offices of Chris Scileppi](clients/scileppi-law.md) | Law firm; Syncro ID 9601863; Sylvia Mac mini (M2 8 GB) mail memory exhaustion; Mail disabled; on webmail; replacement Mac mini (M4 16/24 GB) pending order; GuruRMM enrollment blocked | 2026-05-24 |
| [Western Tire](clients/western-tire.md) | Tire retail (jackfurriers.com brand); Mike Furrier owner (Syncro ID 391491); email migrated from websvr to IX 2026-04-22; 30 mailboxes; SSL cert expires 2026-05-30 | 2026-05-24 |
| [Kittle (general contractor)](clients/kittle.md) | General contractor Tucson AZ; Syncro 32460233; HPE MicroServer Gen11 WS2025 EVAL at 10.0.0.5; no backups, no firewall; DKIM/DMARC missing; 3 plaintext creds in Syncro notes; GuruRMM onboarding 2026-05-08 | 2026-05-24 |
| [Kittle Design & Construction LLC](clients/kittle.md) | **Canonical Kittle article.** GC Tucson AZ; Syncro 32460233; M365 kittlearizona.com (tenant 3d073ebe); **major June 2026 BEC/ACH-fraud incident** — Ken+marco+Accounting compromised, fraudulent bank-change to City of Tucson + Town of Marana ($130K+ exposure, PREVENTED, no loss), IC3 filed; root cause = April credential theft + incomplete remediation (password never reset → ~2mo persistence); CA hardened + Entra P2 added 6/9; HPE MicroServer WS2025 EVAL, no backups/firewall | 2026-06-09 |
| [Khalsa (two-site)](clients/khalsa.md) | Two-site client (Camden + River); onboarding not completed; domain khalsa.local, DC TROUT at 10.11.12.254; Mac domain-join runbook documented; template docs otherwise empty | 2026-05-24 |
| [Lone Star Electrical Systems](clients/lonestar-electrical.md) | Electrical contractor Tucson AZ; Syncro 33809612, prepaid block 13.5 hrs; Google Workspace (not M365); ManageEngine MDM (Zoho); Unraid server (7.1.4, USB migrated 2026-06-02); LS-1/LS-2 Sophos removal COMPLETE (2026-06-02); Defender active on both; field/mobile-first | 2026-06-02 |
| [Anaise](clients/anaise.md) | Single workstation client; contact David (anaisedavid.office@gmail.com); DESKTOP-O8GF4SD; creds in vault at clients/anaise/desktop-o8gf4sd.sops.yaml; onboarding incomplete; M365 enrollment unconfirmed | 2026-05-24 |

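Review bot: the new `Kittle Design & Construction LLC` index row states the outcome as `PREVENTED, no loss` as though settled, while the article's own Active Work still lists `Confirm bank freeze calls completed` and `Confirm City of Tucson follow-up` (written documentation of the payment stop) as open items; suggest wording it `PREVENTED pending bank/City written confirmation` so the index does not outrun the record it summarises. The superseded `clients/kittle-design.md` row is kept as a live table entry rather than removed; since the context line says `/wiki-lint` checks for stale entries, either confirm lint tolerates the SUPERSEDED marker or drop the row and rely on the article's Backlinks line for the pointer.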