sync: auto-sync from GURU-BEAST-ROG at 2026-07-16 10:11:10
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-16 10:11:10
This commit is contained in:
1
.khalsa-diag1.b64
Normal file
1
.khalsa-diag1.b64
Normal file
File diff suppressed because one or more lines are too long
28
.khalsa-diag1.ps1
Normal file
28
.khalsa-diag1.ps1
Normal file
@@ -0,0 +1,28 @@
|
|||||||
|
$ErrorActionPreference='SilentlyContinue'
|
||||||
|
$o=New-Object System.Text.StringBuilder
|
||||||
|
function W($s){[void]$script:o.AppendLine($s)}
|
||||||
|
W '=DEFENDER='
|
||||||
|
$m=Get-MpComputerStatus
|
||||||
|
W ("mode=$($m.AMRunningMode) rtp=$($m.RealTimeProtectionEnabled) av=$($m.AntivirusEnabled) sig=$($m.AntivirusSignatureLastUpdated)")
|
||||||
|
W '=DETECTIONS(5)='
|
||||||
|
Get-MpThreatDetection|Sort-Object InitialDetectionTime -Descending|Select-Object -First 5|ForEach-Object{W ("$($_.InitialDetectionTime) :: $(($_.Resources -join ';'))")}
|
||||||
|
W '=PUP MATCHES='
|
||||||
|
$u=@('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*','HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
|
||||||
|
$apps=Get-ItemProperty $u|Where-Object DisplayName
|
||||||
|
$apps|Where-Object{$_.DisplayName -match 'McAfee|WebAdvisor|Norton|Avast|AVG|Avira|Driver|CCleaner|Clean|Optim|ByteFence|Segurazo|OneLaunch|Wave|TotalAV|Restoro|Reimage|Booster|Accelerate'}|ForEach-Object{W ("$($_.DisplayName) | $($_.Publisher)")}
|
||||||
|
W '=HKLM RUN='
|
||||||
|
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run').PSObject.Properties|Where-Object{$_.Name -notmatch '^PS'}|ForEach-Object{W ("$($_.Name)=$($_.Value)")}
|
||||||
|
(Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run').PSObject.Properties|Where-Object{$_.Name -notmatch '^PS'}|ForEach-Object{W ("W64:$($_.Name)=$($_.Value)")}
|
||||||
|
W '=USER RUN='
|
||||||
|
Get-ChildItem Registry::HKEY_USERS|Where-Object{$_.Name -match 'S-1-5-21' -and $_.Name -notmatch '_Classes'}|ForEach-Object{
|
||||||
|
$sid=$_.PSChildName
|
||||||
|
(Get-ItemProperty ($_.PSPath+'\Software\Microsoft\Windows\CurrentVersion\Run')).PSObject.Properties|Where-Object{$_.Name -notmatch '^PS'}|ForEach-Object{W ("[$sid] $($_.Name)=$($_.Value)")}
|
||||||
|
}
|
||||||
|
W '=NONMS TASKS='
|
||||||
|
Get-ScheduledTask|Where-Object{$_.TaskPath -notlike '\Microsoft*'}|ForEach-Object{W ("$($_.TaskPath)$($_.TaskName) [$($_.State)]")}
|
||||||
|
W ("=APPTOTAL= $($apps.Count)")
|
||||||
|
$full=$o.ToString()
|
||||||
|
$full|Out-File C:\Windows\Temp\acg-diag1.txt -Encoding utf8
|
||||||
|
$apps|Sort-Object DisplayName|ForEach-Object{"$($_.DisplayName) | $($_.Publisher)"}|Add-Content C:\Windows\Temp\acg-diag1.txt -Encoding utf8
|
||||||
|
$full
|
||||||
|
'=DONE STAGE1='
|
||||||
1
.khalsa-diag2.b64
Normal file
1
.khalsa-diag2.b64
Normal file
@@ -0,0 +1 @@
|
|||||||
|
JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJwA9AEEAVgAgAFAAUgBPAEQAVQBDAFQAUwA9ACcACgBHAGUAdAAtAEMAaQBtAEkAbgBzAHQAYQBuAGMAZQAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAByAG8AbwB0AC8AUwBlAGMAdQByAGkAdAB5AEMAZQBuAHQAZQByADIAIAAtAEMAbABhAHMAcwBOAGEAbQBlACAAQQBuAHQAaQBWAGkAcgB1AHMAUAByAG8AZAB1AGMAdAAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAIgAkACgAJABfAC4AZABpAHMAcABsAGEAeQBOAGEAbQBlACkAIABzAHQAYQB0AGUAPQAwAHgAJAAoACcAewAwADoAeAB9ACcAIAAtAGYAIAAkAF8ALgBwAHIAbwBkAHUAYwB0AFMAdABhAHQAZQApACIAIAB9AAoAJwA9AFMARQBDAFUAUgBJAFQAWQAgAEEAUABQAFMAIABJAE4AIABJAE4AVgBFAE4AVABPAFIAWQA9ACcACgBHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAGEAYwBnAC0AZABpAGEAZwAxAC4AdAB4AHQAIAB8ACAAUwBlAGwAZQBjAHQALQBTAHQAcgBpAG4AZwAgACcAQgBpAHQAZABlAGYAZQBuAGQAZQByAHwAVwBlAGIAcgBvAG8AdAB8AFMAZQBuAHQAaQBuAGUAbAB8AFMAbwBwAGgAbwBzAHwARABhAHQAdABvAHwASAB1AG4AdAByAGUAcwBzAHwATQBhAGwAdwBhAHIAZQBiAHkAdABlAHMAfABUAHIAZQBuAGQAfABLAGEAcwBwAGUAcgBzAGsAeQB8AEUAUwBFAFQAfABNAGMAQQBmAGUAZQB8AE4AbwByAHQAbwBuAHwAQQB2AGEAcwB0AHwAQQBWAEcAfABTAGUAYwB1AHIAaQB0AHkAfABDAEMAbABlAGEAbgBlAHIAfABEAGUAZgBlAG4AZABlAHIAJwAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAJABfAC4ATABpAG4AZQAuAFQAcgBpAG0AKAApACAAfQAKACcAPQBOAE8AVABJAEYASQBDAEEAVABJAE8ATgAgAEEATABMAE8AVwBTAD0AJwAKAGYAbwByAGUAYQBjAGgAKAAkAGIAIABpAG4AIAAnAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAJwAsACcATQBpAGMAcgBvAHMAbwBmAHQAXABFAGQAZwBlACcAKQB7AAoAIAAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAJABiAFwAVQBzAGUAcgAgAEQAYQB0AGEAXAAqAFwAUAByAGUAZgBlAHIAZQBuAGMAZQBzACIAