sync: auto-sync from GURU-BEAST-ROG at 2026-07-16 10:11:10

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-16 10:11:10
This commit is contained in:
Winter Williams
2026-07-16 10:12:05 -07:00
parent 7e1525711a
commit eba471a61a
18 changed files with 65387 additions and 0 deletions

1
.khalsa-diag1.b64 Normal file

File diff suppressed because one or more lines are too long

28
.khalsa-diag1.ps1 Normal file
View File

@@ -0,0 +1,28 @@
$ErrorActionPreference='SilentlyContinue'
$o=New-Object System.Text.StringBuilder
function W($s){[void]$script:o.AppendLine($s)}
W '=DEFENDER='
$m=Get-MpComputerStatus
W ("mode=$($m.AMRunningMode) rtp=$($m.RealTimeProtectionEnabled) av=$($m.AntivirusEnabled) sig=$($m.AntivirusSignatureLastUpdated)")
W '=DETECTIONS(5)='
Get-MpThreatDetection|Sort-Object InitialDetectionTime -Descending|Select-Object -First 5|ForEach-Object{W ("$($_.InitialDetectionTime) :: $(($_.Resources -join ';'))")}
W '=PUP MATCHES='
$u=@('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*','HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
$apps=Get-ItemProperty $u|Where-Object DisplayName
$apps|Where-Object{$_.DisplayName -match 'McAfee|WebAdvisor|Norton|Avast|AVG|Avira|Driver|CCleaner|Clean|Optim|ByteFence|Segurazo|OneLaunch|Wave|TotalAV|Restoro|Reimage|Booster|Accelerate'}|ForEach-Object{W ("$($_.DisplayName) | $($_.Publisher)")}
W '=HKLM RUN='
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run').PSObject.Properties|Where-Object{$_.Name -notmatch '^PS'}|ForEach-Object{W ("$($_.Name)=$($_.Value)")}
(Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run').PSObject.Properties|Where-Object{$_.Name -notmatch '^PS'}|ForEach-Object{W ("W64:$($_.Name)=$($_.Value)")}
W '=USER RUN='
Get-ChildItem Registry::HKEY_USERS|Where-Object{$_.Name -match 'S-1-5-21' -and $_.Name -notmatch '_Classes'}|ForEach-Object{
$sid=$_.PSChildName
(Get-ItemProperty ($_.PSPath+'\Software\Microsoft\Windows\CurrentVersion\Run')).PSObject.Properties|Where-Object{$_.Name -notmatch '^PS'}|ForEach-Object{W ("[$sid] $($_.Name)=$($_.Value)")}
}
W '=NONMS TASKS='
Get-ScheduledTask|Where-Object{$_.TaskPath -notlike '\Microsoft*'}|ForEach-Object{W ("$($_.TaskPath)$($_.TaskName) [$($_.State)]")}
W ("=APPTOTAL= $($apps.Count)")
$full=$o.ToString()
$full|Out-File C:\Windows\Temp\acg-diag1.txt -Encoding utf8
$apps|Sort-Object DisplayName|ForEach-Object{"$($_.DisplayName) | $($_.Publisher)"}|Add-Content C:\Windows\Temp\acg-diag1.txt -Encoding utf8
$full
'=DONE STAGE1='

