From f576f7d686ab6f0c7989f9cd2f2c92792306cd9d Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Fri, 29 May 2026 16:34:29 -0700 Subject: [PATCH] sync: auto-sync from GURU-BEAST-ROG at 2026-05-29 16:34:25 Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-05-29 16:34:25 --- .../references/tenant-consent.html | 1 + .../session-logs/2026-05-29-session.md | 126 ++++++++++++++++++ wiki/clients/barbaragrygutis.md | 91 +++++++++++++ 3 files changed, 218 insertions(+) create mode 100644 clients/barbaragrygutis/session-logs/2026-05-29-session.md create mode 100644 wiki/clients/barbaragrygutis.md diff --git a/.claude/skills/remediation-tool/references/tenant-consent.html b/.claude/skills/remediation-tool/references/tenant-consent.html index 44dcd5d..4d026e8 100644 --- a/.claude/skills/remediation-tool/references/tenant-consent.html +++ b/.claude/skills/remediation-tool/references/tenant-consent.html @@ -114,6 +114,7 @@ const TENANTS = [ { name: "Tucson Mountain Motors", domain: "tucsonmountainmotors.com", id: "ffdabd05-236b-4666-a7f5-cc40ae9f9122", status: "pending" }, { name: "Valley Wide Plastering", domain: "valleywideplastering.com", id: "5c53ae9f-7071-4248-b834-8685b646450f", status: "done" }, { name: "Von's Carstar", domain: "vonscarstar.com", id: "53de51b9-a063-4f46-88ff-7c3468828ed9", status: "pending" }, + { name: "Barbara Grygutis", domain: "barbaragrygutis.com", id: "25998ddc-49e6-4234-9396-6c152ce4ea69", status: "done" }, ]; // Load done state from localStorage diff --git a/clients/barbaragrygutis/session-logs/2026-05-29-session.md b/clients/barbaragrygutis/session-logs/2026-05-29-session.md new file mode 100644 index 0000000..4366745 --- /dev/null +++ b/clients/barbaragrygutis/session-logs/2026-05-29-session.md 
@@ -0,0 +1,126 @@ +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-BEAST-ROG +- **Role:** admin + +--- + +## Session Summary + +Mike requested an account status check for barbara@barbaragrygutis.com, initially assuming the account lived on Neptune Exchange / ACG-DC16. RMM agents on both servers were queried via GuruRMM (both online, site: DF Server Storage). Neither returned any AD user or Exchange mailbox — the account did not exist on ACG infrastructure. A disconnected mailbox search on Neptune also returned nothing. + +MX record lookup revealed the domain points to Microsoft 365 (barbaragrygutis-com.mail.protection.outlook.com), not Neptune. The tenant had not yet been onboarded to the ComputerGuru MSP app suite. Mike directed generating a Tenant Admin consent URL, which was sent to Barbara's Global Admin. After she consented, `onboard-tenant.sh` was run twice — the first pass created all SPs and assigned all directory roles but hit Graph replication lag on some appRoleAssignments; the second pass cleaned up all remaining permission gaps cleanly. All 5 apps are now fully onboarded (Defender skipped — no MDE license). + +With the tenant onboarded, the Security Investigator app was used to pull Barbara's account status and sign-in logs. The account is enabled, cloud-only, with a password unchanged since December 2021. Sign-in logs revealed an active credential spray attack: 100+ blocked attempts over May 27-29 from Tor exit nodes, Linode VPS infrastructure, Hurricane Electric tunnels, and European proxy nodes — all blocked by Microsoft malicious IP detection (error 50053). Zero successful sign-ins were found in the 30-day log window. No mail forwarding and no inbox rules were identified. Critically, the tenant has no Conditional Access policies at all. + +MFA detail check showed one registered device: Microsoft Authenticator on an iPhone 13 Pro Max (app version 6.8.1, SoftwareTokenActivated). No backup phone number registered. 
The `createdDateTime` field on the Authenticator registration was null, so the registration date cannot be confirmed. Mike elected not to take remediation action at this time. + +A wiki article was created at `wiki/clients/barbaragrygutis.md` and a Syncro ticket (#32349) was opened under Barbara Grygutis Sculpture LLC (customer ID 133348) documenting the findings and pending remediation steps. + +--- + +## Key Decisions + +- Used RMM agents on ACG-DC16 and NEPTUNE (both enrolled in GuruRMM, site: DF Server Storage) rather than WinRM after WinRM timed out on both external and internal IPs for Neptune. +- Onboarded the tenant before querying account status — the Security Investigator app required consent to pull sign-in logs and auth methods. +- Re-ran `onboard-tenant.sh` a second time to backfill 4 appRoleAssignments that failed on first pass due to Graph SP replication delay (5-second sleep insufficient for a fresh tenant). +- No remediation taken (password reset, session revocation, CA policies) per Mike's direction — ticket opened for follow-up instead. +- Tenant added to `tenant-consent.html` consent dashboard and immediately marked done after successful onboarding. +- Session log placed under `clients/barbaragrygutis/` (new client directory) to match wiki slug structure. + +--- + +## Problems Encountered + +- **WinRM timeout on Neptune:** Both external (67.206.163.124) and internal (172.16.3.11) IPs timed out on port 5985. Resolved by switching to GuruRMM RMM agents on both machines. +- **`pywinrm` not installed:** Module not found on system Python and discord-bot venv. Installed via `py -m pip install pywinrm` — moot once RMM approach was used. +- **Graph replication lag on first onboard-tenant.sh run:** 4 appRoleAssignment grants failed with "Resource does not exist" immediately after SP creation. Resolved by re-running the script after a short interval; all grants succeeded on the second pass (idempotent). 
+- **Empty jq output on initial sign-in queries:** Filter queries using `$filter=userId eq '...'` returned empty output due to shell variable interpolation issue in the heredoc. Resolved by switching to URL-encoded query strings in the curl URL directly. +- **Sign-in log query initially returned no results:** First attempts at querying `auditLogs/signIns` returned empty — turned out to be a `jq` parse failure (control characters in response). Resolved by switching to `curl -w "\nHTTP:%{http_code}"` and processing raw JSON directly. + +--- + +## Configuration Changes + +- **Created:** `wiki/clients/barbaragrygutis.md` — new client wiki article +- **Modified:** `.claude/skills/remediation-tool/references/tenant-consent.html` — added Barbara Grygutis entry, status set to `done` +- **Created:** `clients/barbaragrygutis/session-logs/2026-05-29-session.md` — this file + +--- + +## Credentials & Secrets + +No new credentials created. Vault paths accessed: +- `infrastructure/gururmm-server.sops.yaml` — GuruRMM API credentials (for RMM agent dispatch) +- `clients/dataforth/neptune-exchange.sops.yaml` — Neptune Exchange credentials (attempted WinRM, unused) + +MSP app credentials used (read from vault at token acquisition time): +- `msp-tools/computerguru-security-investigator.sops.yaml` +- `msp-tools/computerguru-tenant-admin.sops.yaml` + +--- + +## Infrastructure & Servers + +| Host | Role | Notes | +|---|---|---| +| NEPTUNE | Exchange Server 2016 | ACG-hosted, site: DF Server Storage. GuruRMM agent enrolled. WinRM not accessible externally or on 172.16.3.11 | +| ACG-DC16 | Windows DC | ACG domain controller, site: DF Server Storage. GuruRMM agent enrolled. No AD account found for barbara@ | +| barbaragrygutis.com M365 | Tenant | Tenant ID: `25998ddc-49e6-4234-9396-6c152ce4ea69`. 
MX: barbaragrygutis-com.mail.protection.outlook.com | + +--- + +## Commands & Outputs + +```bash +# MX check +nslookup -type=MX barbaragrygutis.com 8.8.8.8 +# Result: barbaragrygutis-com.mail.protection.outlook.com (M365) + +# Tenant ID resolution +bash .claude/skills/remediation-tool/scripts/resolve-tenant.sh barbaragrygutis.com +# Result: 25998ddc-49e6-4234-9396-6c152ce4ea69 + +# Onboarding (run twice — second pass clean) +bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh barbaragrygutis.com +# Result: [SUCCESS] Onboarding complete + +# RMM commands dispatched: +# - ACG-DC16: Get-ADUser search by mail + UPN → no user found +# - NEPTUNE: Get-Mailbox + Get-Recipient wildcard search → no mailbox found +# - NEPTUNE: Get-MailboxStatistics disconnected mailboxes → zero disconnected mailboxes +``` + +**Sign-in attack summary (from Graph API):** +- 100 attempts in 30-day window, earliest 2026-05-27T15:15:28Z, latest 2026-05-29T17:41:50Z +- All errorCode 50053 (blocked: malicious IP) +- 100 unique IPs across Tor, Linode, Hurricane Electric, Limestone Networks, European proxy ranges +- Apps: Microsoft Azure CLI, Microsoft Online Services, OfficeHome, One Outlook Web + +--- + +## Pending / Incomplete Tasks + +- [ ] Confirm Barbara still controls the iPhone 13 Pro Max with Authenticator registered on account +- [ ] Force password reset (password is 4.5 years old and account is under active attack) +- [ ] Deploy CA policy: Require MFA for all users +- [ ] Deploy CA policy: Block legacy authentication +- [ ] Consider geo-restriction CA policy (all legitimate use expected to be US) +- [ ] Investigate auto-reply status — currently active/scheduled, may confirm account liveness to attackers +- [ ] Investigate Syncro duplicate: customer ID 641406 (grygutisstudios@dokotacom.net) — possible secondary contact or stale record + +--- + +## Reference Information + +- **Syncro ticket:** #32349 — https://computerguru.syncromsp.com/tickets/111566564 +- **Syncro customer:** 
Barbara Grygutis Sculpture LLC — ID 133348 +- **M365 tenant ID:** 25998ddc-49e6-4234-9396-6c152ce4ea69 +- **Barbara's user object ID (Entra):** 11b4966e-1e5d-47f4-ad27-57d4713fab61 +- **MFA device:** Authenticator ID 8f0e1723-18f6-40d4-8cc1-c4795840bba9 (iPhone 13 Pro Max) +- **Consent dashboard:** `.claude/skills/remediation-tool/references/tenant-consent.html` +- **Wiki article:** `wiki/clients/barbaragrygutis.md` +- **GuruRMM commands dispatched:** + - ACG-DC16 cmd: f1ebd858-1186-4317-ac78-62696067047b + - NEPTUNE mailbox cmd: a60781c7-cdc2-42a9-9c4b-370f9cc9f015 + - NEPTUNE disconnected cmd: 3d997d11-a288-413a-ac14-c89091de2b4a diff --git a/wiki/clients/barbaragrygutis.md b/wiki/clients/barbaragrygutis.md new file mode 100644 index 0000000..6419ff2 --- /dev/null +++ b/wiki/clients/barbaragrygutis.md 
@@ -0,0 +1,91 @@ +--- +type: client +name: barbaragrygutis +display_name: Barbara Grygutis Sculpture LLC +last_compiled: 2026-05-29 +compiled_by: GURU-BEAST-ROG/discord-bot +sources: + - session-logs/2026-05-29-barbara-grygutis-m365-review.md +backlinks: [] +--- + +# Barbara Grygutis Sculpture LLC + +Artist / sculptor. ACG-hosted client. M365 tenant onboarded to ComputerGuru MSP app suite 2026-05-29. + +--- + +## Profile + +- **Primary email:** barbara@barbaragrygutis.com +- **Syncro customer ID:** 133348 +- **Also in Syncro:** ID 641406 (email: grygutisstudios@dokotacom.net) — possible duplicate or secondary contact + +--- + +## M365 / Identity + +- **Domain:** barbaragrygutis.com +- **Tenant ID:** 25998ddc-49e6-4234-9396-6c152ce4ea69 +- **MX:** barbaragrygutis-com.mail.protection.outlook.com (M365, NOT Neptune Exchange) +- **Licenses:** Exchange Online Plan 2, Power Automate Free +- **Account created:** 2021-12-22 +- **Cloud-only:** Yes (no on-prem sync) + +### MSP App Onboarding + +Onboarded 2026-05-29. 
All 5 ComputerGuru tiered apps consented and directory roles assigned: + +| App | Role Assigned | +|---|---| +| Security Investigator | Exchange Administrator | +| Exchange Operator | Exchange Administrator | +| Tenant Admin | Conditional Access Administrator | +| User Manager | User Administrator, Authentication Administrator | +| Defender Add-on | Skipped (no MDE license) | + +--- + +## User Account: Barbara Grygutis + +| Field | Value | +|---|---| +| UPN | Barbara@barbaragrygutis.com | +| Account enabled | Yes | +| User type | Member | +| Password last changed | 2021-12-24 (~4.5 years ago) | +| MFA device | iPhone 13 Pro Max (Microsoft Authenticator 6.8.1) | +| MFA phone | None registered | +| OAuth grants | EAS.AccessAsUser.All (Exchange ActiveSync — normal) | + +--- + +## Security Status (as of 2026-05-29) + +- **[WARNING] Active credential spray attack:** 100+ blocked attempts May 27-29, all blocked (error 50053 — malicious IP) +- **Attack infrastructure:** Tor exit nodes (185.220.101.x), Linode VPS (2600:3c02/3c03), Hurricane Electric tunnels, European proxy nodes (Germany) +- **Apps targeted:** Azure CLI, OfficeHome, Microsoft Online Services, One Outlook Web +- **Zero successful sign-ins** in 30-day log window +- **No mail forwarding configured** +- **No inbox rules found** +- **[CRITICAL] No Conditional Access policies on tenant** — no MFA enforcement, no legacy auth block +- **Auto-reply active** (scheduled) — may confirm account liveness to attackers + +### Recommended Actions (pending) + +- [ ] Confirm Barbara still controls the iPhone 13 Pro Max with Authenticator +- [ ] Force password reset +- [ ] Deploy CA: Require MFA for all users +- [ ] Deploy CA: Block legacy authentication +- [ ] Consider geo-restriction (US-only) given attack pattern + +--- + +## History + +| Date | Event | +|---|---| +| 2021-12-22 | Account created in M365 | +| 2021-12-24 | Password set (last change) | +| 2026-05-27 | Credential spray attack begins | +| 2026-05-29 | ACG 
onboarded tenant to MSP app suite; security review performed |
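Review bot: In the `tenant-consent.html` hunk the new entry hardcodes `status: "done"` in the `TENANTS` array even though the comment immediately below (`// Load done state from localStorage`) says done-state is tracked in the browser, so the page now has two sources of truth for this tenant and it is not clear which wins if they disagree; either drop the hardcoded status and let localStorage carry it, or document in the comment that the array value seeds the initial state. Also, the surrounding entries are alphabetical (Tucson Mountain Motors, Valley Wide Plastering, Von's Carstar) and "Barbara Grygutis" is appended at the end, so the new line belongs near the top of the list to keep that order.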
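Review bot: In the session-log hunk the attack figures look like a paginated result rather than a full count: the narrative says "100+ blocked attempts", but the Graph summary reports exactly "100 attempts in 30-day window" and exactly "100 unique IPs", which is what a single result page would produce if the `@odata.nextLink` was not followed; please confirm whether the `auditLogs/signIns` query was paged through before the totals in the log and the Syncro ticket are treated as complete. Separately, the "Problems Encountered" section records that `onboard-tenant.sh` had to be run twice because a 5-second sleep was not enough for SP replication; rather than documenting a manual re-run as the fix, the script should retry the failing `appRoleAssignment` grants with a backoff until the resource resolves, since the log already notes the operation is idempotent.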
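Review bot: In the wiki hunk the frontmatter `sources:` entry points at `session-logs/2026-05-29-barbara-grygutis-m365-review.md`, but the file this patch actually creates is `clients/barbaragrygutis/session-logs/2026-05-29-session.md`, so the reference is broken on commit and should be corrected to the real path. Two smaller consistency points in the same file: the text says "All 5 ComputerGuru tiered apps consented and directory roles assigned" while the table directly below marks "Defender Add-on | Skipped (no MDE license)", so it is 4 of 5 consented; and the History row reads "ACG onboarded tenant to MSP app suite" although the page elsewhere describes ACG as the hosting provider and the onboarding as being to the ComputerGuru MSP app suite, so the actor in that row should match.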