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAKACAAIAAgACAAJAB3AGgAbwA9ACQAXwAuAEYAdQBsAGwATgBhAG0AZQAgAC0AcgBlAHAAbABhAGMAZQAgACcAXgBDADoAXABcAFUAcwBlAHIAcwBcAFwAKABbAF4AXABcAF0AKwApAC4AKgAnACwAJwAkADEAJwAKACAAIAAgACAAJABwAHIAbwBmAD0AJABfAC4ARABpAHIAZQBjAHQAbwByAHkALgBOAGEAbQBlAAoAIAAgACAAIAAkAGoAPQBHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAF8ALgBGAHUAbABsAE4AYQBtAGUAIAAtAFIAYQB3ACAAfAAgAEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4ACgAgACAAIAAgACQAZQB4AD0AJABqAC4AcAByAG8AZgBpAGwAZQAuAGMAbwBuAHQAZQBuAHQAXwBzAGUAdAB0AGkAbgBnAHMALgBlAHgAYwBlAHAAdABpAG8AbgBzAC4AbgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAKACAAIAAgACAAaQBmACgAJABlAHgAKQB7ACAAJABlAHgALgBQAFMATwBiAGoAZQBjAHQALgBQAHIAbwBwAGUAcgB0AGkAZQBzACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBWAGEAbAB1AGUALgBzAGUAdAB0AGkAbgBnACAALQBlAHEAIAAxAH0AIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgACIAQQBMAEwATwBXACAAJAB3AGgAbwAgACgAJABiACAAJABwAHIAbwBmACkAIAA6ADoAIAAkACgAJABfAC4ATgBhAG0AZQApACIAIAB9ACAAfQAKACAAIAB9AAoAfQAKACcAPQBFAFgAVABFAE4AUwBJAE8ATgBTAD0AJwAKAGYAbwByAGUAYQBjAGgAKAAkAGIAIABpAG4AIAAnAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAJwAsACcATQBpAGMAcgBvAHMAbwBmAHQAXABFAGQAZwBlACcAKQB7AAoAIAAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAJABiAFwAVQBzAGUAcgAgAEQAYQB0AGEAXAAqAFwARQB4AHQAZQBuAHMAaQBvAG4AcwBcACoAIgAgAC0ARABpAHIAZQBjAHQAbwByAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAKACAAIAAgACAAJABtAGYAPQBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgAkACgAJABfAC4ARgB1AGwAbABOAGEAbQBlACkAXAAqAFwAbQBhAG4AaQBmAGUAcwB0AC4AagBzAG8AbgAiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAgACAAIAAgAGkAZgAoACQAbQBmACkAewAgACQAbQA9AEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAbQBmAC4ARgB1AGwAbABOAGEAbQBlACAALQBSAGEAdwB8AEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAgACQAbgBtAD0AJABtAC4AbgBhAG0AZQA7ACAAaQBmACgAJABuAG0AIAAtAGwAaQBrAGUAIAAnAF8AXwBNAFMARwAqACcAKQB7ACQAbgBtAD0AIgBpAGQAOgAkACgAJABfAC4ATgBhAG0AZQApACIAfQA7ACAAIgAkAGIAIAA6ADoAIAAkAG4AbQAiACAAfQAKACAAIAB9ACAAfAAgAFMAbwByAHQALQBPAGIAagBlAGMAdAAgAC0AVQBuAGkAcQB1AGUACgB9AAoAJwA9AEQATwBOAEUAIABTAFQAQQBHAEUAMgA9ACcACgA=
|
||||||
23
.khalsa-diag2.ps1
Normal file
23
.khalsa-diag2.ps1
Normal file
@@ -0,0 +1,23 @@
|
|||||||
|
$ErrorActionPreference='SilentlyContinue'
|
||||||
|
'=AV PRODUCTS='
|
||||||
|
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | ForEach-Object { "$($_.displayName) state=0x$('{0:x}' -f $_.productState)" }
|
||||||
|
'=SECURITY APPS IN INVENTORY='
|
||||||
|
Get-Content C:\Windows\Temp\acg-diag1.txt | Select-String 'Bitdefender|Webroot|Sentinel|Sophos|Datto|Huntress|Malwarebytes|Trend|Kaspersky|ESET|McAfee|Norton|Avast|AVG|Security|CCleaner|Defender' | ForEach-Object { $_.Line.Trim() }
|
||||||
|
'=NOTIFICATION ALLOWS='
|
||||||
|
foreach($b in 'Google\Chrome','Microsoft\Edge'){
|
||||||
|
Get-ChildItem "C:\Users\*\AppData\Local\$b\User Data\*\Preferences" | ForEach-Object {
|
||||||
|
$who=$_.FullName -replace '^C:\\Users\\([^\\]+).*','$1'
|
||||||
|
$prof=$_.Directory.Name
|
||||||
|
$j=Get-Content $_.FullName -Raw | ConvertFrom-Json
|
||||||
|
$ex=$j.profile.content_settings.exceptions.notifications
|
||||||
|
if($ex){ $ex.PSObject.Properties | Where-Object {$_.Value.setting -eq 1} | ForEach-Object { "ALLOW $who ($b $prof) :: $($_.Name)" } }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'=EXTENSIONS='
|
||||||
|
foreach($b in 'Google\Chrome','Microsoft\Edge'){
|
||||||
|
Get-ChildItem "C:\Users\*\AppData\Local\$b\User Data\*\Extensions\*" -Directory | ForEach-Object {
|
||||||
|
$mf=Get-ChildItem "$($_.FullName)\*\manifest.json" | Select-Object -First 1
|
||||||
|
if($mf){ $m=Get-Content $mf.FullName -Raw|ConvertFrom-Json; $nm=$m.name; if($nm -like '__MSG*'){$nm="id:$($_.Name)"}; "$b :: $nm" }
|
||||||
|
} | Sort-Object -Unique
|
||||||
|
}
|
||||||
|
'=DONE STAGE2='
|
||||||
1
.khalsa-diag3.b64
Normal file
1
.khalsa-diag3.b64
Normal file
@@ -0,0 +1 @@
|
|||||||
|
JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJwA9AE8ARgBGAEkAQwBFAC8ATQBDAEEARgBFAEUAIABJAE4AIABJAE4AVgBFAE4AVABPAFIAWQA9ACcACgBHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAGEAYwBnAC0AZABpAGEAZwAxAC4AdAB4AHQAIAB8ACAAUwBlAGwAZQBjAHQALQBTAHQAcgBpAG4AZwAgACcATwBmAGYAaQBjAGUAfAAzADYANQB8AE0AYwBBAGYAZQBlACcAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATABpAG4AZQAuAFQAcgBpAG0AKAApAH0AIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAewAkAF8AIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAXgBTAGUAYwB1AHIAaQB0AHkAIABVAHAAZABhAHQAZQB8AF4AVQBwAGQAYQB0AGUAIABmAG8AcgAgAE0AaQBjAHIAbwBzAG8AZgB0AHwAXgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAVQBwAGQAYQB0AGUAJwB9ACAAfAAgAFMAbwByAHQALQBPAGIAagBlAGMAdAAgAC0AVQBuAGkAcQB1AGUACgAnAD0AUABFAFIALQBVAFMARQBSACAASQBOAFMAVABBAEwATABFAEQAIABBAFAAUABTAD0AJwAKAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAFMARQBSAFMAIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAewAkAF8ALgBOAGEAbQBlACAALQBtAGEAdABjAGgAIAAnAFMALQAxAC0ANQAtADIAMQAnACAALQBhAG4AZAAgACQAXwAuAE4AYQBtAGUAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAXwBDAGwAYQBzAHMAZQBzACcAfQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAewAKACAAIAAkAHMAaQBkAD0AJABfAC4AUABTAEMAaABpAGwAZABOAGEAbQBlAAoAIAAgAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAoACQAXwAuAFAAUwBQAGEAdABoACsAJwBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAKgAnACkAIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAIAAiAFsAJABzAGkAZABdACAAJAAoACQAXwAuAEQAaQBzAHAAbABhAHkATgBhAG0AZQApACAAfAAgACQAKAAkAF8ALgBQAHUAYgBsAGkAcwBoAGUAcgApACIAIAB9AAoAfQAKACcAPQBFAEQARwBFACAARQBYAFQARQBOAFMASQBPAE4AUwA9ACcACgBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgBDADoAXABVAHMAZQByAHMAXAAqAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQBkAGcAZQBcAFUAcwBlAHIAIABEAGEAdABhAFwAKgBcAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAqACIAIAAtAEQAaQByAGUAYwB0AG8AcgB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AAoAIAAgACQAbQBmAD0ARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgACIAJAAoACQAXwAuAEYAdQBsAGwATgBhAG0AZQApAFwAKgBcAG0AYQBuAGkAZgBlAHMAdAAuAGoAcwBvAG4AIgAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoAIAAgAGkAZgAoACQAbQBmACkAewAgACQAbQA9AEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAbQBmAC4ARgB1AGwAbABOAGEAbQBlACAALQBSAGEAdwB8AEMAbwBuAHYAZQByAHQARgByAG8AbQAtAEoAcwBvAG4AOwAgACQAbgBtAD0AJABtAC4AbgBhAG0AZQA7ACAAaQBmACgAJABuAG0AIAAtAGwAaQBrAGUAIAAnAF8AXwBNAFMARwAqACcAKQB7ACQAbgBtAD0AIgBpAGQAOgAkACgAJABfAC4ATgBhAG0AZQApACIAfQA7ACAAJABuAG0AIAB9AAoAfQAgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIAAtAFUAbgBpAHEAdQBlAAoAJwA9AEMASABSAE8ATQBFACAARQBYAFQAIABJAEQAUwA9ACcACgBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgBDADoAXABVAHMAZQByAHMAXAAqAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXABVAHMAZQByACAARABhAHQAYQBcACoAXABFAHgAdABlAG4AcwBpAG8AbgBzAFwAKgAiACAALQBEAGkAcgBlAGMAdABvAHIAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAewAkAF8ALgBOAGEAbQBlAH0AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAALQBVAG4AaQBxAHUAZQAKACcAPQBEAE8ATgBFACAAUwBUAEEARwBFADMAPQAnAAoA
|
||||||
16
.khalsa-diag3.ps1
Normal file
16
.khalsa-diag3.ps1
Normal file
@@ -0,0 +1,16 @@
|
|||||||
|
$ErrorActionPreference='SilentlyContinue'
|
||||||
|
'=OFFICE/MCAFEE IN INVENTORY='
|
||||||
|
Get-Content C:\Windows\Temp\acg-diag1.txt | Select-String 'Office|365|McAfee' | ForEach-Object{$_.Line.Trim()} | Where-Object{$_ -notmatch '^Security Update|^Update for Microsoft|^Definition Update'} | Sort-Object -Unique
|
||||||
|
'=PER-USER INSTALLED APPS='
|
||||||
|
Get-ChildItem Registry::HKEY_USERS | Where-Object{$_.Name -match 'S-1-5-21' -and $_.Name -notmatch '_Classes'} | ForEach-Object{
|
||||||
|
$sid=$_.PSChildName
|
||||||
|
Get-ItemProperty ($_.PSPath+'\Software\Microsoft\Windows\CurrentVersion\Uninstall\*') | Where-Object DisplayName | ForEach-Object{ "[$sid] $($_.DisplayName) | $($_.Publisher)" }
|
||||||
|
}
|
||||||
|
'=EDGE EXTENSIONS='
|
||||||
|
Get-ChildItem "C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\*" -Directory | ForEach-Object{
|
||||||
|
$mf=Get-ChildItem "$($_.FullName)\*\manifest.json" | Select-Object -First 1
|
||||||
|
if($mf){ $m=Get-Content $mf.FullName -Raw|ConvertFrom-Json; $nm=$m.name; if($nm -like '__MSG*'){$nm="id:$($_.Name)"}; $nm }
|
||||||
|
} | Sort-Object -Unique
|
||||||
|
'=CHROME EXT IDS='
|
||||||
|
Get-ChildItem "C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*" -Directory | ForEach-Object{$_.Name} | Sort-Object -Unique
|
||||||
|
'=DONE STAGE3='
|
||||||
1
.khalsa-diag4.b64
Normal file
1
.khalsa-diag4.b64
Normal file
@@ -0,0 +1 @@
|
|||||||
|
JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJwA9AEgATwBTAFQAUwAgACgAbgBvAG4ALQBjAG8AbQBtAGUAbgB0ACkAPQAnAAoARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAGQAcgBpAHYAZQByAHMAXABlAHQAYwBcAGgAbwBzAHQAcwAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAgAC0AbQBhAHQAYwBoACAAJwBcAFMAJwAgAC0AYQBuAGQAIAAkAF8AIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAXgBcAHMAKgAjACcAfQAKACcAPQBXAEkATgBIAFQAVABQACAAUABSAE8AWABZAD0AJwAKAG4AZQB0AHMAaAAgAHcAaQBuAGgAdAB0AHAAIABzAGgAbwB3ACAAcAByAG8AeAB5ACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfACAALQBtAGEAdABjAGgAIAAnAFwAUwAnAH0ACgAnAD0AVQBTAEUAUgAgAFAAUgBPAFgAWQA9ACcACgBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBTAEUAUgBTACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATgBhAG0AZQAgAC0AbQBhAHQAYwBoACAAJwBTAC0AMQAtADUALQAyADEAJwAgAC0AYQBuAGQAIAAkAF8ALgBOAGEAbQBlACAALQBuAG8AdABtAGEAdABjAGgAIAAnAF8AQwBsAGEAcwBzAGUAcwAnAH0AIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsACgAgACAAJABwAD0ARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACgAJABfAC4AUABTAFAAYQB0AGgAKwAnAFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwASQBuAHQAZQByAG4AZQB0ACAAUwBlAHQAdABpAG4AZwBzACcAKQAKACAAIAAiAFsAJAAoACQAXwAuAFAAUwBDAGgAaQBsAGQATgBhAG0AZQApAF0AIABlAG4AYQBiAGwAZQA9ACQAKAAkAHAALgBQAHIAbwB4AHkARQBuAGEAYgBsAGUAKQAgAHMAZQByAHYAZQByAD0AJAAoACQAcAAuAFAAcgBvAHgAeQBTAGUAcgB2AGUAcgApACAAYQB1AHQAbwBjAGYAZwA9ACQAKAAkAHAALgBBAHUAdABvAEMAbwBuAGYAaQBnAFUAUgBMACkAIgAKAH0ACgAnAD0ARABOAFMAPQAnAAoARwBlAHQALQBEAG4AcwBDAGwAaQBlAG4AdABTAGUAcgB2AGUAcgBBAGQAZAByAGUAcwBzACAALQBBAGQAZAByAGUAcwBzAEYAYQBtAGkAbAB5ACAASQBQAHYANAAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAFMAZQByAHYAZQByAEEAZABkAHIAZQBzAHMAZQBzAH0AIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAIAAiACQAKAAkAF8ALgBJAG4AdABlAHIAZgBhAGMAZQBBAGwAaQBhAHMAKQA6ACAAJAAoACQAXwAuAFMAZQByAHYAZQByAEEAZABkAHIAZQBzAHMAZQBzACAALQBqAG8AaQBuACAAJwAsACcAKQAiACAAfQAKACcAPQBCAFIATwBXAFMARQBSACAAUwBFAEEAUgBDAEgALwBTAFQAQQBSAFQAVQBQAD0AJwAKAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAFUAcwBlAHIAIABEAGEAdABhAFwAKgBcAFAAcgBlAGYAZQByAGUAbgBjAGUAcwAiACwAIgBDADoAXABVAHMAZQByAHMAXAAqAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQBkAGcAZQBcAFUAcwBlAHIAIABEAGEAdABhAFwAKgBcAFAAcgBlAGYAZQByAGUAbgBjAGUAcwAiACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AAoAIAAgACQAdwBoAG8APQAkAF8ALgBGAHUAbABsAE4AYQBtAGUAIAAtAHIAZQBwAGwAYQBjAGUAIAAnAF4AQwA6AFwAXABVAHMAZQByAHMAXABcACgAWwBeAFwAXABdACsAKQAuACoAJwAsACcAJAAxACcACgAgACAAJABqAD0ARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAJABfAC4ARgB1AGwAbABOAGEAbQBlACAALQBSAGEAdwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuAAoAIAAgACQAcwBwAD0AJABqAC4AZABlAGYAYQB1AGwAdABfAHMAZQBhAHIAYwBoAF8AcAByAG8AdgBpAGQAZQByAF8AZABhAHQAYQAuAHQAZQBtAHAAbABhAHQAZQBfAHUAcgBsAF8AZABhAHQAYQAuAGsAZQB5AHcAbwByAGQACgAgACAAJABzAHUAPQAoACQAagAuAHMAZQBzAHMAaQBvAG4ALgBzAHQAYQByAHQAdQBwAF8AdQByAGwAcwAgAC0AagBvAGkAbgAgACcAOwAnACkACgAgACAAJABoAHAAPQAkAGoALgBoAG8AbQBlAHAAYQBnAGUACgAgACAAaQBmACgAJABzAHAAIAAtAG8AcgAgACQAcwB1ACAALQBvAHIAIAAkAGgAcAApAHsAIAAiAFsAJAB3AGgAbwAgACQAKAAkAF8ALgBEAGkAcgBlAGMAdABvAHIAeQAuAE4AYQBtAGUAKQBdACAAcwBlAGEAcgBjAGgAPQAkAHMAcAAgAHMAdABhAHIAdAB1AHAAPQAkAHMAdQAgAGgAbwBtAGUAPQAkAGgAcAAiACAAfQAKAH0ACgAnAD0AQgBSAE8AVwBTAEUAUgAgAFMASABPAFIAVABDAFUAVABTAD0AJwAKACQAcwBoAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsAAoARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAKgBcAEQAZQBzAGsAdABvAHAAXAAqAC4AbABuAGsAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABEAGUAcwBrAHQAbwBwAFwAKgAuAGwAbgBrACcALAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAUQB1AGkAYwBrACAATABhAHUAbgBjAGgAXABVAHMAZQByACAAUABpAG4AbgBlAGQAXABUAGEAcwBrAEIAYQByAFwAKgAuAGwAbgBrACcAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsACgAgACAAJABsAD0AJABzAGgALgBDAHIAZQBhAHQAZQBTAGgAbwByAHQAYwB1AHQAKAAkAF8ALgBGAHUAbABsAE4AYQBtAGUAKQAKACAAIABpAGYAKAAkAGwALgBUAGEAcgBnAGUAdABQAGEAdABoACAALQBtAGEAdABjAGgAIAAnAGMAaAByAG8AbQBlAHwAbQBzAGUAZABnAGUAfABmAGkAcgBlAGYAbwB4AHwAaQBlAHgAcABsAG8AcgBlACcAIAAtAGEAbgBkACAAJABsAC4AQQByAGcAdQBtAGUAbgB0AHMAIAAtAG0AYQB0AGMAaAAgACcAXABTACcAKQB7ACAAIgAkACgAJABfAC4ARgB1AGwAbABOAGEAbQBlACkAIAAtAD4AIAAkACgAJABsAC4AVABhAHIAZwBlAHQAUABhAHQAaAApACAAQQBSAEcAUwA6ACAAJAAoACQAbAAuAEEAcgBnAHUAbQBlAG4AdABzACkAIgAgAH0ACgB9AAoAJwA9AEQATwBOAEUAIABTAFQAQQBHAEUANAA9ACcACgA=
|
||||||
28
.khalsa-diag4.ps1
Normal file
28
.khalsa-diag4.ps1
Normal file
@@ -0,0 +1,28 @@
|
|||||||
|
$ErrorActionPreference='SilentlyContinue'
|
||||||
|
'=HOSTS (non-comment)='
|
||||||
|
Get-Content C:\Windows\System32\drivers\etc\hosts | Where-Object{$_ -match '\S' -and $_ -notmatch '^\s*#'}