1
.khalsa-diag2.b64 Normal file
View File

@@ -0,0 +1 @@
JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJwA9AEEAVgAgAFAAUgBPAEQAVQBDAFQAUwA9ACcACgBHAGUAdAAtAEMAaQBtAEkAbgBzAHQAYQBuAGMAZQAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAByAG8AbwB0AC8AUwBlAGMAdQByAGkAdAB5AEMAZQBuAHQAZQByADIAIAAtAEMAbABhAHMAcwBOAGEAbQBlACAAQQBuAHQAaQBWAGkAcgB1AHMAUAByAG8AZAB1AGMAdAAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAIgAkACgAJABfAC4AZABpAHMAcABsAGEAeQBOAGEAbQBlACkAIABzAHQAYQB0AGUAPQAwAHgAJAAoACcAewAwADoAeAB9ACcAIAAtAGYAIAAkAF8ALgBwAHIAbwBkAHUAYwB0AFMAdABhAHQAZQApACIAIAB9AAoAJwA9AFMARQBDAFUAUgBJAFQAWQAgAEEAUABQAFMAIABJAE4AIABJAE4AVgBFAE4AVABPAFIAWQA9ACcACgBHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAGEAYwBnAC0AZABpAGEAZwAxAC4AdAB4AHQAIAB8ACAAUwBlAGwAZQBjAHQALQBTAHQAcgBpAG4AZwAgACcAQgBpAHQAZABlAGYAZQBuAGQAZQByAHwAVwBlAGIAcgBvAG8AdAB8AFMAZQBuAHQAaQBuAGUAbAB8AFMAbwBwAGgAbwBzAHwARABhAHQAdABvAHwASAB1AG4AdAByAGUAcwBzAHwATQBhAGwAdwBhAHIAZQBiAHkAdABlAHMAfABUAHIAZQBuAGQAfABLAGEAcwBwAGUAcgBzAGsAeQB8AEUAUwBFAFQAfABNAGMAQQBmAGUAZQB8AE4AbwByAHQAbwBuAHwAQQB2AGEAcwB0AHwAQQBWAEcAfABTAGUAYwB1AHIAaQB0AHkAfABDAEMAbABlAGEAbgBlAHIAfABEAGUAZgBlAG4AZABlAHIAJwAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAJABfAC4ATABpAG4AZQAuAFQAcgBpAG0AKAApACAAfQAKACcAPQBOAE8AVABJAEYASQBDAEEAVABJAE8ATgAgAEEATABMAE8AVwBTAD0AJwAKAGYAbwByAGUAYQBjAGgAKAAkAGIAIABpAG4AIAAnAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAJwAsACcATQBpAGMAcgBvAHMAbwBmAHQAXABFAGQAZwBlACcAKQB7AAoAIAAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAJABiAFwAVQBzAGUAcgAgAEQAYQB0AGEAXAAqAFwAUAByAGUAZgBlAHIAZQBuAGMAZQBzACIAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAKACAAIAAgACAAJAB3AGgAbwA9ACQAXwAuAEYAdQBsAGwATgBhAG0AZQAgAC0AcgBlAHAAbABhAGMAZQAgACcAXgBDADoAXABcAFUAcwBlAHIAcwBcAFwAKABbAF4AXABcAF0AKwApAC4AKgAnACwAJwAkADEAJwAKACAAIAAgACAAJABwAHIAbwBmAD0AJABfAC4ARABpAHIAZQBjAHQAbwByAHkALgBOAGEAbQBlAAoAIAAgACAAIAAkAGoAPQBHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAF8ALgBGAHUAbABsAE4AYQBtAGUAIAAtAFIAYQB3ACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4ACgAgACAAIAAgACQAZQB4AD0AJABqAC4AcAByAG8AZgBpAGwAZQAuAGMAbwBuAHQAZQBuAHQAXwBzAGUAdAB0AGkAbgBnAHMALgBlAHgAYwBlAHAAdABpAG8AbgBzAC4AbgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAKACAAIAAgACAAaQBmACgAJABlAHgAKQB7ACAAJABlAHgALgBQAFMATwBiAGoAZQBjAHQALgBQAHIAbwBwAGUAcgB0AGkAZQBzACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBWAGEAbAB1AGUALgBzAGUAdAB0AGkAbgBnACAALQBlAHEAIAAxAH0AIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgACIAQQBMAEwATwBXACAAJAB3AGgAbwAgACgAJABiACAAJABwAHIAbwBmACkAIAA6ADoAIAAkACgAJABfAC4ATgBhAG0AZQApACIAIAB9ACAAfQAKACAAIAB9AAoAfQAKACcAPQBFAFgAVABFAE4AUwBJAE8ATgBTAD0AJwAKAGYAbwByAGUAYQBjAGgAKAAkAGIAIABpAG4AIAAnAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAJwAsACcATQBpAGMAcgBvAHMAbwBmAHQAXABFAGQAZwBlACcAKQB7AAoAIAAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAJABiAFwAVQBzAGUAcgAgAEQAYQB0AGEAXAAqAFwARQB4AHQAZQBuAHMAaQBvAG4AcwBcACoAIgAgAC0ARABpAHIAZQBjAHQAbwByAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAKACAAIAAgACAAJABtAGYAPQBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgAkACgAJABfAC4ARgB1AGwAbABOAGEAbQBlACkAXAAqAFwAbQBhAG4AaQBmAGUAcwB0AC4AagBzAG8AbgAiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAgACAAIAAgAGkAZgAoACQAbQBmACkAewAgACQAbQA9AEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAbQBmAC4ARgB1AGwAbABOAGEAbQBlACAALQBSAGEAdwB8AEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAgACQAbgBtAD0AJABtAC4AbgBhAG0AZQA7ACAAaQBmACgAJABuAG0AIAAtAGwAaQBrAGUAIAAnAF8AXwBNAFMARwAqACcAKQB7ACQAbgBtAD0AIgBpAGQAOgAkACgAJABfAC4ATgBhAG0AZQApACIAfQA7ACAAIgAkAGIAIAA6ADoAIAAkAG4AbQAiACAAfQAKACAAIAB9ACAAfAAgAFMAbwByAHQALQBPAGIAagBlAGMAdAAgAC0AVQBuAGkAcQB1AGUACgB9AAoAJwA9AEQATwBOAEUAIABTAFQAQQBHAEUAMgA9ACcACgA=

23
.khalsa-diag2.ps1 Normal file
View File

@@ -0,0 +1,23 @@
$ErrorActionPreference='SilentlyContinue'
'=AV PRODUCTS='
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | ForEach-Object { "$($_.displayName) state=0x$('{0:x}' -f $_.productState)" }
'=SECURITY APPS IN INVENTORY='
Get-Content C:\Windows\Temp\acg-diag1.txt | Select-String 'Bitdefender|Webroot|Sentinel|Sophos|Datto|Huntress|Malwarebytes|Trend|Kaspersky|ESET|McAfee|Norton|Avast|AVG|Security|CCleaner|Defender' | ForEach-Object { $_.Line.Trim() }
'=NOTIFICATION ALLOWS='
foreach($b in 'Google\Chrome','Microsoft\Edge'){
Get-ChildItem "C:\Users\*\AppData\Local\$b\User Data\*\Preferences" | ForEach-Object {
$who=$_.FullName -replace '^C:\\Users\\([^\\]+).*','$1'
$prof=$_.Directory.Name
$j=Get-Content $_.FullName -Raw | ConvertFrom-Json
$ex=$j.profile.content_settings.exceptions.notifications
if($ex){ $ex.PSObject.Properties | Where-Object {$_.Value.setting -eq 1} | ForEach-Object { "ALLOW $who ($b $prof) :: $($_.Name)" } }
}
}
'=EXTENSIONS='
foreach($b in 'Google\Chrome','Microsoft\Edge'){
Get-ChildItem "C:\Users\*\AppData\Local\$b\User Data\*\Extensions\*" -Directory | ForEach-Object {
$mf=Get-ChildItem "$($_.FullName)\*\manifest.json" | Select-Object -First 1
if($mf){ $m=Get-Content $mf.FullName -Raw|ConvertFrom-Json; $nm=$m.name; if($nm -like '__MSG*'){$nm="id:$($_.Name)"}; "$b :: $nm" }
} | Sort-Object -Unique
}
'=DONE STAGE2='

