sync: auto-sync from GURU-BEAST-ROG at 2026-06-08 16:57:04

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-08 16:57:04
This commit is contained in:
2026-06-08 16:57:09 -07:00
parent 31260814ee
commit ef569dc84b
2 changed files with 270 additions and 0 deletions


@@ -0,0 +1,126 @@
# Session Log — 2026-06-08 — Mike — Kittle M365 Full Security Sweep
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
---
## Session Summary
Mike opened a Discord thread to check all kittlearizona.com M365 accounts for compromise. The bot loaded context from prior session logs and the wiki, surfacing the April 2026 breach check history: Alexis's confirmed compromise had been remediated, Ken's suspicious "Admin" inbox rule was unresolved, and SMTP forwarding had never been checked due to a missing Exchange Admin role on the Security Investigator SP.
A full read-only sweep was run against all 13 licensed mailboxes using the remediation-tool skill (investigator + investigator-exo tiers, certificate auth). Checks covered: SMTP forwarding, inbox rules, OAuth app consents, and MFA authentication methods for every user. Tokens were acquired fresh via get-token.sh against tenant 3d073ebe-806a-4a5e-9035-3c7c4a264fc0.
All critical April findings were confirmed resolved: Alexis's hidden inbox rule "." is gone, Ken's "Admin" rule (Capital One/Bill.com/@flystucson.com filter) is gone, and the malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50+ scopes) is fully removed from the tenant. SMTP forwarding was confirmed clean across all 13 mailboxes — the first time this check ran successfully on this tenant. All OAuth grants were identified and verified legitimate (QuickBooks Desktop, Gmail, iOS Accounts, Samsung MyFiles, One Calendar, Read AI, Virtru, BMO Secure Email). No new active compromises were found.
Three MFA cleanup items remain open from April: Alexis still has a duplicate suspicious Authenticator entry (c927402a), Lori still has an old Samsung S10+ registered, and Scott has phone-only MFA with no Authenticator app enrolled. A client-facing action guide was drafted for Mike to send to Kittle, and an Entra P1 upgrade recommendation was included. A Syncro ticket (#32394) was created, billed at 1.0 hr Labor - Remote Business ($150.00), invoiced, and marked Invoiced.
---
## Key Decisions
- Classified Ken's current "Christina Micek" inbox rule as benign — it copies emails sent TO that contact to a folder, consistent with an organizational filing rule.
- Confirmed the SMTP forwarding gap from April is now filled — all 13 mailboxes are clean on forwarding.
- Identified MyFiles (appId d5e6af94) as Samsung's native file manager app based on reply URLs (com.sec.android.app.myfiles bundle) and Jason's known Samsung tablet (SM-X218U). Not flagged as suspicious.
- Gmail EAS grant on Scott explains his email client setup (using Gmail to connect to M365 via EAS) — not a threat.
- QuickBooks Desktop Mail.Send on Accounting — verified Intuit as publisher, consistent with QB sending email on behalf of the Accounting mailbox.
- Recommended Entra P1 at minimum for Ken, Alexis, and Accounting — specifically to restore sign-in log visibility lost during the April investigation (no P1 = no Identity Protection, no Conditional Access, no sign-in logs).
- Billed against a new ticket (#32394) rather than appending to the April ticket (#32207) — different work scope (sweep + guide vs. initial breach response).
---
## Problems Encountered
- MFA check script failed on first run due to `UID` being a readonly bash variable. Fixed by renaming the variable to `OID` in the loop.
- OAuth service principal list was very long (100+ entries). Identified all notable non-Microsoft SPs by running targeted GET calls on each SP ID from the grants list rather than parsing the full list.
- Ollama unavailable on BEAST during this session — Syncro comment and line item descriptions drafted directly by Claude.
---
## Configuration Changes
- `clients/kittle-design/reports/2026-06-08-full-sweep.md` — created (full sweep report with all findings)
- `clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md` — created (this log)
---
## Credentials & Secrets
- No new credentials discovered or created.
- Tokens acquired via `get-token.sh` for tenant 3d073ebe-806a-4a5e-9035-3c7c4a264fc0:
- investigator tier (Graph read) — cached at `/tmp/remediation-tool/3d073ebe.../investigator.jwt`
- investigator-exo tier (Exchange read) — cached at `/tmp/remediation-tool/3d073ebe.../investigator-exo.jwt`
- Vault paths accessed: `msp-tools/computerguru-security-investigator.sops.yaml`
---
## Infrastructure & Servers
- **Tenant:** kittlearizona.com | ID: `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
- **Entra P1/P2:** NOT licensed — sign-in logs and Identity Protection unavailable
- **Exchange Admin role on Security Investigator SP:** Confirmed present (was missing in April)
- **SP Object IDs in tenant:**
- Security Investigator: `26e16c7a-0ac8-4f85-bdd7-992611bbd271`
- Exchange Operator: `775ec856-f032-4dcf-a499-ccf7f9bce07b`
- User Manager: `ea0277ab-497c-45f7-b88a-e2d53f54a4c7`
- Tenant Admin: `0caa0dde-3f8d-4d46-ab26-aa0d38add0b5`
- ComputerGuru AI Remediation: `2fd24cfa-8533-460f-9cbb-53cc4a32d3f5`
---
## Commands & Outputs
```bash
# Token acquisition
bash .claude/skills/remediation-tool/scripts/get-token.sh 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 investigator
bash .claude/skills/remediation-tool/scripts/get-token.sh 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 investigator-exo
# User list — 14 users returned (13 licensed + sysadmin)
GET /users?$select=id,displayName,userPrincipalName,assignedLicenses,accountEnabled
# Inbox rules — all clean except Ken (benign "Christina Micek" copy rule)
# Exchange REST: POST /adminapi/beta/{tenant}/InvokeCommand Get-InboxRule per mailbox
# SMTP forwarding — all 13 mailboxes: ForwardingAddress=none, ForwardingSmtpAddress=none, DeliverToMailboxAndForward=false
# Exchange REST: POST /adminapi/beta/{tenant}/InvokeCommand Get-Mailbox per mailbox
# Old malicious app check — confirmed absent
GET /servicePrincipals?$filter=appId eq 'c5df10ae-2aa7-4283-86ef-1884c267a9ac'
# Result: count=0
# OAuth grants — notable findings:
# - 654bae70 = QuickBooks Desktop (Intuit), Mail.Send on Accounting
# - d375a540 = Gmail (Google), EAS on Scott
# - f90fe4d2 = Samsung MyFiles, Files.ReadWrite on Jason
# - ccedcb63 = One Calendar (Code Spark), Calendars.ReadWrite on Wrex
# - 55a9597c = Read AI, User.Read on Marco
```
---
## Pending / Incomplete Tasks
| Priority | Item | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries in app. If only one kittlearizona.com account, remove `c927402a-75c6-4a55-840a-86d1eea43a9b`. Also remove software OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused. | Mike |
| P2 | Confirm with Lori: is current phone Samsung Z Flip (SM-F766U)? If yes, remove old SM-G975U entry `da5454c7-eaa8-4b67-9cb8-61ed1486d012`. | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (phone-only MFA at +1 5202884444 is weak) | Mike |
| P3 | Send client-facing MFA action guide + Entra P1 recommendation to Ken/Kimberly | Mike |
| P4 | Quote Entra P1 add-on for Kittle — recommend minimum coverage for Ken, Alexis, Accounting | Mike |
---
## Reference Information
- **Syncro ticket:** #32394 (ID: 112389608) — https://computerguru.syncromsp.com/tickets/112389608
- **Prior ticket:** #32207 (April 2026 breach check)
- **Sweep report:** `clients/kittle-design/reports/2026-06-08-full-sweep.md`
- **Wiki:** `wiki/clients/kittle-design.md` — needs recompile to reflect resolved findings and new open items
- **Tenant ID:** `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
- **Alexis user object ID:** `74a1eae1-c0dd-4544-a98f-3a18f809785a`
- **Suspicious Authenticator to remove:** `c927402a-75c6-4a55-840a-86d1eea43a9b` (Alexis, "iPhone 12 Pro Max")
- **Lori old Authenticator to remove:** `da5454c7-eaa8-4b67-9cb8-61ed1486d012` (SM-G975U)
- **Alexis OATH token to review:** `7d1425ca-27d0-444d-9c36-6b3780c77059`
- **Scott phone MFA:** +1 5202884444 (only MFA method)
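Review bot: the Samsung MyFiles entry is recorded under two different identifiers, `d5e6af94` in Key Decisions ("Identified MyFiles (appId d5e6af94)") and `f90fe4d2` in Commands & Outputs ("f90fe4d2 = Samsung MyFiles, Files.ReadWrite on Jason"), and the log never says which is the appId and which is the service principal or oauth2PermissionGrant object ID; since the next sweep will diff against this log, label each short ID with its type (appId vs. servicePrincipal id vs. grant id) so the two lists reconcile, and apply the same labelling to the other four grant entries. Separately, the stated scope in the summary ("Checks covered: SMTP forwarding, inbox rules, OAuth app consents, and MFA authentication methods") omits mailbox delegation (Get-MailboxPermission and Get-RecipientPermission for FullAccess/SendAs) and tenant transport rules, both of which survive an inbox-rule and forwarding cleanup and are a common way to retain access after a confirmed compromise like Alexis's; they fit the existing per-mailbox Exchange REST InvokeCommand loop and should be added before the sweep is called "full". Minor: Reference Information commits a personal phone number and authentication-method object IDs to git history; consider keeping those in the sweep report under `clients/kittle-design/reports/` rather than the synced session log.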