|
||||||
|
'=WINHTTP PROXY='
|
||||||
|
netsh winhttp show proxy | Where-Object{$_ -match '\S'}
|
||||||
|
'=USER PROXY='
|
||||||
|
Get-ChildItem Registry::HKEY_USERS | Where-Object{$_.Name -match 'S-1-5-21' -and $_.Name -notmatch '_Classes'} | ForEach-Object{
|
||||||
|
$p=Get-ItemProperty ($_.PSPath+'\Software\Microsoft\Windows\CurrentVersion\Internet Settings')
|
||||||
|
"[$($_.PSChildName)] enable=$($p.ProxyEnable) server=$($p.ProxyServer) autocfg=$($p.AutoConfigURL)"
|
||||||
|
}
|
||||||
|
'=DNS='
|
||||||
|
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object{$_.ServerAddresses} | ForEach-Object{ "$($_.InterfaceAlias): $($_.ServerAddresses -join ',')" }
|
||||||
|
'=BROWSER SEARCH/STARTUP='
|
||||||
|
Get-ChildItem "C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences","C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences" | ForEach-Object{
|
||||||
|
$who=$_.FullName -replace '^C:\\Users\\([^\\]+).*','$1'
|
||||||
|
$j=Get-Content $_.FullName -Raw | ConvertFrom-Json
|
||||||
|
$sp=$j.default_search_provider_data.template_url_data.keyword
|
||||||
|
$su=($j.session.startup_urls -join ';')
|
||||||
|
$hp=$j.homepage
|
||||||
|
if($sp -or $su -or $hp){ "[$who $($_.Directory.Name)] search=$sp startup=$su home=$hp" }
|
||||||
|
}
|
||||||
|
'=BROWSER SHORTCUTS='
|
||||||
|
$sh=New-Object -ComObject WScript.Shell
|
||||||
|
Get-ChildItem 'C:\Users\*\Desktop\*.lnk','C:\Users\Public\Desktop\*.lnk','C:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*.lnk' | ForEach-Object{
|
||||||
|
$l=$sh.CreateShortcut($_.FullName)
|
||||||
|
if($l.TargetPath -match 'chrome|msedge|firefox|iexplore' -and $l.Arguments -match '\S'){ "$($_.FullName) -> $($l.TargetPath) ARGS: $($l.Arguments)" }
|
||||||
|
}
|
||||||
|
'=DONE STAGE4='
|
||||||
0
.khalsa-manual.err
Normal file
0
.khalsa-manual.err
Normal file
12989
.khalsa-manual.json
Normal file
12989
.khalsa-manual.json
Normal file
File diff suppressed because one or more lines are too long
12989
.khalsa-session.json
Normal file
12989
.khalsa-session.json
Normal file
File diff suppressed because one or more lines are too long
13016
.khalsa-session2.json
Normal file
13016
.khalsa-session2.json
Normal file
File diff suppressed because one or more lines are too long
13043
.khalsa-session3.json
Normal file
13043
.khalsa-session3.json
Normal file
File diff suppressed because one or more lines are too long
13070
.khalsa-session4.json
Normal file
13070
.khalsa-session4.json
Normal file
File diff suppressed because one or more lines are too long
1
.khalsa-ticket.json
Normal file
1
.khalsa-ticket.json
Normal file
File diff suppressed because one or more lines are too long
102
clients/valleywide/reports/2026-07-16-orders-breach-check.md
Normal file
102
clients/valleywide/reports/2026-07-16-orders-breach-check.md
Normal file
@@ -0,0 +1,102 @@
|
|||||||
|
# Breach Check + Remediation: Orders@valleywideplastering.com
|
||||||
|
|
||||||
|
**Date:** 2026-07-16
|
||||||
|
**Tenant:** Valleywide Plastering (valleywideplastering.com, 5c53ae9f-7071-4248-b834-8685b646450f)
|
||||||
|
**Subject:** Orders@valleywideplastering.com
|
||||||
|
**Tool:** ComputerGuru remediation app suite — tiers used: Security Investigator `bfbc12a4` (Graph reads), Investigator-EXO (Exchange reads), User Manager `64fac46b` (session revoke), Tenant Admin `709e6eed` (device deletion)
|
||||||
|
**Scope:** included remediation (device deletion + session revoke, confirmed by Winter in Discord)
|
||||||
|
**Requested by:** Winter (Discord @winterguru), thread 1527356833902362654
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
- **Confirmed AiTM token-theft compromise on 2026-07-02 17:20 UTC** — sign-in from datacenter IP 172.245.92.208 (ColoCrossing) to Microsoft Intune Enrollment with "MFA requirement satisfied by claim in the token" (replayed session token; CA MFA passed on the stolen claim).
|
||||||
|
- **Attacker registered persistence device `DESKTOP-YQL6X9KX`** at 2026-07-02 17:21:00Z (Entra workplace join under this account).
|
||||||
|
- **Partial remediation already occurred 2026-07-06** (~16:33–16:40 UTC): password reset twice + StsRefreshTokenValidFrom bumped via ComputerGuru Tenant Admin; MFA info updated 16:45 UTC.
|
||||||
|
- **Rogue device was still registered and ENABLED as of 2026-07-16** — deleted this session. Sessions re-revoked.