1
.khalsa-diag3.b64 Normal file
View File

@@ -0,0 +1 @@
JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJwA9AE8ARgBGAEkAQwBFAC8ATQBDAEEARgBFAEUAIABJAE4AIABJAE4AVgBFAE4AVABPAFIAWQA9ACcACgBHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAGEAYwBnAC0AZABpAGEAZwAxAC4AdAB4AHQAIAB8ACAAUwBlAGwAZQBjAHQALQBTAHQAcgBpAG4AZwAgACcATwBmAGYAaQBjAGUAfAAzADYANQB8AE0AYwBBAGYAZQBlACcAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATABpAG4AZQAuAFQAcgBpAG0AKAApAH0AIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAewAkAF8AIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAXgBTAGUAYwB1AHIAaQB0AHkAIABVAHAAZABhAHQAZQB8AF4AVQBwAGQAYQB0AGUAIABmAG8AcgAgAE0AaQBjAHIAbwBzAG8AZgB0AHwAXgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAVQBwAGQAYQB0AGUAJwB9ACAAfAAgAFMAbwByAHQALQBPAGIAagBlAGMAdAAgAC0AVQBuAGkAcQB1AGUACgAnAD0AUABFAFIALQBVAFMARQBSACAASQBOAFMAVABBAEwATABFAEQAIABBAFAAUABTAD0AJwAKAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAFMARQBSAFMAIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAewAkAF8ALgBOAGEAbQBlACAALQBtAGEAdABjAGgAIAAnAFMALQAxAC0ANQAtADIAMQAnACAALQBhAG4AZAAgACQAXwAuAE4AYQBtAGUAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAXwBDAGwAYQBzAHMAZQBzACcAfQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAewAKACAAIAAkAHMAaQBkAD0AJABfAC4AUABTAEMAaABpAGwAZABOAGEAbQBlAAoAIAAgAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAoACQAXwAuAFAAUwBQAGEAdABoACsAJwBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAKgAnACkAIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAIAAiAFsAJABzAGkAZABdACAAJAAoACQAXwAuAEQAaQBzAHAAbABhAHkATgBhAG0AZQApACAAfAAgACQAKAAkAF8ALgBQAHUAYgBsAGkAcwBoAGUAcgApACIAIAB9AAoAfQAKACcAPQBFAEQARwBFACAARQBYAFQARQBOAFMASQBPAE4AUwA9ACcACgBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgBDADoAXABVAHMAZQByAHMAXAAqAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQBkAGcAZQBcAFUAcwBlAHIAIABEAGEAdABhAFwAKgBcAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAqACIAIAAtAEQAaQByAGUAYwB0AG8AcgB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AAoAIAAgACQAbQBmAD0ARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgACIAJAAoACQAXwAuAEYAdQBsAGwATgBhAG0AZQApAFwAKgBcAG0AYQBuAGkAZgBlAHMAdAAuAGoAcwBvAG4AIgAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoAIAAgAGkAZgAoACQAbQBmACkAewAgACQAbQA9AEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAbQBmAC4ARgB1AGwAbABOAGEAbQBlACAALQBSAGEAdwB8AEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAgACQAbgBtAD0AJABtAC4AbgBhAG0AZQA7ACAAaQBmACgAJABuAG0AIAAtAGwAaQBrAGUAIAAnAF8AXwBNAFMARwAqACcAKQB7ACQAbgBtAD0AIgBpAGQAOgAkACgAJABfAC4ATgBhAG0AZQApACIAfQA7ACAAJABuAG0AIAB9AAoAfQAgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIAAtAFUAbgBpAHEAdQBlAAoAJwA9AEMASABSAE8ATQBFACAARQBYAFQAIABJAEQAUwA9ACcACgBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgBDADoAXABVAHMAZQByAHMAXAAqAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXABVAHMAZQByACAARABhAHQAYQBcACoAXABFAHgAdABlAG4AcwBpAG8AbgBzAFwAKgAiACAALQBEAGkAcgBlAGMAdABvAHIAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAewAkAF8ALgBOAGEAbQBlAH0AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAALQBVAG4AaQBxAHUAZQAKACcAPQBEAE8ATgBFACAAUwBUAEEARwBFADMAPQAnAAoA

16
.khalsa-diag3.ps1 Normal file
View File

@@ -0,0 +1,16 @@
$ErrorActionPreference='SilentlyContinue'
'=OFFICE/MCAFEE IN INVENTORY='
Get-Content C:\Windows\Temp\acg-diag1.txt | Select-String 'Office|365|McAfee' | ForEach-Object{$_.Line.Trim()} | Where-Object{$_ -notmatch '^Security Update|^Update for Microsoft|^Definition Update'} | Sort-Object -Unique
'=PER-USER INSTALLED APPS='
Get-ChildItem Registry::HKEY_USERS | Where-Object{$_.Name -match 'S-1-5-21' -and $_.Name -notmatch '_Classes'} | ForEach-Object{
$sid=$_.PSChildName
Get-ItemProperty ($_.PSPath+'\Software\Microsoft\Windows\CurrentVersion\Uninstall\*') | Where-Object DisplayName | ForEach-Object{ "[$sid] $($_.DisplayName) | $($_.Publisher)" }
}
'=EDGE EXTENSIONS='
Get-ChildItem "C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\*" -Directory | ForEach-Object{
$mf=Get-ChildItem "$($_.FullName)\*\manifest.json" | Select-Object -First 1
if($mf){ $m=Get-Content $mf.FullName -Raw|ConvertFrom-Json; $nm=$m.name; if($nm -like '__MSG*'){$nm="id:$($_.Name)"}; $nm }
} | Sort-Object -Unique
'=CHROME EXT IDS='
Get-ChildItem "C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*" -Directory | ForEach-Object{$_.Name} | Sort-Object -Unique
'=DONE STAGE3='

