claudetools/wiki/clients/ucryo.md
Mike Swanson 0413df8459 sync: auto-sync from GURU-5070 at 2026-06-02 18:44:13
2026-06-02 18:44:21 -07:00


---
type: client
name: ucryo
display_name: Universal Cryogenics
last_compiled: 2026-06-02
compiled_by: GURU-5070/claude-main
sources:
  - clients/ucryo/session-logs/2026-06-02-session.md
  - clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.md
  - clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.md
  - clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.md
  - clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.md
  - clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.md
  - clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.md
  - clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.md
  - clients/ucryo/onboarding-baselines/LILO-20260603T005456.md
backlinks:
  - projects/gururmm
---

# Universal Cryogenics

Industrial cryogenics company. ACG onboarded 2026-06-02. Domain: ucryo.local. Client shortname / code: UCRYO. Two Windows Server 2012 R2 Essentials hosts (one DC, one Hyper-V/Veeam backup host) plus six domain-joined Windows workstations. All 8 agents graded RED on initial diagnostic. Active security history: December 2019 TrickBot infection on the domain controller, remediated 2026-06-02 with one critical open item remaining (KRBTGT/domain credential reset confirmation).


## Profile

  • Client code: UCRYO
  • Domain: ucryo.local
  • MSP360 backup contact: richard@ucryo.com
  • Key contacts: richard@ucryo.com (billing/backup contact — verify identity)
  • Management stack (ACG-deployed): GuruRMM, ScreenConnect (instance-kgc7jt-relay.screenconnect.com), Splashtop Streamer, Syncro

## Infrastructure

### Servers

| Host | OS | Role | Agent ID | Notes |
|---|---|---|---|---|
| UC2-SERVER | Windows Server 2012 R2 Essentials (build 9600) | Domain Controller (AD DS, DNS, DHCP, WSUS, AD CS), File Server | 64cff183-429c-44bf-aebd-55386417a494 | Guest VM (Hyper-V on WIN-709JUVCJ2DQ). Drives C: (500 GB) and E: (931 GB; shares OFFICE DOCS, Projects, QB2020, UCDATA, x-files, Offsite Archive). MSP360 backup plan "Ucryo Files". IP: 172.29.0.5. SMBv1 ENABLED. |
| WIN-709JUVCJ2DQ | Windows Server 2012 R2 Essentials (build 9600) | Hyper-V + Veeam backup host (VBRCatalog, Veeam-Scripts) | b7311d8a-6c5e-4aa5-9abf-79212d344009 | Physical Dell PowerEdge 2950 (serial 762F0G1). UC2-SERVER is likely a guest VM on this host. Drives C:/E:/F:/M: (M: is 4.7 TB MWF-Backup). IP: 172.29.0.4. Workgroup (not domain-joined). SMBv1 ENABLED. E: critically low (4.1% free, 40.4 GB of 983.6 GB). Veeam services stopped. |

### Workstations

| Host | OS | Form Factor | Agent ID | Notable |
|---|---|---|---|---|
| DESKTOP-PMML1JC | Windows 11 Pro (build 26200) | Laptop (Lenovo 81Y8) | 286cf717-86ac-4985-b0a6-0254fba0dfdb | Broken domain secure channel. 3 disk errors in 14 days. BitLocker off. OpenVPN + NordLynx present. |
| KIRBY | Windows 10 Pro (build 19045) | Laptop (Lenovo 82K8) | 82f16929-ec3c-434b-81f9-84b63e0af56d | BitLocker OFF on a laptop — primary critical. Win10 22H2 EOL (2025-10-14). 4 pending patches. |
| gromit | Windows 10 Pro (build 19045) | Desktop (Lenovo 20FRS1RQ00) | 20da3f2f-6bef-4d8c-b6fa-141d47a01d52 | Win10 22H2 EOL. 9 pending patches. BitLocker off. Group Policy Client service stopped. |
| hobbes | Windows 10 Pro (build 19045) | Laptop (Dell Precision M4800) | a336deb1-6d09-4ade-b2c3-0b258664f4bd | Win10 22H2 EOL. BitLocker off. 1 unexpected shutdown + 1 disk error in 14 days. |
| hoborg | Windows 10 Pro (build 19045) | Laptop (Lenovo 20ENCTO1WW) | 89ee0a5d-49f2-4334-8e49-eaafa389e9ec | Win10 22H2 EOL. BitLocker off. Toshiba SSD SMART Warning (wear=100%) — imminent failure risk. Dual AV: Defender + SentinelOne. |
| lilo | Windows 10 Pro (build 19045) | Laptop (Lenovo 20EQS12M00) | 5d0bdfc0-cb58-496f-b9bd-d585eb643d85 | Win10 22H2 EOL. BitLocker off. Uptime 82 days. |

All agents GuruRMM v0.6.54.


## GuruRMM Onboarding

Onboarded 2026-06-02. Single site "Main".

| Field | Value |
|---|---|
| client_id | f954f150-3605-4ef7-82e7-6b942883cb00 |
| site_id | 345e59d2-ca30-4b9c-b703-c19915b47753 |
| site_code | LIGHT-WOLF-2305 |
| Installer page | https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305 |
| MSI URL | https://rmm.azcomputerguru.com/api/sites/345e59d2-ca30-4b9c-b703-c19915b47753/installer |
| Vault | clients/ucryo/gururmm-site-main.sops.yaml (fields: client_id, site_id, site_code, api_key, installer_url, msi_url) |

## [WARNING] Security History — 2019 TrickBot Incident

This section must be reviewed before any domain-level changes.

### Background

In December 2019, TrickBot infected UC2-SERVER (the domain controller). A hidden SYSTEM scheduled task named "System Health Application" (boot trigger + every 12 minutes, RunLevel HighestAvailable) launched a module loader from the SYSTEM profile. The launcher EXE was already gone by the time of discovery; the task had been failing every run since with error 0x80070002 (FILE_NOT_FOUND). The TrickBot module folder remained intact under the SYSTEM profile:

C:\Windows\system32\config\systemprofile\AppData\Roaming\syshealth\

Modules present: injectDll64, pwgrab64, psfin64, importDll64, tabDll64, mwormDll64, mshareDll64, networkDll64, NewBCtestnDll64, plus dinj/dpost/sinj config files and settings.ini.

WIN-709JUVCJ2DQ was swept clean — no TrickBot artifacts found.

### Remediation (2026-06-02)

All cleanup was done read-only first, then gated on explicit client confirmation before any writes (DC-safety protocol):

  1. Quarantined the module folder: C:\Quarantine\syshealth-trickbot-20260602-170235\
  2. Deleted the scheduled task "System Health Application"
  3. Removed the original folder ...syshealth\

Quarantine copy is preserved at C:\Quarantine\syshealth-trickbot-20260602-170235\ as an IR record.

No active C2 traffic was expected — the launcher had been gone for years and the task was failing continuously.

No free Ryuk decryptor exists. A reported "crypto" folder of encrypted data could not be located on either server; client concluded it was misremembered.

### [OPEN — CRITICAL] KRBTGT / Domain Credential Reset

pwgrab64 (credential theft module) ran on a domain controller in 2019. This means domain credentials, service account passwords, and the KRBTGT hash were potentially exposed at that time. Standard post-DC-compromise IR requires:

  • Double-rotation of the KRBTGT password (with a DC replication interval between rotations)
  • Reset of all domain user passwords and service account passwords

Status: UNCONFIRMED. Whether a post-incident credential/KRBTGT reset was performed in 2019 or afterward has not been verified with the client. Until confirmed, the residual risk is an unrotated KRBTGT on a domain that had a credential-theft module running with SYSTEM privileges on the DC.

Action required: Ask the client or review any 2019/2020 IT records. If the reset was never done, execute it during a scheduled maintenance window.
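A read-only check for this open item, added here as an example (not from the session log or ACG tooling): it reads the KRBTGT PasswordLastSet and lists enabled accounts whose password predates the exposure window. The 2019-12-01 cutoff is an assumption taken from the incident month; the reset itself is a write and stays in the maintenance window.

```powershell
# Added example, not from the session log: read-only check of whether KRBTGT and
# other domain accounts have been reset since the December 2019 TrickBot incident.
# Run on UC2-SERVER or any domain-joined host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: 2019-12-01 is the earliest possible exposure date (incident month per the record).
$exposure = Get-Date '2019-12-01'

$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
Write-Output "krbtgt PasswordLastSet: $($krbtgt.PasswordLastSet)"
if (-not $krbtgt.PasswordLastSet -or $krbtgt.PasswordLastSet -lt $exposure) {
    Write-Warning 'KRBTGT not rotated since the incident: double rotation still required.'
} else {
    Write-Output 'KRBTGT rotated after the incident; confirm a second rotation followed replication.'
}

# Enabled accounts whose password predates the exposure window are reset candidates.
# HasSPN flags accounts with a servicePrincipalName, i.e. likely service accounts.
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, servicePrincipalName |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $exposure } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'HasSPN'; e = { $_.servicePrincipalName.Count -gt 0 } } |
    Sort-Object PasswordLastSet
```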


## Backup

### MSP360 "Ucryo Files" Plan (UC2-SERVER)

| Field | Value |
|---|---|
| Plan name | "Ucryo Files" |
| Plan ID | 5a44fc46-ca94-4095-a645-889eaf754389 |
| Account | richard@ucryo.com |
| Target | Backblaze B2 (api001.backblazeb2.com) |
| Vault | msp-tools/msp360-api.sops.yaml (shared MSP360 API creds) |

Backblaze TLS failure — fixed 2026-06-02.

UC2-SERVER (Windows Server 2012 R2) was failing TLS negotiation to Backblaze. Root cause: the 64-bit .NET TLS registry keys were unset, which on legacy OS (2012 R2 / Win7-8 era) prevents .NET from negotiating TLS 1.2. First secure-channel error logged 2025-10-15; escalated to hard-failing by 2026-06-02.

Fix applied to UC2-SERVER:

  • HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319: SchUseStrongCrypto=1, SystemDefaultTlsVersions=1 (DWORD)
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319: same two values
  • Restarted "Online Backup Service" and "Online Backup Service Remote Management"

Post-fix verification: cbb plan -r "Ucryo Files" returned "Plan is started"; zero secure-channel errors in 5-minute window; scanned 474.9 GB, uploaded 2.15 GB.

Note: This fix is legacy-OS-specific. Do NOT apply it fleet-wide — modern OS (Server 2016/2019/2022, Win10/11) already negotiates TLS 1.2 by default; the missing keys are benign on those platforms.
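The same fix as a gated script, added here as an example (not the session's own commands): it applies the two values only on a build-9600-era host, reads them back for the verification record, and restarts the MSP360 services. The build-number cutoff and the service display-name wildcard are assumptions.

```powershell
# Added example, not from the session log: apply the legacy-OS .NET TLS 1.2 fix
# only where it applies, read the values back, then restart the MSP360 services.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

# Assumption: build 9600 (Server 2012 R2 / Windows 8.1) and older need the keys;
# later builds negotiate TLS 1.2 by default, so they are left untouched (per the note above).
if ($build -gt 9600) {
    Write-Output "Build $build negotiates TLS 1.2 by default; no registry change made."
    return
}

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$values = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions'

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $values) {
        Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    }
    # Read back for the verification record: both values should now be 1.
    Get-ItemProperty -Path $key |
        Select-Object @{ n = 'Key'; e = { $key } }, SchUseStrongCrypto, SystemDefaultTlsVersions
}

# The MSP360 services only pick up the new .NET defaults on restart
# (assumption: both services match the display-name wildcard below).
Get-Service -DisplayName 'Online Backup Service*' | Restart-Service -Verbose
```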

WIN-709JUVCJ2DQ has Veeam installed. All four primary Veeam services (VeeamBackupSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamMountSvc) were stopped at baseline time. Confirm Veeam job status and why services are stopped. (verify)


## Diagnostic Baselines — 2026-06-02

Baselines collected 2026-06-03T00:35 to 00:54 UTC (sequential run after a parallel run caused agent interruptions under concurrent load). Raw JSON snapshots are immutable at clients/ucryo/onboarding-baselines/.

### Per-Host Summary

| Host | Grade | Criticals | Warnings | Standout Findings |
|---|---|---|---|---|
| UC2-SERVER | RED | 1 | 5 | CRITICAL: SMBv1 enabled (WannaCry/EternalBlue vector). Defender cmdlet unavailable (Server 2012 R2). RDP enabled. 3 stopped auto-start services (AD CS, IIS, ShellHWDetection). 36.5-day uptime, reboot pending. BitLocker unavailable (verify). 12 local admins. EOL OS (build 9600 not in map). |
| WIN-709JUVCJ2DQ | RED | 2 | 4 | CRITICAL: SMBv1 enabled. CRITICAL: E: drive at 4.1% free (40.4 GB of 983.6 GB) — urgent. Defender unavailable. RDP enabled. Veeam services stopped. Not domain-joined (WORKGROUP). 36.5-day uptime. EOL OS. |
| DESKTOP-PMML1JC | RED | 3 | 3 | CRITICAL: BitLocker off (laptop). CRITICAL: 3 disk errors in 14 days. CRITICAL: Domain secure channel broken. 2 pending patches. |
| KIRBY | RED | 2 | 4 | CRITICAL: BitLocker OFF (laptop — highest data-at-rest risk). CRITICAL: Win10 22H2 EOL (2025-10-14). 4 pending patches. RDP enabled. Reboot pending, 35-day uptime. |
| gromit | RED | 1 | 5 | CRITICAL: Win10 22H2 EOL. BitLocker off (desktop). 9 pending patches. RDP enabled. Group Policy Client stopped. |
| hobbes | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. Unexpected shutdown + disk error in 14 days. RDP enabled. |
| hoborg | RED | 3 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. CRITICAL: Toshiba SSD SMART Warning (wear=100%) — replace immediately. Dual AV (Defender + SentinelOne — possible conflict). RDP enabled. |
| lilo | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. 82-day uptime. RDP enabled. Group Policy Client + TPM Provisioning stopped. |

### Fleet-Wide Patterns

  • All 8 hosts graded RED.
  • SMBv1 enabled on both servers (WannaCry/EternalBlue vector — disable before enabling any internet-facing services).
  • Win10 22H2 EOL on all 6 workstations (EOL 2025-10-14, no further security patches).
  • BitLocker absent on all 5 laptops (KIRBY, DESKTOP-PMML1JC, hobbes, hoborg, lilo) and the one desktop (gromit). Servers have BitLocker status UNKNOWN (cmdlet unavailable on 2012 R2).
  • RDP enabled on all 8 hosts — confirm firewall restriction to internal/VPN only.
  • No LAPS on servers. LAPS registry key present on workstations.
  • No backup agent on any workstation.

## Open Items / Follow-ups

| Priority | Item | Notes |
|---|---|---|
| CRITICAL | Confirm 2019 KRBTGT/domain credential reset | pwgrab64 ran on the DC — if reset never done, this is the primary residual risk. |
| HIGH | hoborg SSD replacement | Toshiba SMART Warning, wear=100%. Data backup first. |
| HIGH | WIN-709JUVCJ2DQ E: drive space | 4.1% free (40.4 GB). Identify what is consuming the volume and free/expand. |
| HIGH | Disable SMBv1 on UC2-SERVER and WIN-709JUVCJ2DQ | WannaCry/EternalBlue vector. `Set-SmbServerConfiguration -EnableSMB1Protocol $false` + remove feature. |
| HIGH | BitLocker on all 5 laptops | KIRBY highest priority (domain-joined laptop, unencrypted, mobile). Escrow recovery keys. |
| HIGH | Win10 22H2 EOL on 6 workstations | Feature update or OS upgrade required (EOL 2025-10-14). |
| MEDIUM | DESKTOP-PMML1JC domain secure channel | Run `Test-ComputerSecureChannel -Repair` or rejoin. |
| MEDIUM | Veeam services stopped on WIN-709JUVCJ2DQ | VeeamBackupSvc/CatalogSvc/CloudSvc/MountSvc all stopped — confirm Veeam job health. |
| MEDIUM | RDP exposure review — all 8 hosts | Confirm RDP is restricted to VPN or specific source IPs; not exposed to internet. |
| MEDIUM | hoborg dual AV (Defender + SentinelOne) | Verify intended AV; remove one to prevent conflicts. |
| LOW | UC2-SERVER stopped services | AD CS, IIS Admin, ShellHWDetection stopped — review if these should be running. |
| LOW | LAPS not deployed on servers | Deploy Windows LAPS or legacy AdmPwd to UC2-SERVER and WIN-709JUVCJ2DQ. |

## Reference

### IDs and URLs

| Resource | Value |
|---|---|
| GuruRMM client_id | f954f150-3605-4ef7-82e7-6b942883cb00 |
| GuruRMM site_id (Main) | 345e59d2-ca30-4b9c-b703-c19915b47753 |
| GuruRMM site_code | LIGHT-WOLF-2305 |
| Installer page | https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305 |
| MSP360 plan ID | 5a44fc46-ca94-4095-a645-889eaf754389 |
| MSP360 API base | https://api.mspbackups.com |
| ScreenConnect instance | instance-kgc7jt-relay.screenconnect.com (port 443) |
| ScreenConnect instance GUID | s=9f3db089-eb29-441d-a9d2-2c441bde8c78 |

### Vault Paths

| Secret | Vault Path |
|---|---|
| GuruRMM enrollment key (site Main) | clients/ucryo/gururmm-site-main.sops.yaml |
| MSP360 API credentials | msp-tools/msp360-api.sops.yaml |

### Diagnostic Baseline Files

clients/ucryo/onboarding-baselines/ — 8 immutable .json + .md pairs, timestamped 20260603T00xxxx UTC.


## Compilation Notes

Session logs read: clients/ucryo/session-logs/2026-06-02-session.md (onboarding session, primary source). All 8 diagnostic baseline files read in full.

First wiki article for this client. Onboarded 2026-06-02.

Open items flagged as unverified (verify):

  • KRBTGT/domain credential reset — not confirmed with client; must verify
  • Veeam job health on WIN-709JUVCJ2DQ — services stopped, backup status unknown
  • Key contacts beyond richard@ucryo.com — not yet documented