|
||||||
|
- Mailbox itself is clean: no rules (incl. hidden), no forwarding, no delegations, no OAuth grants, no outbound abuse.
|
||||||
|
- **Tenant sweep of attacker IP: only orders@ was touched** — no other VWP users saw sign-ins from 172.245.92.208 (30d window).
|
||||||
|
|
||||||
|
## Target details
|
||||||
|
|
||||||
|
| Field | Value |
|
||||||
|
|---|---|
|
||||||
|
| UPN | Orders@valleywideplastering.com |
|
||||||
|
| Object ID | 3739c527-f156-49b7-8779-a19033564a0f |
|
||||||
|
| Account Enabled | true |
|
||||||
|
| Created | 2023-03-17T21:54:40Z |
|
||||||
|
| Last Password Change | 2026-07-06T16:39:58Z |
|
||||||
|
|
||||||
|
## Per-check findings
|
||||||
|
|
||||||
|
### 1. Inbox rules (Graph)
|
||||||
|
0 rules.
|
||||||
|
|
||||||
|
### 2. Mailbox forwarding / settings
|
||||||
|
No forwarding configured (ForwardingAddress / ForwardingSmtpAddress empty). No auto-reply anomalies.
|
||||||
|
|
||||||
|
### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox)
|
||||||
|
0 hidden inbox rules. No non-SELF mailbox permissions. No non-SELF SendAs. No mailbox-level forwarding.
|
||||||
|
|
||||||
|
### 4. OAuth consents + app role assignments
|
||||||
|
0 OAuth grants, 0 app role assignments.
|
||||||
|
|
||||||
|
### 5. Authentication methods
|
||||||
|
3 methods, all outside the attack window (benign):
|
||||||
|
- passwordAuthenticationMethod
|
||||||
|
- microsoftAuthenticatorAuthenticationMethod — "iPhone 11" (user's phone)
|
||||||
|
- windowsHelloForBusinessAuthenticationMethod — created 2025-06-24T14:24:00Z (predates incident by a year)
|
||||||
|
|
||||||
|
### 6. Sign-ins (30d, interactive)
|
||||||
|
127 sign-ins. Dominant IP 4.18.160.106 (124 — office egress, Leesburg geo). Error-code mix normal (50072/50076/50079 MFA interrupts, 50140 KMSI).
|
||||||
|
|
||||||
|
- 7x 50126 (bad password) on 2026-07-06 16:35–22:16 UTC from the office IP = user retrying the OLD password during/after the 7/6 admin reset. Benign.
|
||||||
|
- **2x from 172.245.92.208 (ColoCrossing datacenter, LA geo) on 2026-07-02 17:20 UTC — Microsoft Authentication Broker → Microsoft Intune Enrollment, Chrome 150, `50199` then `0` (success). "MFA requirement satisfied by claim in the token" = token replay. CA "Require MFA for all users" = success (satisfied by stolen claim); "Block Sign-ins Outside US" notApplied (IP geolocates US).**
|
||||||
|
- The "non-US" flag in the script summary was a false positive: a 500142 redemption-continuation event from the office IP with no geo populated.
|
||||||
|
|
||||||
|
### 7. Directory audits
|
||||||
|
15 events (30d):
|
||||||
|
- 2026-07-02 17:21:01Z — "Add registered users to device" + "Add registered owner to device" via Device Registration Service (**attacker device join**).
|
||||||
|
- 2026-07-06 16:33 + 16:39 UTC — two password resets + StsRefreshTokenValidFrom updates via ComputerGuru Tenant Admin / User Manager (prior remediation).
|
||||||
|
- 2026-07-06 16:45 UTC — Azure MFA StrongAuthenticationService "Update user" (MFA info re-registration after reset).
|
||||||
|
|
||||||
|
### 8. Risky users / risk detections
|
||||||
|
riskyUser endpoint returned 403 Forbidden — Security Investigator consent on this tenant is PARTIAL (missing User.Read.All, Sites.Read.All; IdentityRiskyUser likely part of the stale grant). riskDetections returned 0. Sign-in risk fields on the attack events are "hidden" (license/scope).
|
||||||
|
|
||||||
|
### 9. Sent items (recent 25)
|
||||||
|
Normal business traffic (orders to suppliers, internal scheduling). No blast patterns, no unusual externals.
|
||||||
|
|
||||||
|
### 10. Deleted items (recent 25)
|
||||||
|
Normal. No deleted security alerts or MFA notifications.
|
||||||
|
|
||||||
|
## Suspicious items
|
||||||
|
|
||||||
|
- AiTM token replay from 172.245.92.208 (ColoCrossing hosting) on 2026-07-02 17:20 UTC.
|
||||||
|
- Attacker-registered Entra device `DESKTOP-YQL6X9KX` (deviceId 850e5a7e-c7bb-4d65-9bc4-740e11a61ebc, objectId 575e7b36-8ec1-46df-b66b-c0228ca93c64), registered 2026-07-02 17:21:00Z, still enabled 14 days later. Never signed in after registration.
|
||||||
|
|
||||||
|
## Gaps — checks not completed
|
||||||
|
|
||||||
|
- Identity Protection riskyUser: 403 (partial Investigator consent). Fix: re-consent
|
||||||
|
`https://login.microsoftonline.com/5c53ae9f-7071-4248-b834-8685b646450f/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
|
||||||
|
- Consent audit grade AMBER: investigator (missing User.Read.All, Sites.Read.All), exchange-op (missing Mail.ReadWrite, MailboxSettings.ReadWrite), user-manager (missing Directory.ReadWrite.All). Re-consent links in consent-audit output.
|
||||||
|
|
||||||
|
## Next actions
|
||||||
|
|
||||||
|
1. [DONE this session] Delete rogue device — see below.
|
||||||
|
2. [DONE this session] Re-revoke sessions.
|
||||||
|
3. Re-consent the three AMBER apps on this tenant (any Global Admin, links above) — ACG.
|
||||||
|
4. Consider phishing-resistant MFA / token-protection CA for this tenant; the "Block Sign-ins Outside US" policy did not stop a US-datacenter AiTM proxy. — ACG, discuss with Mike.