1
.khalsa-diag4.b64 Normal file
View File

@@ -0,0 +1 @@
JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJwA9AEgATwBTAFQAUwAgACgAbgBvAG4ALQBjAG8AbQBtAGUAbgB0ACkAPQAnAAoARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAGQAcgBpAHYAZQByAHMAXABlAHQAYwBcAGgAbwBzAHQAcwAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAgAC0AbQBhAHQAYwBoACAAJwBcAFMAJwAgAC0AYQBuAGQAIAAkAF8AIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAXgBcAHMAKgAjACcAfQAKACcAPQBXAEkATgBIAFQAVABQACAAUABSAE8AWABZAD0AJwAKAG4AZQB0AHMAaAAgAHcAaQBuAGgAdAB0AHAAIABzAGgAbwB3ACAAcAByAG8AeAB5ACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfACAALQBtAGEAdABjAGgAIAAnAFwAUwAnAH0ACgAnAD0AVQBTAEUAUgAgAFAAUgBPAFgAWQA9ACcACgBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBTAEUAUgBTACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATgBhAG0AZQAgAC0AbQBhAHQAYwBoACAAJwBTAC0AMQAtADUALQAyADEAJwAgAC0AYQBuAGQAIAAkAF8ALgBOAGEAbQBlACAALQBuAG8AdABtAGEAdABjAGgAIAAnAF8AQwBsAGEAcwBzAGUAcwAnAH0AIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsACgAgACAAJABwAD0ARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACgAJABfAC4AUABTAFAAYQB0AGgAKwAnAFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwASQBuAHQAZQByAG4AZQB0ACAAUwBlAHQAdABpAG4AZwBzACcAKQAKACAAIAAiAFsAJAAoACQAXwAuAFAAUwBDAGgAaQBsAGQATgBhAG0AZQApAF0AIABlAG4AYQBiAGwAZQA9ACQAKAAkAHAALgBQAHIAbwB4AHkARQBuAGEAYgBsAGUAKQAgAHMAZQByAHYAZQByAD0AJAAoACQAcAAuAFAAcgBvAHgAeQBTAGUAcgB2AGUAcgApACAAYQB1AHQAbwBjAGYAZwA9ACQAKAAkAHAALgBBAHUAdABvAEMAbwBuAGYAaQBnAFUAUgBMACkAIgAKAH0ACgAnAD0ARABOAFMAPQAnAAoARwBlAHQALQBEAG4AcwBDAGwAaQBlAG4AdABTAGUAcgB2AGUAcgBBAGQAZAByAGUAcwBzACAALQBBAGQAZAByAGUAcwBzAEYAYQBtAGkAbAB5ACAASQBQAHYANAAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAFMAZQByAHYAZQByAEEAZABkAHIAZQBzAHMAZQBzAH0AIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAIAAiACQAKAAkAF8ALgBJAG4AdABlAHIAZgBhAGMAZQBBAGwAaQBhAHMAKQA6ACAAJAAoACQAXwAuAFMAZQByAHYAZQByAEEAZABkAHIAZQBzAHMAZQBzACAALQBqAG8AaQBuACAAJwAsACcAKQAiACAAfQAKACcAPQBCAFIATwBXAFMARQBSACAAUwBFAEEAUgBDAEgALwBTAFQAQQBSAFQAVQBQAD0AJwAKAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAFUAcwBlAHIAIABEAGEAdABhAFwAKgBcAFAAcgBlAGYAZQByAGUAbgBjAGUAcwAiACwAIgBDADoAXABVAHMAZQByAHMAXAAqAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQBkAGcAZQBcAFUAcwBlAHIAIABEAGEAdABhAFwAKgBcAFAAcgBlAGYAZQByAGUAbgBjAGUAcwAiACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AAoAIAAgACQAdwBoAG8APQAkAF8ALgBGAHUAbABsAE4AYQBtAGUAIAAtAHIAZQBwAGwAYQBjAGUAIAAnAF4AQwA6AFwAXABVAHMAZQByAHMAXABcACgAWwBeAFwAXABdACsAKQAuACoAJwAsACcAJAAxACcACgAgACAAJABqAD0ARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAJABfAC4ARgB1AGwAbABOAGEAbQBlACAALQBSAGEAdwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuAAoAIAAgACQAcwBwAD0AJABqAC4AZABlAGYAYQB1AGwAdABfAHMAZQBhAHIAYwBoAF8AcAByAG8AdgBpAGQAZQByAF8AZABhAHQAYQAuAHQAZQBtAHAAbABhAHQAZQBfAHUAcgBsAF8AZABhAHQAYQAuAGsAZQB5AHcAbwByAGQACgAgACAAJABzAHUAPQAoACQAagAuAHMAZQBzAHMAaQBvAG4ALgBzAHQAYQByAHQAdQBwAF8AdQByAGwAcwAgAC0AagBvAGkAbgAgACcAOwAnACkACgAgACAAJABoAHAAPQAkAGoALgBoAG8AbQBlAHAAYQBnAGUACgAgACAAaQBmACgAJABzAHAAIAAtAG8AcgAgACQAcwB1ACAALQBvAHIAIAAkAGgAcAApAHsAIAAiAFsAJAB3AGgAbwAgACQAKAAkAF8ALgBEAGkAcgBlAGMAdABvAHIAeQAuAE4AYQBtAGUAKQBdACAAcwBlAGEAcgBjAGgAPQAkAHMAcAAgAHMAdABhAHIAdAB1AHAAPQAkAHMAdQAgAGgAbwBtAGUAPQAkAGgAcAAiACAAfQAKAH0ACgAnAD0AQgBSAE8AVwBTAEUAUgAgAFMASABPAFIAVABDAFUAVABTAD0AJwAKACQAcwBoAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsAAoARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAKgBcAEQAZQBzAGsAdABvAHAAXAAqAC4AbABuAGsAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABEAGUAcwBrAHQAbwBwAFwAKgAuAGwAbgBrACcALAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAUQB1AGkAYwBrACAATABhAHUAbgBjAGgAXABVAHMAZQByACAAUABpAG4AbgBlAGQAXABUAGEAcwBrAEIAYQByAFwAKgAuAGwAbgBrACcAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsACgAgACAAJABsAD0AJABzAGgALgBDAHIAZQBhAHQAZQBTAGgAbwByAHQAYwB1AHQAKAAkAF8ALgBGAHUAbABsAE4AYQBtAGUAKQAKACAAIABpAGYAKAAkAGwALgBUAGEAcgBnAGUAdABQAGEAdABoACAALQBtAGEAdABjAGgAIAAnAGMAaAByAG8AbQBlAHwAbQBzAGUAZABnAGUAfABmAGkAcgBlAGYAbwB4AHwAaQBlAHgAcABsAG8AcgBlACcAIAAtAGEAbgBkACAAJABsAC4AQQByAGcAdQBtAGUAbgB0AHMAIAAtAG0AYQB0AGMAaAAgACcAXABTACcAKQB7ACAAIgAkACgAJABfAC4ARgB1AGwAbABOAGEAbQBlACkAIAAtAD4AIAAkACgAJABsAC4AVABhAHIAZwBlAHQAUABhAHQAaAApACAAQQBSAEcAUwA6ACAAJAAoACQAbAAuAEEAcgBnAHUAbQBlAG4AdABzACkAIgAgAH0ACgB9AAoAJwA9AEQATwBOAEUAIABTAFQAQQBHAEUANAA9ACcACgA=

