azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from GURU-BEAST-ROG at 2026-05-29 16:34:25

Browse Source 
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-05-29 16:34:25
This commit is contained in:
Mike Swanson
2026-05-29 16:34:29 -07:00
parent 9e08eb5964
commit f576f7d686
3 changed files with 218 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.claude/skills/remediation-tool/references/tenant-consent.html
View File

@@ -114,6 +114,7 @@ const TENANTS = [
{ name: "Tucson Mountain Motors", domain: "tucsonmountainmotors.com", id: "ffdabd05-236b-4666-a7f5-cc40ae9f9122", status: "pending" }, { name: "Tucson Mountain Motors", domain: "tucsonmountainmotors.com", id: "ffdabd05-236b-4666-a7f5-cc40ae9f9122", status: "pending" },
{ name: "Valley Wide Plastering", domain: "valleywideplastering.com", id: "5c53ae9f-7071-4248-b834-8685b646450f", status: "done" }, { name: "Valley Wide Plastering", domain: "valleywideplastering.com", id: "5c53ae9f-7071-4248-b834-8685b646450f", status: "done" },
{ name: "Von's Carstar", domain: "vonscarstar.com", id: "53de51b9-a063-4f46-88ff-7c3468828ed9", status: "pending" }, { name: "Von's Carstar", domain: "vonscarstar.com", id: "53de51b9-a063-4f46-88ff-7c3468828ed9", status: "pending" },
{ name: "Barbara Grygutis", domain: "barbaragrygutis.com", id: "25998ddc-49e6-4234-9396-6c152ce4ea69", status: "done" },
]; ];
// Load done state from localStorage // Load done state from localStorage

126
clients/barbaragrygutis/session-logs/2026-05-29-session.md Normal file
View File