|
||||||
|
5. User awareness: orders@ operator was almost certainly phished ~Jul 2; worth a heads-up to the client contact.
|
||||||
|
|
||||||
|
## Remediation actions
|
||||||
|
|
||||||
|
| Time (UTC) | Action | Tier | Result |
|
||||||
|
|---|---|---|---|
|
||||||
|
| 2026-07-16 ~17:0x | `DELETE /v1.0/devices/575e7b36-8ec1-46df-b66b-c0228ca93c64` (DESKTOP-YQL6X9KX) | tenant-admin | HTTP 204; verified — only legit device ORDERSTY remains registered to user |
|
||||||
|
| 2026-07-16 ~17:0x | `POST /v1.0/users/3739c527-f156-49b7-8779-a19033564a0f/revokeSignInSessions` | user-manager | HTTP 200, value=true |
|
||||||
|
|
||||||
|
Tenant-wide sign-in sweep for 172.245.92.208 (30d): only the two orders@ events on 2026-07-02. No lateral spread.
|
||||||
|
|
||||||
|
## Data artifacts
|
||||||
|
|
||||||
|
Raw JSON saved at `/tmp/remediation-tool/5c53ae9f-7071-4248-b834-8685b646450f/user-breach/Orders_valleywideplastering_com/` — files:
|
||||||
|
- 00_user.json, 01_inbox_rules_graph.json, 02_mailbox_settings.json, 03a_InboxRule_hidden.json, 03b_MailboxPermission.json, 03c_RecipientPermission.json, 03d_Mailbox.json, 04a_oauth_grants.json, 04b_app_role_assignments.json, 05_auth_methods.json, 06_signins.json, 07_dir_audits.json, 08a_risky_user.json, 08b_risk_detections.json, 09_sent.json, 10_deleted.json
|
||||||
@@ -0,0 +1,75 @@
|
|||||||
|
# VWP — Orders@ Breach Check + Remediation, Syncro #32557 + Billing
|
||||||
|
|
||||||
|
## User
|
||||||
|
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
|
||||||
|
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
|
||||||
|
- **Role:** automation (acting on the requester's behalf)
|
||||||
|
|
||||||
|
## Session Summary
|
||||||
|
|
||||||
|
Winter requested a security check on Orders@valleywideplastering.com via Discord (#tech-department, thread 1527356833902362654). Ran the remediation-tool workflow: consent audit (grade AMBER — three apps with partial grants), then full user-breach-check via Security Investigator + Investigator-EXO tiers.
|
||||||
|
|
||||||
|
Found a confirmed AiTM token-theft compromise from 2026-07-02 17:20 UTC: interactive sign-in from datacenter IP 172.245.92.208 (ColoCrossing) to Microsoft Intune Enrollment via Authentication Broker, with "MFA requirement satisfied by claim in the token" (replayed stolen session token — CA MFA passed on the stolen claim). 40 seconds later the attacker registered Entra device DESKTOP-YQL6X9KX to the account (persistence). The "Block Sign-ins Outside US" CA policy did not fire because the proxy IP geolocates to Los Angeles. Directory audits showed a prior partial remediation on 2026-07-06 (~16:33-16:40 UTC): two password resets + StsRefreshTokenValidFrom bumps via ComputerGuru Tenant Admin, MFA info updated 16:45. The mailbox itself was clean: 0 inbox rules (incl. hidden), no forwarding, no non-SELF delegations/SendAs, 0 OAuth grants, sent/deleted items normal. Auth methods all predate the incident (Authenticator iPhone 11; WHfB from 2025-06-24).
|
||||||
|
|
||||||
|
The rogue device DESKTOP-YQL6X9KX was still registered and ENABLED 14 days later. With Winter's explicit YES: deleted the device via tenant-admin tier (HTTP 204, verified only legit device ORDERSTY remains) and re-revoked all sessions via user-manager tier (HTTP 200). Tenant-wide sign-in sweep for 172.245.92.208 (30d): only orders@ was touched — no lateral spread. Full report written to clients/valleywide/reports/2026-07-16-orders-breach-check.md.
|
||||||
|
|
||||||
|
Created Syncro ticket #32557 for Valley Wide Plastering Inc (customer 31694734) via /syncro with Winter's API key (attribution), status Resolved, priority 1 High, assigned Winter (1737), Initial Issue comment customer-emailed at Winter's direction (Do Not Email = no). Billed 0.5 hrs Labor - Remote Business (product 1190473, $150/hr): VWP is prepaid — block went 16.25 → 15.75 hrs, invoice #68050 total $0.00 with note "Block hours remaining: 15.75.", ticket marked Invoiced. Bot alerts posted to #bot-alerts for both writes.
|
||||||
|
|
||||||
|
## Key Decisions
|
||||||
|
|
||||||
|
- Used investigator/investigator-exo tiers for all reads; escalated to tenant-admin only for the device DELETE and user-manager for the session revoke (minimum privilege).
|
||||||
|
- Deleted (not just disabled) the rogue device after Winter's explicit YES — it had never signed in since registration and had no legitimate claim.
|
||||||
|
- Re-revoked sessions after device deletion even though a 7/6 revoke existed (belt-and-suspenders — device registration postdated nothing, but revoke is free).
|
||||||
|
- Judged the script's "non-US: 1" flag a false positive (a 500142 event from the office IP with no geo populated); the real finding was the US-datacenter IP that geo checks cannot catch.
|
||||||
|
- Judged the 7x 50126 failures on 7/6 benign: office-IP retries of the old password during the admin reset window.
|
||||||
|
- Initial Issue comment posted with do_not_email: false at Winter's explicit instruction (customer gets notified).
|
||||||
|
- Billed with the delivery-channel product (1190473 remote) per prepaid rules — NOT 9269129; verified block decrement post-invoice.
|
||||||
|
|
||||||
|
## Problems Encountered
|
||||||
|
|
||||||
|
- riskyUser endpoint returned 403 — Security Investigator consent on this tenant is PARTIAL (missing User.Read.All, Sites.Read.All). Documented re-consent URL in the report; not blocking.
|
||||||
|
- Consent audit AMBER: investigator, exchange-op, user-manager all have stale partial grants. Re-consent links in the report's Gaps section.
|
||||||
|
|
||||||
|
## Configuration Changes
|
||||||
|
|
||||||
|
- Created: `clients/valleywide/reports/2026-07-16-orders-breach-check.md` (full breach report)
|
||||||
|
- Created: this session log
|
||||||
|
- M365 tenant (5c53ae9f-7071-4248-b834-8685b646450f): deleted Entra device object 575e7b36-8ec1-46df-b66b-c0228ca93c64 (DESKTOP-YQL6X9KX, deviceId 850e5a7e-c7bb-4d65-9bc4-740e11a61ebc); revoked sign-in sessions for user 3739c527-f156-49b7-8779-a19033564a0f
|
||||||
|
|
||||||
|
## Credentials & Secrets
|
||||||
|
|
||||||
|
- None created or discovered. Vault paths used (app certs auto-resolved by get-token.sh): msp-tools/computerguru-security-investigator.sops.yaml, msp-tools/computerguru-exchange-operator.sops.yaml (via investigator-exo), msp-tools/computerguru-user-manager.sops.yaml, msp-tools/computerguru-tenant-admin.sops.yaml; msp-tools/syncro-winter (Syncro attribution).