28
.khalsa-diag4.ps1 Normal file
View File

@@ -0,0 +1,28 @@
$ErrorActionPreference='SilentlyContinue'
'=HOSTS (non-comment)='
Get-Content C:\Windows\System32\drivers\etc\hosts | Where-Object{$_ -match '\S' -and $_ -notmatch '^\s*#'}
'=WINHTTP PROXY='
netsh winhttp show proxy | Where-Object{$_ -match '\S'}
'=USER PROXY='
Get-ChildItem Registry::HKEY_USERS | Where-Object{$_.Name -match 'S-1-5-21' -and $_.Name -notmatch '_Classes'} | ForEach-Object{
$p=Get-ItemProperty ($_.PSPath+'\Software\Microsoft\Windows\CurrentVersion\Internet Settings')
"[$($_.PSChildName)] enable=$($p.ProxyEnable) server=$($p.ProxyServer) autocfg=$($p.AutoConfigURL)"
}
'=DNS='
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object{$_.ServerAddresses} | ForEach-Object{ "$($_.InterfaceAlias): $($_.ServerAddresses -join ',')" }
'=BROWSER SEARCH/STARTUP='
Get-ChildItem "C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences","C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences" | ForEach-Object{
$who=$_.FullName -replace '^C:\\Users\\([^\\]+).*','$1'
$j=Get-Content $_.FullName -Raw | ConvertFrom-Json
$sp=$j.default_search_provider_data.template_url_data.keyword
$su=($j.session.startup_urls -join ';')
$hp=$j.homepage
if($sp -or $su -or $hp){ "[$who $($_.Directory.Name)] search=$sp startup=$su home=$hp" }
}
'=BROWSER SHORTCUTS='
$sh=New-Object -ComObject WScript.Shell
Get-ChildItem 'C:\Users\*\Desktop\*.lnk','C:\Users\Public\Desktop\*.lnk','C:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*.lnk' | ForEach-Object{
$l=$sh.CreateShortcut($_.FullName)
if($l.TargetPath -match 'chrome|msedge|firefox|iexplore' -and $l.Arguments -match '\S'){ "$($_.FullName) -> $($l.TargetPath) ARGS: $($l.Arguments)" }
}
'=DONE STAGE4='

