sync: auto-sync from GURU-BEAST-ROG at 2026-06-08 16:57:04

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-08 16:57:04
2026-06-08 16:57:09 -07:00
parent 31260814ee
commit ef569dc84b
2 changed files with 270 additions and 0 deletions

View File

@@ -0,0 +1,144 @@
# Kittle Design & Construction — Full M365 Sweep
**Date:** 2026-06-08
**Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
**Performed by:** ComputerGuru Security Investigator (read-only)
**Scope:** All 13 licensed mailboxes — inbox rules, SMTP forwarding, OAuth consents, MFA methods
---
## Summary
All critical findings from the 2026-04-23 breach check are confirmed resolved. No new active compromises found. Three legacy MFA cleanup items remain open (carried over from April).
---
## SMTP Forwarding — All Clean [OK]
This check was skipped in April (Exchange Admin role was missing on Security Investigator SP at that time). Now confirmed:
| Mailbox | ForwardingAddress | ForwardingSmtpAddress | Status |
|---|---|---|---|
| Accounting | none | none | [OK] |
| Admin | none | none | [OK] |
| Alexis | none | none | [OK] |
| Brandon | none | none | [OK] |
| Hayden | none | none | [OK] |
| Jason | none | none | [OK] |
| Joshua | none | none | [OK] |
| Ken | none | none | [OK] |
| Lori | none | none | [OK] |
| Marco | none | none | [OK] |
| Neal | none | none | [OK] |
| Scott | none | none | [OK] |
| Wrex | none | none | [OK] |
---
## Inbox Rules
| Mailbox | Rules Found | Status |
|---|---|---|
| Accounting | None | [OK] |
| Admin | None | [OK] |
| Alexis | None | [OK] — hidden rule "." confirmed deleted |
| Brandon | None | [OK] |
| Hayden | None | [OK] |
| Jason | None | [OK] |
| Joshua | None | [OK] |
| Ken | "Christina Micek" (copy-to-folder on emails sent TO Christina) | [OK] — benign org rule |
| Lori | None | [OK] |
| Marco | None | [OK] |
| Neal | None | [OK] |
| Scott | None | [OK] |
| Wrex | None | [OK] |
**Ken's prior "Admin" rule (Capital One/Bill.com/@flystucson.com filter) — CONFIRMED GONE [RESOLVED]**
---
## OAuth App Consents — No Suspicious Grants
| App | Publisher | Grant Type | Scope | Verdict |
|---|---|---|---|---|
| iOS Accounts | Apple Inc. (verified) | AllPrincipals | EAS.AccessAsUser.All, EWS.AccessAsUser.All | [OK] — standard iOS native mail |
| SharePoint Online Web Client Extensibility | Microsoft | AllPrincipals | Files.ReadWrite.All, Sites.FullControl.All, etc. | [OK] — Microsoft SP |
| Microsoft Teams | Microsoft | AllPrincipals | standard Teams scopes | [OK] |
| ComputerGuru AI Remediation | Arizona Computer Guru LLC (verified) | AllPrincipals | User.Read | [OK] — our app |
| QuickBooks Desktop | Intuit (verified) | Accounting only | Mail.Send | [OK] — QB uses it to send email |
| Gmail | Google LLC (verified) | Scott only | EAS.AccessAsUser.All, offline_access | [OK] — Scott using Gmail as email client |
| MyFiles (Samsung) | Samsung (unverified) | Jason only | Files.ReadWrite, User.Read | [OK] — Samsung My Files app (SM-X218U tablet) |
| One Calendar | Code Spark (verified) | Wrex only | Calendars.ReadWrite, Contacts.Read | [OK] — calendar sync app |
| Read AI | Unverified | Marco only | User.Read, email, offline_access | [OK] — meeting notes AI, low scope |
| Virtru | Unverified | AllPrincipals | User.Read only | [INFO] — email encryption, no mail access |
| BMO Secure Email (Echoworx) | Echoworx (verified) | AllPrincipals | User.Read only | [OK] — secure email portal |
**Old malicious app c5df10ae (Directory.ReadWrite.All, Mail.Send, 50+ scopes) — CONFIRMED GONE [RESOLVED]**
---
## MFA Authentication Methods
| User | Authenticator | Phone | Software OATH | Status |
|---|---|---|---|---|
| Accounting | SM-F731U1 | — | — | [OK] |
| Admin (Kimberly) | moto g power 5G | — | — | [OK] |
| Alexis | iPhone 12 Pro Max (x2) | +1 5206280921 | Yes (7d1425ca) | [WARNING] see below |
| Brandon | SM-F741U | — | — | [OK] |
| Hayden | iPhone 12 Pro Max | — | — | [OK] |
| Jason | SM-X218U | — | — | [OK] |
| Joshua | iPad Pro 11" (2nd gen) | — | — | [OK] |
| Ken | iPhone 12 Pro Max | — | — | [OK] |
| Lori | SM-G975U + SM-F766U | — | — | [WARNING] see below |
| Marco | iPhone 14 | — | — | [OK] |
| Neal | iPhone 16 Pro | — | — | [OK] |
| Scott | — | +1 5202884444 | — | [WARNING] no Authenticator app |
| Wrex | iPhone 14 | +1 5209122806 | — | [OK] |
### MFA Open Items
**[WARNING] Alexis — suspicious Authenticator still present:**
- Entry `c927402a-75c6-4a55-840a-86d1eea43a9b` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
- Entry `7365a870-4809-4fdc-9e9b-dcd76eddb8ef` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
- Both entries identical display names, both SoftwareTokenActivated. One is legitimate; one should be removed.
- Action: Ask Alexis how many Authenticator entries she sees in her Microsoft Authenticator app. If she sees only one kittlearizona.com account, remove `c927402a`.
- Alexis also has a software OATH token (7d1425ca) — if she doesn't use a hardware TOTP key, remove this too.
**[WARNING] Lori — old Samsung device still registered:**
- SM-G975U (Samsung S10+) — old phone
- SM-F766U (Samsung Z Flip) — current phone (presumably)
- Action: Confirm with Lori which is her current phone, then remove the old entry.
**[WARNING] Scott — phone-only MFA:**
- Only MFA method is SMS/call to +1 5202884444
- No Microsoft Authenticator enrolled
- SMS MFA is significantly weaker than app-based MFA
- Action: Enroll Scott in Microsoft Authenticator
---
## Resolved Findings (from 2026-04-23)
| Finding | Status |
|---|---|
| Alexis hidden inbox rule "." (routing Howmet emails) | [RESOLVED] — confirmed gone |
| Ken "Admin" inbox rule (Capital One/Bill.com/@flystucson.com) | [RESOLVED] — confirmed gone |
| Malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50 scopes) | [RESOLVED] — confirmed gone |
| IMAP legacy auth grant 9b504397 | [RESOLVED] — confirmed gone |
| SMTP forwarding check (was incomplete in April) | [RESOLVED] — all clean, confirmed 2026-06-08 |
---
## Outstanding Items
| Priority | Item | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove `c927402a`. Also remove software OATH token if unused. | Mike |
| P2 | Ask Lori: confirm current phone is the Z Flip (SM-F766U), then remove SM-G975U entry | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (replace phone-only MFA) | Mike |
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business) | Mike |
---
## Vault Paths Accessed
- `msp-tools/computerguru-security-investigator.sops.yaml` (investigator + investigator-exo tiers)
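Review bot: the Outstanding Items row "P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business)" conflicts with the session log in this same commit, which states the work was billed to a new ticket #32394 that is already invoiced and that #32207 is the April ticket; either drop the row or change it to #32394 and mark it done. Two smaller points in the same file. The "SMTP Forwarding — All Clean" verdict rests on per-mailbox Get-Mailbox output (ForwardingAddress, ForwardingSmtpAddress); the log says DeliverToMailboxAndForward was checked as well, so add that column, and state whether tenant-level mail flow (transport) rules with redirect or Bcc actions were reviewed, since Get-Mailbox and Get-InboxRule do not cover them. In the Alexis open item the two Authenticator entries are described as identical, yet the action names `c927402a` for removal without saying why that one rather than `7365a870`; record the creation timestamp of each entry, or which one matches the device she is holding, so the removal is not a guess.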

View File

@@ -0,0 +1,126 @@
# Session Log — 2026-06-08 — Mike — Kittle M365 Full Security Sweep
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
---
## Session Summary
Mike opened a Discord thread to check all kittlearizona.com M365 accounts for compromise. The bot loaded context from prior session logs and the wiki, surfacing the April 2026 breach check history: Alexis's confirmed compromise had been remediated, Ken's suspicious "Admin" inbox rule was unresolved, and SMTP forwarding had never been checked due to a missing Exchange Admin role on the Security Investigator SP.
A full read-only sweep was run against all 13 licensed mailboxes using the remediation-tool skill (investigator + investigator-exo tiers, certificate auth). Checks covered: SMTP forwarding, inbox rules, OAuth app consents, and MFA authentication methods for every user. Tokens were acquired fresh via get-token.sh against tenant 3d073ebe-806a-4a5e-9035-3c7c4a264fc0.
All critical April findings were confirmed resolved: Alexis's hidden inbox rule "." is gone, Ken's "Admin" rule (Capital One/Bill.com/@flystucson.com filter) is gone, and the malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50+ scopes) is fully removed from the tenant. SMTP forwarding was confirmed clean across all 13 mailboxes — the first time this check ran successfully on this tenant. All OAuth grants were identified and verified legitimate (QuickBooks Desktop, Gmail, iOS Accounts, Samsung MyFiles, One Calendar, Read AI, Virtru, BMO Secure Email). No new active compromises were found.
Three MFA cleanup items remain open from April: Alexis still has a duplicate suspicious Authenticator entry (c927402a), Lori still has an old Samsung S10+ registered, and Scott has phone-only MFA with no Authenticator app enrolled. A client-facing action guide was drafted for Mike to send to Kittle, and an Entra P1 upgrade recommendation was included. A Syncro ticket (#32394) was created, billed at 1.0 hr Labor - Remote Business ($150.00), invoiced, and marked Invoiced.
---
## Key Decisions
- Classified Ken's current "Christina Micek" inbox rule as benign — it copies emails sent TO that contact to a folder, consistent with an organizational filing rule.
- Confirmed the SMTP forwarding gap from April is now filled — all 13 mailboxes are clean on forwarding.
- Identified MyFiles (appId d5e6af94) as Samsung's native file manager app based on reply URLs (com.sec.android.app.myfiles bundle) and Jason's known Samsung tablet (SM-X218U). Not flagged as suspicious.
- Gmail EAS grant on Scott explains his email client setup (using Gmail to connect to M365 via EAS) — not a threat.
- QuickBooks Desktop Mail.Send on Accounting — verified Intuit as publisher, consistent with QB sending email on behalf of the Accounting mailbox.
- Recommended Entra P1 at minimum for Ken, Alexis, and Accounting — specifically to restore sign-in log visibility lost during the April investigation (no P1 = no Identity Protection, no Conditional Access, no sign-in logs).
- Billed against a new ticket (#32394) rather than appending to the April ticket (#32207) — different work scope (sweep + guide vs. initial breach response).
---
## Problems Encountered
- MFA check script failed on first run due to `UID` being a readonly bash variable. Fixed by renaming the variable to `OID` in the loop.
- OAuth service principal list was very long (100+ entries). Identified all notable non-Microsoft SPs by running targeted GET calls on each SP ID from the grants list rather than parsing the full list.
- Ollama unavailable on BEAST during this session — Syncro comment and line item descriptions drafted directly by Claude.
---
## Configuration Changes
- `clients/kittle-design/reports/2026-06-08-full-sweep.md` — created (full sweep report with all findings)
- `clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md` — created (this log)
---
## Credentials & Secrets
- No new credentials discovered or created.
- Tokens acquired via `get-token.sh` for tenant 3d073ebe-806a-4a5e-9035-3c7c4a264fc0:
- investigator tier (Graph read) — cached at `/tmp/remediation-tool/3d073ebe.../investigator.jwt`
- investigator-exo tier (Exchange read) — cached at `/tmp/remediation-tool/3d073ebe.../investigator-exo.jwt`
- Vault paths accessed: `msp-tools/computerguru-security-investigator.sops.yaml`
---
## Infrastructure & Servers
- **Tenant:** kittlearizona.com | ID: `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
- **Entra P1/P2:** NOT licensed — sign-in logs and Identity Protection unavailable
- **Exchange Admin role on Security Investigator SP:** Confirmed present (was missing in April)
- **SP Object IDs in tenant:**
- Security Investigator: `26e16c7a-0ac8-4f85-bdd7-992611bbd271`
- Exchange Operator: `775ec856-f032-4dcf-a499-ccf7f9bce07b`
- User Manager: `ea0277ab-497c-45f7-b88a-e2d53f54a4c7`
- Tenant Admin: `0caa0dde-3f8d-4d46-ab26-aa0d38add0b5`
- ComputerGuru AI Remediation: `2fd24cfa-8533-460f-9cbb-53cc4a32d3f5`
---
## Commands & Outputs
```bash
# Token acquisition
bash .claude/skills/remediation-tool/scripts/get-token.sh 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 investigator
bash .claude/skills/remediation-tool/scripts/get-token.sh 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 investigator-exo
# User list — 14 users returned (13 licensed + sysadmin)
GET /users?$select=id,displayName,userPrincipalName,assignedLicenses,accountEnabled
# Inbox rules — all clean except Ken (benign "Christina Micek" copy rule)
# Exchange REST: POST /adminapi/beta/{tenant}/InvokeCommand Get-InboxRule per mailbox
# SMTP forwarding — all 13 mailboxes: ForwardingAddress=none, ForwardingSmtpAddress=none, DeliverToMailboxAndForward=false
# Exchange REST: POST /adminapi/beta/{tenant}/InvokeCommand Get-Mailbox per mailbox
# Old malicious app check — confirmed absent
GET /servicePrincipals?$filter=appId eq 'c5df10ae-2aa7-4283-86ef-1884c267a9ac'
# Result: count=0
# OAuth grants — notable findings:
# - 654bae70 = QuickBooks Desktop (Intuit), Mail.Send on Accounting
# - d375a540 = Gmail (Google), EAS on Scott
# - f90fe4d2 = Samsung MyFiles, Files.ReadWrite on Jason
# - ccedcb63 = One Calendar (Code Spark), Calendars.ReadWrite on Wrex
# - 55a9597c = Read AI, User.Read on Marco
```
---
## Pending / Incomplete Tasks
| Priority | Item | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries in app. If only one kittlearizona.com account, remove `c927402a-75c6-4a55-840a-86d1eea43a9b`. Also remove software OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused. | Mike |
| P2 | Confirm with Lori: is current phone Samsung Z Flip (SM-F766U)? If yes, remove old SM-G975U entry `da5454c7-eaa8-4b67-9cb8-61ed1486d012`. | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (phone-only MFA at +1 5202884444 is weak) | Mike |
| P3 | Send client-facing MFA action guide + Entra P1 recommendation to Ken/Kimberly | Mike |
| P4 | Quote Entra P1 add-on for Kittle — recommend minimum coverage for Ken, Alexis, Accounting | Mike |
---
## Reference Information
- **Syncro ticket:** #32394 (ID: 112389608) — https://computerguru.syncromsp.com/tickets/112389608
- **Prior ticket:** #32207 (April 2026 breach check)
- **Sweep report:** `clients/kittle-design/reports/2026-06-08-full-sweep.md`
- **Wiki:** `wiki/clients/kittle-design.md` — needs recompile to reflect resolved findings and new open items
- **Tenant ID:** `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
- **Alexis user object ID:** `74a1eae1-c0dd-4544-a98f-3a18f809785a`
- **Suspicious Authenticator to remove:** `c927402a-75c6-4a55-840a-86d1eea43a9b` (Alexis, "iPhone 12 Pro Max")
- **Lori old Authenticator to remove:** `da5454c7-eaa8-4b67-9cb8-61ed1486d012` (SM-G975U)
- **Alexis OATH token to review:** `7d1425ca-27d0-444d-9c36-6b3780c77059`
- **Scott phone MFA:** +1 5202884444 (only MFA method)
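Review bot: the Commands & Outputs comment "User list — 14 users returned (13 licensed + sysadmin)" leaves the sysadmin account outside every check in this log and in the sweep report, which only tabulates the 13 licensed mailboxes; state explicitly whether its inbox rules, consents and MFA methods were swept or why it was excluded, since an account named sysadmin is the one most worth checking after a tenant compromise. Also, under Credentials & Secrets the two bearer tokens are recorded as cached in `/tmp/remediation-tool/3d073ebe.../*.jwt` with nothing on their lifetime or cleanup; note the file mode and whether they were deleted at session end, or that they expire on their own. Finally, the Key Decisions bullet "Identified MyFiles (appId d5e6af94)" uses a different identifier from the Commands entry "f90fe4d2 = Samsung MyFiles"; label which is the appId and which is the grant or service principal id so the two sections can be cross-referenced.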