@@ -0,0 +1,126 @@
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
---
## Session Summary
Mike requested an account status check for barbara@barbaragrygutis.com, initially assuming the account lived on Neptune Exchange / ACG-DC16. RMM agents on both servers were queried via GuruRMM (both online, site: DF Server Storage). Neither returned any AD user or Exchange mailbox — the account did not exist on ACG infrastructure. A disconnected mailbox search on Neptune also returned nothing.
MX record lookup revealed the domain points to Microsoft 365 (barbaragrygutis-com.mail.protection.outlook.com), not Neptune. The tenant had not yet been onboarded to the ComputerGuru MSP app suite. Mike directed generating a Tenant Admin consent URL, which was sent to Barbara's Global Admin. After she consented, `onboard-tenant.sh` was run twice — the first pass created all SPs and assigned all directory roles but hit Graph replication lag on some appRoleAssignments; the second pass cleaned up all remaining permission gaps cleanly. All 5 apps are now fully onboarded (Defender skipped — no MDE license).
With the tenant onboarded, the Security Investigator app was used to pull Barbara's account status and sign-in logs. The account is enabled, cloud-only, with a password unchanged since December 2021. Sign-in logs revealed an active credential spray attack: 100+ blocked attempts over May 27-29 from Tor exit nodes, Linode VPS infrastructure, Hurricane Electric tunnels, and European proxy nodes — all blocked by Microsoft malicious IP detection (error 50053). Zero successful sign-ins were found in the 30-day log window. No mail forwarding and no inbox rules were identified. Critically, the tenant has no Conditional Access policies at all.
MFA detail check showed one registered device: Microsoft Authenticator on an iPhone 13 Pro Max (app version 6.8.1, SoftwareTokenActivated). No backup phone number registered. The `createdDateTime` field on the Authenticator registration was null, so the registration date cannot be confirmed. Mike elected not to take remediation action at this time.
A wiki article was created at `wiki/clients/barbaragrygutis.md` and a Syncro ticket (#32349) was opened under Barbara Grygutis Sculpture LLC (customer ID 133348) documenting the findings and pending remediation steps.
---
## Key Decisions
- Used RMM agents on ACG-DC16 and NEPTUNE (both enrolled in GuruRMM, site: DF Server Storage) rather than WinRM after WinRM timed out on both external and internal IPs for Neptune.
- Onboarded the tenant before querying account status — the Security Investigator app required consent to pull sign-in logs and auth methods.
- Re-ran `onboard-tenant.sh` a second time to backfill 4 appRoleAssignments that failed on first pass due to Graph SP replication delay (5-second sleep insufficient for a fresh tenant).
- No remediation taken (password reset, session revocation, CA policies) per Mike's direction — ticket opened for follow-up instead.
- Tenant added to `tenant-consent.html` consent dashboard and immediately marked done after successful onboarding.
- Session log placed under `clients/barbaragrygutis/` (new client directory) to match wiki slug structure.
---
## Problems Encountered
- **WinRM timeout on Neptune:** Both external (67.206.163.124) and internal (172.16.3.11) IPs timed out on port 5985. Resolved by switching to GuruRMM RMM agents on both machines.
- **`pywinrm` not installed:** Module not found on system Python and discord-bot venv. Installed via `py -m pip install pywinrm` — moot once RMM approach was used.
- **Graph replication lag on first onboard-tenant.sh run:** 4 appRoleAssignment grants failed with "Resource does not exist" immediately after SP creation. Resolved by re-running the script after a short interval; all grants succeeded on the second pass (idempotent).
- **Empty jq output on initial sign-in queries:** Filter queries using `$filter=userId eq '...'` returned empty output due to shell variable interpolation issue in the heredoc. Resolved by switching to URL-encoded query strings in the curl URL directly.
- **Sign-in log query initially returned no results:** First attempts at querying `auditLogs/signIns` returned empty — turned out to be a `jq` parse failure (control characters in response). Resolved by switching to `curl -w "\nHTTP:%{http_code}"` and processing raw JSON directly.
---
## Configuration Changes
- **Created:** `wiki/clients/barbaragrygutis.md` — new client wiki article
- **Modified:** `.claude/skills/remediation-tool/references/tenant-consent.html` — added Barbara Grygutis entry, status set to `done`
- **Created:** `clients/barbaragrygutis/session-logs/2026-05-29-session.md` — this file
---
## Credentials & Secrets
No new credentials created. Vault paths accessed:
- `infrastructure/gururmm-server.sops.yaml` — GuruRMM API credentials (for RMM agent dispatch)
- `clients/dataforth/neptune-exchange.sops.yaml` — Neptune Exchange credentials (attempted WinRM, unused)
MSP app credentials used (read from vault at token acquisition time):
- `msp-tools/computerguru-security-investigator.sops.yaml`
- `msp-tools/computerguru-tenant-admin.sops.yaml`
---
## Infrastructure & Servers
| Host | Role | Notes |
|---|---|---|
| NEPTUNE | Exchange Server 2016 | ACG-hosted, site: DF Server Storage. GuruRMM agent enrolled. WinRM not accessible externally or on 172.16.3.11 |
| ACG-DC16 | Windows DC | ACG domain controller, site: DF Server Storage. GuruRMM agent enrolled. No AD account found for barbara@ |
| barbaragrygutis.com M365 | Tenant | Tenant ID: `25998ddc-49e6-4234-9396-6c152ce4ea69`. MX: barbaragrygutis-com.mail.protection.outlook.com |
---
## Commands & Outputs
```bash
# MX check
nslookup -type=MX barbaragrygutis.com 8.8.8.8
# Result: barbaragrygutis-com.mail.protection.outlook.com (M365)
# Tenant ID resolution
bash .claude/skills/remediation-tool/scripts/resolve-tenant.sh barbaragrygutis.com
# Result: 25998ddc-49e6-4234-9396-6c152ce4ea69
# Onboarding (run twice — second pass clean)
bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh barbaragrygutis.com
# Result: [SUCCESS] Onboarding complete
# RMM commands dispatched:
# - ACG-DC16: Get-ADUser search by mail + UPN → no user found
# - NEPTUNE: Get-Mailbox + Get-Recipient wildcard search → no mailbox found
# - NEPTUNE: Get-MailboxStatistics disconnected mailboxes → zero disconnected mailboxes
```
**Sign-in attack summary (from Graph API):**
- 100 attempts in 30-day window, earliest 2026-05-27T15:15:28Z, latest 2026-05-29T17:41:50Z
- All errorCode 50053 (blocked: malicious IP)
- 100 unique IPs across Tor, Linode, Hurricane Electric, Limestone Networks, European proxy ranges
- Apps: Microsoft Azure CLI, Microsoft Online Services, OfficeHome, One Outlook Web
---
## Pending / Incomplete Tasks
- [ ] Confirm Barbara still controls the iPhone 13 Pro Max with Authenticator registered on account
- [ ] Force password reset (password is 4.5 years old and account is under active attack)
- [ ] Deploy CA policy: Require MFA for all users
- [ ] Deploy CA policy: Block legacy authentication
- [ ] Consider geo-restriction CA policy (all legitimate use expected to be US)
- [ ] Investigate auto-reply status — currently active/scheduled, may confirm account liveness to attackers
- [ ] Investigate Syncro duplicate: customer ID 641406 (grygutisstudios@dokotacom.net) — possible secondary contact or stale record
---
## Reference Information
- **Syncro ticket:** #32349 — https://computerguru.syncromsp.com/tickets/111566564
- **Syncro customer:** Barbara Grygutis Sculpture LLC — ID 133348
- **M365 tenant ID:** 25998ddc-49e6-4234-9396-6c152ce4ea69
- **Barbara's user object ID (Entra):** 11b4966e-1e5d-47f4-ad27-57d4713fab61
- **MFA device:** Authenticator ID 8f0e1723-18f6-40d4-8cc1-c4795840bba9 (iPhone 13 Pro Max)
- **Consent dashboard:** `.claude/skills/remediation-tool/references/tenant-consent.html`
- **Wiki article:** `wiki/clients/barbaragrygutis.md`
- **GuruRMM commands dispatched:**
- ACG-DC16 cmd: f1ebd858-1186-4317-ac78-62696067047b
- NEPTUNE mailbox cmd: a60781c7-cdc2-42a9-9c4b-370f9cc9f015
- NEPTUNE disconnected cmd: 3d997d11-a288-413a-ac14-c89091de2b4a