0
.khalsa-manual.err Normal file
View File

12989
.khalsa-manual.json Normal file

File diff suppressed because one or more lines are too long

12989
.khalsa-session.json Normal file

File diff suppressed because one or more lines are too long

13016
.khalsa-session2.json Normal file

File diff suppressed because one or more lines are too long

13043
.khalsa-session3.json Normal file

File diff suppressed because one or more lines are too long

13070
.khalsa-session4.json Normal file

File diff suppressed because one or more lines are too long

1
.khalsa-ticket.json Normal file

File diff suppressed because one or more lines are too long

View File

@@ -0,0 +1,102 @@
# Breach Check + Remediation: Orders@valleywideplastering.com
**Date:** 2026-07-16
**Tenant:** Valleywide Plastering (valleywideplastering.com, 5c53ae9f-7071-4248-b834-8685b646450f)
**Subject:** Orders@valleywideplastering.com
**Tool:** ComputerGuru remediation app suite — tiers used: Security Investigator `bfbc12a4` (Graph reads), Investigator-EXO (Exchange reads), User Manager `64fac46b` (session revoke), Tenant Admin `709e6eed` (device deletion)
**Scope:** included remediation (device deletion + session revoke, confirmed by Winter in Discord)
**Requested by:** Winter (Discord @winterguru), thread 1527356833902362654
## Summary
- **Confirmed AiTM token-theft compromise on 2026-07-02 17:20 UTC** — sign-in from datacenter IP 172.245.92.208 (ColoCrossing) to Microsoft Intune Enrollment with "MFA requirement satisfied by claim in the token" (replayed session token; CA MFA passed on the stolen claim).
- **Attacker registered persistence device `DESKTOP-YQL6X9KX`** at 2026-07-02 17:21:00Z (Entra workplace join under this account).
- **Partial remediation already occurred 2026-07-06** (~16:3316:40 UTC): password reset twice + StsRefreshTokenValidFrom bumped via ComputerGuru Tenant Admin; MFA info updated 16:45 UTC.
- **Rogue device was still registered and ENABLED as of 2026-07-16** — deleted this session. Sessions re-revoked.
- Mailbox itself is clean: no rules (incl. hidden), no forwarding, no delegations, no OAuth grants, no outbound abuse.
- **Tenant sweep of attacker IP: only orders@ was touched** — no other VWP users saw sign-ins from 172.245.92.208 (30d window).
## Target details
| Field | Value |
|---|---|
| UPN | Orders@valleywideplastering.com |
| Object ID | 3739c527-f156-49b7-8779-a19033564a0f |
| Account Enabled | true |
| Created | 2023-03-17T21:54:40Z |
| Last Password Change | 2026-07-06T16:39:58Z |
## Per-check findings
### 1. Inbox rules (Graph)
0 rules.
### 2. Mailbox forwarding / settings
No forwarding configured (ForwardingAddress / ForwardingSmtpAddress empty). No auto-reply anomalies.
### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox)
0 hidden inbox rules. No non-SELF mailbox permissions. No non-SELF SendAs. No mailbox-level forwarding.
### 4. OAuth consents + app role assignments
0 OAuth grants, 0 app role assignments.
### 5. Authentication methods
3 methods, all outside the attack window (benign):
- passwordAuthenticationMethod
- microsoftAuthenticatorAuthenticationMethod — "iPhone 11" (user's phone)
- windowsHelloForBusinessAuthenticationMethod — created 2025-06-24T14:24:00Z (predates incident by a year)
### 6. Sign-ins (30d, interactive)
127 sign-ins. Dominant IP 4.18.160.106 (124 — office egress, Leesburg geo). Error-code mix normal (50072/50076/50079 MFA interrupts, 50140 KMSI).
- 7x 50126 (bad password) on 2026-07-06 16:3522:16 UTC from the office IP = user retrying the OLD password during/after the 7/6 admin reset. Benign.
- **2x from 172.245.92.208 (ColoCrossing datacenter, LA geo) on 2026-07-02 17:20 UTC — Microsoft Authentication Broker → Microsoft Intune Enrollment, Chrome 150, `50199` then `0` (success). "MFA requirement satisfied by claim in the token" = token replay. CA "Require MFA for all users" = success (satisfied by stolen claim); "Block Sign-ins Outside US" notApplied (IP geolocates US).**
- The "non-US" flag in the script summary was a false positive: a 500142 redemption-continuation event from the office IP with no geo populated.
### 7. Directory audits
15 events (30d):
- 2026-07-02 17:21:01Z — "Add registered users to device" + "Add registered owner to device" via Device Registration Service (**attacker device join**).
- 2026-07-06 16:33 + 16:39 UTC — two password resets + StsRefreshTokenValidFrom updates via ComputerGuru Tenant Admin / User Manager (prior remediation).
- 2026-07-06 16:45 UTC — Azure MFA StrongAuthenticationService "Update user" (MFA info re-registration after reset).
### 8. Risky users / risk detections
riskyUser endpoint returned 403 Forbidden — Security Investigator consent on this tenant is PARTIAL (missing User.Read.All, Sites.Read.All; IdentityRiskyUser likely part of the stale grant). riskDetections returned 0. Sign-in risk fields on the attack events are "hidden" (license/scope).
### 9. Sent items (recent 25)
Normal business traffic (orders to suppliers, internal scheduling). No blast patterns, no unusual externals.
### 10. Deleted items (recent 25)
Normal. No deleted security alerts or MFA notifications.
## Suspicious items
- AiTM token replay from 172.245.92.208 (ColoCrossing hosting) on 2026-07-02 17:20 UTC.
- Attacker-registered Entra device `DESKTOP-YQL6X9KX` (deviceId 850e5a7e-c7bb-4d65-9bc4-740e11a61ebc, objectId 575e7b36-8ec1-46df-b66b-c0228ca93c64), registered 2026-07-02 17:21:00Z, still enabled 14 days later. Never signed in after registration.
## Gaps — checks not completed
- Identity Protection riskyUser: 403 (partial Investigator consent). Fix: re-consent
`https://login.microsoftonline.com/5c53ae9f-7071-4248-b834-8685b646450f/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
- Consent audit grade AMBER: investigator (missing User.Read.All, Sites.Read.All), exchange-op (missing Mail.ReadWrite, MailboxSettings.ReadWrite), user-manager (missing Directory.ReadWrite.All). Re-consent links in consent-audit output.
## Next actions
1. [DONE this session] Delete rogue device — see below.
2. [DONE this session] Re-revoke sessions.
3. Re-consent the three AMBER apps on this tenant (any Global Admin, links above) — ACG.
4. Consider phishing-resistant MFA / token-protection CA for this tenant; the "Block Sign-ins Outside US" policy did not stop a US-datacenter AiTM proxy. — ACG, discuss with Mike.
5. User awareness: orders@ operator was almost certainly phished ~Jul 2; worth a heads-up to the client contact.
## Remediation actions
| Time (UTC) | Action | Tier | Result |
|---|---|---|---|
| 2026-07-16 ~17:0x | `DELETE /v1.0/devices/575e7b36-8ec1-46df-b66b-c0228ca93c64` (DESKTOP-YQL6X9KX) | tenant-admin | HTTP 204; verified — only legit device ORDERSTY remains registered to user |
| 2026-07-16 ~17:0x | `POST /v1.0/users/3739c527-f156-49b7-8779-a19033564a0f/revokeSignInSessions` | user-manager | HTTP 200, value=true |
Tenant-wide sign-in sweep for 172.245.92.208 (30d): only the two orders@ events on 2026-07-02. No lateral spread.
## Data artifacts
Raw JSON saved at `/tmp/remediation-tool/5c53ae9f-7071-4248-b834-8685b646450f/user-breach/Orders_valleywideplastering_com/` — files:
- 00_user.json, 01_inbox_rules_graph.json, 02_mailbox_settings.json, 03a_InboxRule_hidden.json, 03b_MailboxPermission.json, 03c_RecipientPermission.json, 03d_Mailbox.json, 04a_oauth_grants.json, 04b_app_role_assignments.json, 05_auth_methods.json, 06_signins.json, 07_dir_audits.json, 08a_risky_user.json, 08b_risk_detections.json, 09_sent.json, 10_deleted.json