|
||||||
|
|
||||||
|
## Infrastructure & Servers
|
||||||
|
|
||||||
|
- Tenant: valleywideplastering.com = 5c53ae9f-7071-4248-b834-8685b646450f
|
||||||
|
- Target user: Orders@valleywideplastering.com = 3739c527-f156-49b7-8779-a19033564a0f
|
||||||
|
- Attacker IP: 172.245.92.208 (ColoCrossing datacenter, geolocates Los Angeles)
|
||||||
|
- Office egress IP: 4.18.160.106 (geolocates Leesburg; 124/127 sign-ins)
|
||||||
|
- Legit device: ORDERSTY (registered 2025-04-08); rogue device: DESKTOP-YQL6X9KX (registered 2026-07-02 17:21:00Z, deleted 2026-07-16)
|
||||||
|
- Syncro customer: Valley Wide Plastering Inc (VWP) = 31694734, prepaid block
|
||||||
|
|
||||||
|
## Commands & Outputs
|
||||||
|
|
||||||
|
- `bash scripts/consent-audit.sh valleywideplastering.com` → GRADE: AMBER (investigator, exchange-op, user-manager partial)
|
||||||
|
- `bash scripts/user-breach-check.sh valleywideplastering.com Orders@valleywideplastering.com` → artifacts at /tmp/remediation-tool/5c53ae9f-7071-4248-b834-8685b646450f/user-breach/Orders_valleywideplastering_com/
|
||||||
|
- `DELETE /v1.0/devices/575e7b36-8ec1-46df-b66b-c0228ca93c64` (tenant-admin) → HTTP 204
|
||||||
|
- `POST /v1.0/users/3739c527-f156-49b7-8779-a19033564a0f/revokeSignInSessions` (user-manager) → HTTP 200 value=true
|
||||||
|
- `GET /auditLogs/signIns?$filter=ipAddress eq '172.245.92.208'` → only the two orders@ events on 2026-07-02
|
||||||
|
- Syncro: POST /tickets → id 113912233 (#32557); comment 424044507 (Initial Issue), comment 424044987 (Resolution); line item 43297806 (0.5h @ $150); POST /invoices → 1651071811 (#68050, $0.00); PUT invoice note; PUT status Invoiced
|
||||||
|
|
||||||
|
## Pending / Incomplete Tasks
|
||||||
|
|
||||||
|
- Re-consent the three AMBER apps on the VWP tenant (any Global Admin; URLs in the report Gaps section) — enables Identity Protection risk reads.
|
||||||
|
- Discuss phishing-resistant MFA / token-protection CA for VWP with Mike — geo-block CA did not stop the US-datacenter AiTM proxy.
|
||||||
|
- Client user awareness: orders@ operator was likely phished ~Jul 2.
|
||||||
|
|
||||||
|
## Reference Information
|
||||||
|
|
||||||
|
- Report: clients/valleywide/reports/2026-07-16-orders-breach-check.md
|
||||||
|
- Syncro ticket: #32557 → https://computerguru.syncromsp.com/tickets/113912233
|
||||||
|
- Syncro invoice: #68050 (id 1651071811), $0.00, applied 0.5 prepay hrs; block 16.25 → 15.75
|
||||||
|
- Discord thread: 1527356833902362654 (#tech-department)
|
||||||
|
- Bot alerts: message_ids 1527360784940798073 (ticket create), 1527361632278286386 (billing)
|
||||||
|
- Raw artifacts: /tmp/remediation-tool/5c53ae9f-7071-4248-b834-8685b646450f/user-breach/Orders_valleywideplastering_com/
|
||||||
|
- Prior related log: clients/valleywide/reports/2026-06-29-offboarding-teresa-carpio.md
|
||||||
@@ -22,6 +22,9 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
|
|||||||
2026-07-15 | Howard-Home | msp360/backups | [correction] assumed LAB-SVR (Len's Auto) is a live machine needing attention; correct is LAB-SVR was RETIRED and replaced by LAB-SERVER — repeated correction from Howard
|
2026-07-15 | Howard-Home | msp360/backups | [correction] assumed LAB-SVR (Len's Auto) is a live machine needing attention; correct is LAB-SVR was RETIRED and replaced by LAB-SERVER — repeated correction from Howard
|
||||||
|
|
||||||
2026-07-15 | Howard-Home | cascades-verification | [correction] reported Synology-to-server sync as 'overstated/partial' from stale wiki (6/18 note); correct is: shared-folder syncs to the server ARE set up — Howard confirmed. Wiki Team Folder [PENDING] lines are stale
|
2026-07-15 | Howard-Home | cascades-verification | [correction] reported Synology-to-server sync as 'overstated/partial' from stale wiki (6/18 note); correct is: shared-folder syncs to the server ARE set up — Howard confirmed. Wiki Team Folder [PENDING] lines are stale
|
||||||
|
2026-07-15 | GURU-BEAST-ROG | discord-bot/attachments | attachment save failing: .attachments/<thread> dir touched but image.png never written (2 attempts, thread 1527062493246263478) [ctx: user=winter]
|
||||||
|
|
||||||
|
2026-07-15 | GURU-BEAST-ROG | screenconnect/bash | [friction] printf interpreted in Windows path as vertical tab, mangled SC command; fix: build cmd with echo single-quoted lines not printf format escapes
|
||||||
|
|
||||||
2026-07-15 | Howard-Home | prairie-schooner/cutover | [correction] assumed a separate USG gateway existed at .136 and was removed at cutover; correct is the .136 device WAS the USW-Lite-16-PoE switch (kept + adopted into UDM Pro) - only the SonicWall was removed
|
2026-07-15 | Howard-Home | prairie-schooner/cutover | [correction] assumed a separate USG gateway existed at .136 and was removed at cutover; correct is the .136 device WAS the USW-Lite-16-PoE switch (kept + adopted into UDM Pro) - only the SonicWall was removed
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user