91
wiki/clients/barbaragrygutis.md Normal file
View File

@@ -0,0 +1,91 @@
---
type: client
name: barbaragrygutis
display_name: Barbara Grygutis Sculpture LLC
last_compiled: 2026-05-29
compiled_by: GURU-BEAST-ROG/discord-bot
sources:
- session-logs/2026-05-29-barbara-grygutis-m365-review.md
backlinks: []
---
# Barbara Grygutis Sculpture LLC
Artist / sculptor. ACG-hosted client. M365 tenant onboarded to ComputerGuru MSP app suite 2026-05-29.
---
## Profile
- **Primary email:** barbara@barbaragrygutis.com
- **Syncro customer ID:** 133348
- **Also in Syncro:** ID 641406 (email: grygutisstudios@dokotacom.net) — possible duplicate or secondary contact
---
## M365 / Identity
- **Domain:** barbaragrygutis.com
- **Tenant ID:** 25998ddc-49e6-4234-9396-6c152ce4ea69
- **MX:** barbaragrygutis-com.mail.protection.outlook.com (M365, NOT Neptune Exchange)
- **Licenses:** Exchange Online Plan 2, Power Automate Free
- **Account created:** 2021-12-22
- **Cloud-only:** Yes (no on-prem sync)
### MSP App Onboarding
Onboarded 2026-05-29. All 5 ComputerGuru tiered apps consented and directory roles assigned:
| App | Role Assigned |
|---|---|
| Security Investigator | Exchange Administrator |
| Exchange Operator | Exchange Administrator |
| Tenant Admin | Conditional Access Administrator |
| User Manager | User Administrator, Authentication Administrator |
| Defender Add-on | Skipped (no MDE license) |
---
## User Account: Barbara Grygutis
| Field | Value |
|---|---|
| UPN | Barbara@barbaragrygutis.com |
| Account enabled | Yes |
| User type | Member |
| Password last changed | 2021-12-24 (~4.5 years ago) |
| MFA device | iPhone 13 Pro Max (Microsoft Authenticator 6.8.1) |
| MFA phone | None registered |
| OAuth grants | EAS.AccessAsUser.All (Exchange ActiveSync — normal) |
---
## Security Status (as of 2026-05-29)
- **[WARNING] Active credential spray attack:** 100+ blocked attempts May 27-29, all blocked (error 50053 — malicious IP)
- **Attack infrastructure:** Tor exit nodes (185.220.101.x), Linode VPS (2600:3c02/3c03), Hurricane Electric tunnels, European proxy nodes (Germany)
- **Apps targeted:** Azure CLI, OfficeHome, Microsoft Online Services, One Outlook Web
- **Zero successful sign-ins** in 30-day log window
- **No mail forwarding configured**
- **No inbox rules found**
- **[CRITICAL] No Conditional Access policies on tenant** — no MFA enforcement, no legacy auth block
- **Auto-reply active** (scheduled) — may confirm account liveness to attackers
### Recommended Actions (pending)
- [ ] Confirm Barbara still controls the iPhone 13 Pro Max with Authenticator
- [ ] Force password reset
- [ ] Deploy CA: Require MFA for all users
- [ ] Deploy CA: Block legacy authentication
- [ ] Consider geo-restriction (US-only) given attack pattern
---
## History
| Date | Event |
|---|---|
| 2021-12-22 | Account created in M365 |
| 2021-12-24 | Password set (last change) |
| 2026-05-27 | Credential spray attack begins |
| 2026-05-29 | ACG onboarded tenant to MSP app suite; security review performed |