View File

@@ -0,0 +1,75 @@
# VWP — Orders@ Breach Check + Remediation, Syncro #32557 + Billing
## User
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
- **Role:** automation (acting on the requester's behalf)
## Session Summary
Winter requested a security check on Orders@valleywideplastering.com via Discord (#tech-department, thread 1527356833902362654). Ran the remediation-tool workflow: consent audit (grade AMBER — three apps with partial grants), then full user-breach-check via Security Investigator + Investigator-EXO tiers.
Found a confirmed AiTM token-theft compromise from 2026-07-02 17:20 UTC: interactive sign-in from datacenter IP 172.245.92.208 (ColoCrossing) to Microsoft Intune Enrollment via Authentication Broker, with "MFA requirement satisfied by claim in the token" (replayed stolen session token — CA MFA passed on the stolen claim). 40 seconds later the attacker registered Entra device DESKTOP-YQL6X9KX to the account (persistence). The "Block Sign-ins Outside US" CA policy did not fire because the proxy IP geolocates to Los Angeles. Directory audits showed a prior partial remediation on 2026-07-06 (~16:33-16:40 UTC): two password resets + StsRefreshTokenValidFrom bumps via ComputerGuru Tenant Admin, MFA info updated 16:45. The mailbox itself was clean: 0 inbox rules (incl. hidden), no forwarding, no non-SELF delegations/SendAs, 0 OAuth grants, sent/deleted items normal. Auth methods all predate the incident (Authenticator iPhone 11; WHfB from 2025-06-24).
The rogue device DESKTOP-YQL6X9KX was still registered and ENABLED 14 days later. With Winter's explicit YES: deleted the device via tenant-admin tier (HTTP 204, verified only legit device ORDERSTY remains) and re-revoked all sessions via user-manager tier (HTTP 200). Tenant-wide sign-in sweep for 172.245.92.208 (30d): only orders@ was touched — no lateral spread. Full report written to clients/valleywide/reports/2026-07-16-orders-breach-check.md.
Created Syncro ticket #32557 for Valley Wide Plastering Inc (customer 31694734) via /syncro with Winter's API key (attribution), status Resolved, priority 1 High, assigned Winter (1737), Initial Issue comment customer-emailed at Winter's direction (Do Not Email = no). Billed 0.5 hrs Labor - Remote Business (product 1190473, $150/hr): VWP is prepaid — block went 16.25 → 15.75 hrs, invoice #68050 total $0.00 with note "Block hours remaining: 15.75.", ticket marked Invoiced. Bot alerts posted to #bot-alerts for both writes.
## Key Decisions
- Used investigator/investigator-exo tiers for all reads; escalated to tenant-admin only for the device DELETE and user-manager for the session revoke (minimum privilege).
- Deleted (not just disabled) the rogue device after Winter's explicit YES — it had never signed in since registration and had no legitimate claim.
- Re-revoked sessions after device deletion even though a 7/6 revoke existed (belt-and-suspenders — device registration postdated nothing, but revoke is free).
- Judged the script's "non-US: 1" flag a false positive (a 500142 event from the office IP with no geo populated); the real finding was the US-datacenter IP that geo checks cannot catch.
- Judged the 7x 50126 failures on 7/6 benign: office-IP retries of the old password during the admin reset window.
- Initial Issue comment posted with do_not_email: false at Winter's explicit instruction (customer gets notified).
- Billed with the delivery-channel product (1190473 remote) per prepaid rules — NOT 9269129; verified block decrement post-invoice.
## Problems Encountered
- riskyUser endpoint returned 403 — Security Investigator consent on this tenant is PARTIAL (missing User.Read.All, Sites.Read.All). Documented re-consent URL in the report; not blocking.
- Consent audit AMBER: investigator, exchange-op, user-manager all have stale partial grants. Re-consent links in the report's Gaps section.
## Configuration Changes
- Created: `clients/valleywide/reports/2026-07-16-orders-breach-check.md` (full breach report)
- Created: this session log
- M365 tenant (5c53ae9f-7071-4248-b834-8685b646450f): deleted Entra device object 575e7b36-8ec1-46df-b66b-c0228ca93c64 (DESKTOP-YQL6X9KX, deviceId 850e5a7e-c7bb-4d65-9bc4-740e11a61ebc); revoked sign-in sessions for user 3739c527-f156-49b7-8779-a19033564a0f
## Credentials & Secrets
- None created or discovered. Vault paths used (app certs auto-resolved by get-token.sh): msp-tools/computerguru-security-investigator.sops.yaml, msp-tools/computerguru-exchange-operator.sops.yaml (via investigator-exo), msp-tools/computerguru-user-manager.sops.yaml, msp-tools/computerguru-tenant-admin.sops.yaml; msp-tools/syncro-winter (Syncro attribution).
## Infrastructure & Servers
- Tenant: valleywideplastering.com = 5c53ae9f-7071-4248-b834-8685b646450f
- Target user: Orders@valleywideplastering.com = 3739c527-f156-49b7-8779-a19033564a0f
- Attacker IP: 172.245.92.208 (ColoCrossing datacenter, geolocates Los Angeles)
- Office egress IP: 4.18.160.106 (geolocates Leesburg; 124/127 sign-ins)
- Legit device: ORDERSTY (registered 2025-04-08); rogue device: DESKTOP-YQL6X9KX (registered 2026-07-02 17:21:00Z, deleted 2026-07-16)
- Syncro customer: Valley Wide Plastering Inc (VWP) = 31694734, prepaid block
## Commands & Outputs
- `bash scripts/consent-audit.sh valleywideplastering.com` → GRADE: AMBER (investigator, exchange-op, user-manager partial)
- `bash scripts/user-breach-check.sh valleywideplastering.com Orders@valleywideplastering.com` → artifacts at /tmp/remediation-tool/5c53ae9f-7071-4248-b834-8685b646450f/user-breach/Orders_valleywideplastering_com/
- `DELETE /v1.0/devices/575e7b36-8ec1-46df-b66b-c0228ca93c64` (tenant-admin) → HTTP 204
- `POST /v1.0/users/3739c527-f156-49b7-8779-a19033564a0f/revokeSignInSessions` (user-manager) → HTTP 200 value=true
- `GET /auditLogs/signIns?$filter=ipAddress eq '172.245.92.208'` → only the two orders@ events on 2026-07-02
- Syncro: POST /tickets → id 113912233 (#32557); comment 424044507 (Initial Issue), comment 424044987 (Resolution); line item 43297806 (0.5h @ $150); POST /invoices → 1651071811 (#68050, $0.00); PUT invoice note; PUT status Invoiced
## Pending / Incomplete Tasks
- Re-consent the three AMBER apps on the VWP tenant (any Global Admin; URLs in the report Gaps section) — enables Identity Protection risk reads.
- Discuss phishing-resistant MFA / token-protection CA for VWP with Mike — geo-block CA did not stop the US-datacenter AiTM proxy.
- Client user awareness: orders@ operator was likely phished ~Jul 2.
## Reference Information
- Report: clients/valleywide/reports/2026-07-16-orders-breach-check.md
- Syncro ticket: #32557 → https://computerguru.syncromsp.com/tickets/113912233
- Syncro invoice: #68050 (id 1651071811), $0.00, applied 0.5 prepay hrs; block 16.25 → 15.75
- Discord thread: 1527356833902362654 (#tech-department)
- Bot alerts: message_ids 1527360784940798073 (ticket create), 1527361632278286386 (billing)
- Raw artifacts: /tmp/remediation-tool/5c53ae9f-7071-4248-b834-8685b646450f/user-breach/Orders_valleywideplastering_com/
- Prior related log: clients/valleywide/reports/2026-06-29-offboarding-teresa-carpio.md

View File

@@ -22,6 +22,9 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
2026-07-15 | Howard-Home | msp360/backups | [correction] assumed LAB-SVR (Len's Auto) is a live machine needing attention; correct is LAB-SVR was RETIRED and replaced by LAB-SERVER — repeated correction from Howard
2026-07-15 | Howard-Home | cascades-verification | [correction] reported Synology-to-server sync as 'overstated/partial' from stale wiki (6/18 note); correct is: shared-folder syncs to the server ARE set up — Howard confirmed. Wiki Team Folder [PENDING] lines are stale
2026-07-15 | GURU-BEAST-ROG | discord-bot/attachments | attachment save failing: .attachments/<thread> dir touched but image.png never written (2 attempts, thread 1527062493246263478) [ctx: user=winter]
2026-07-15 | GURU-BEAST-ROG | screenconnect/bash | [friction] printf interpreted in Windows path as vertical tab, mangled SC command; fix: build cmd with echo single-quoted lines not printf format escapes
2026-07-15 | Howard-Home | prairie-schooner/cutover | [correction] assumed a separate USG gateway existed at .136 and was removed at cutover; correct is the .136 device WAS the USW-Lite-16-PoE switch (kept + adopted into UDM Pro) - only the SonicWall was removed