claudetools/wiki/clients/ucryo.md
Mike Swanson 0413df8459 sync: auto-sync from GURU-5070 at 2026-06-02 18:44:13
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-02 18:44:13
2026-06-02 18:44:21 -07:00

---
type: client
name: ucryo
display_name: Universal Cryogenics
last_compiled: 2026-06-02
compiled_by: GURU-5070/claude-main
sources:
- clients/ucryo/session-logs/2026-06-02-session.md
- clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.md
- clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.md
- clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.md
- clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.md
- clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.md
- clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.md
- clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.md
- clients/ucryo/onboarding-baselines/LILO-20260603T005456.md
backlinks:
- projects/gururmm
---
# Universal Cryogenics
Industrial cryogenics company. ACG onboarded 2026-06-02. Domain: `ucryo.local`. Client shortname / code: UCRYO. Two Windows Server 2012 R2 Essentials hosts (one DC, one Hyper-V/Veeam backup host) plus six domain-joined Windows workstations. All 8 agents graded RED on initial diagnostic. Active security history: December 2019 TrickBot infection on the domain controller, remediated 2026-06-02 with one critical open item remaining (KRBTGT/domain credential reset confirmation).
---
## Profile
- **Client code:** UCRYO
- **Domain:** ucryo.local
- **MSP360 backup contact:** richard@ucryo.com
- **Key contacts:** richard@ucryo.com (billing/backup contact — identity verify)
- **Management stack (ACG-deployed):** GuruRMM, ScreenConnect (instance `instance-kgc7jt-relay.screenconnect.com`), Splashtop Streamer, Syncro
---
## Infrastructure
### Servers
| Host | OS | Role | Agent ID | Notes |
|---|---|---|---|---|
| UC2-SERVER | Windows Server 2012 R2 Essentials (build 9600) | Domain Controller (AD DS, DNS, DHCP, WSUS, AD CS), File Server | `64cff183-429c-44bf-aebd-55386417a494` | Guest VM (Hyper-V on WIN-709JUVCJ2DQ). Drives C: (500 GB) and E: (931 GB; shares OFFICE DOCS, Projects, QB2020, UCDATA, x-files, Offsite Archive). MSP360 backup plan "Ucryo Files". IP: 172.29.0.5. SMBv1 ENABLED. |
| WIN-709JUVCJ2DQ | Windows Server 2012 R2 Essentials (build 9600) | Hyper-V + Veeam backup host (VBRCatalog, Veeam-Scripts) | `b7311d8a-6c5e-4aa5-9abf-79212d344009` | Physical Dell PowerEdge 2950 (serial 762F0G1). UC2-SERVER is likely a guest VM on this host. Drives C:/E:/F:/M: (M: is 4.7 TB MWF-Backup). IP: 172.29.0.4. Workgroup (not domain-joined). SMBv1 ENABLED. E: critically low (4.1% free, 40.4 GB of 983.6 GB). Veeam services stopped. |
### Workstations
| Host | OS | Form Factor | Agent ID | Notable |
|---|---|---|---|---|
| DESKTOP-PMML1JC | Windows 11 Pro (build 26200) | Laptop (Lenovo 81Y8) | `286cf717-86ac-4985-b0a6-0254fba0dfdb` | Broken domain secure channel. 3 disk errors in 14 days. BitLocker off. OpenVPN + NordLynx present. |
| KIRBY | Windows 10 Pro (build 19045) | Laptop (Lenovo 82K8) | `82f16929-ec3c-434b-81f9-84b63e0af56d` | **BitLocker OFF on a laptop — primary critical.** Win10 22H2 EOL (2025-10-14). 4 pending patches. |
| gromit | Windows 10 Pro (build 19045) | Desktop (Lenovo 20FRS1RQ00) | `20da3f2f-6bef-4d8c-b6fa-141d47a01d52` | Win10 22H2 EOL. 9 pending patches. BitLocker off. Group Policy Client service stopped. |
| hobbes | Windows 10 Pro (build 19045) | Laptop (Dell Precision M4800) | `a336deb1-6d09-4ade-b2c3-0b258664f4bd` | Win10 22H2 EOL. BitLocker off. 1 unexpected shutdown + 1 disk error in 14 days. |
| hoborg | Windows 10 Pro (build 19045) | Laptop (Lenovo 20ENCTO1WW) | `89ee0a5d-49f2-4334-8e49-eaafa389e9ec` | Win10 22H2 EOL. BitLocker off. **Toshiba SSD SMART Warning (wear=100%) — imminent failure risk.** Dual AV: Defender + SentinelOne. |
| lilo | Windows 10 Pro (build 19045) | Laptop (Lenovo 20EQS12M00) | `5d0bdfc0-cb58-496f-b9bd-d585eb643d85` | Win10 22H2 EOL. BitLocker off. Uptime 82 days. |
All agents GuruRMM v0.6.54.
---
## GuruRMM Onboarding
Onboarded 2026-06-02. Single site "Main".
| Field | Value |
|---|---|
| client_id | `f954f150-3605-4ef7-82e7-6b942883cb00` |
| site_id | `345e59d2-ca30-4b9c-b703-c19915b47753` |
| site_code | `LIGHT-WOLF-2305` |
| Installer page | `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` |
| MSI URL | `https://rmm.azcomputerguru.com/api/sites/345e59d2-ca30-4b9c-b703-c19915b47753/installer` |
| Vault | `clients/ucryo/gururmm-site-main.sops.yaml` (fields: client_id, site_id, site_code, api_key, installer_url, msi_url) |
---
## [WARNING] Security History — 2019 TrickBot Incident
**This section must be reviewed before any domain-level changes.**
### Background
In December 2019, TrickBot infected UC2-SERVER (the domain controller). A hidden SYSTEM scheduled task named "System Health Application" (boot trigger + every 12 minutes, RunLevel HighestAvailable) launched a module loader from the SYSTEM profile. The launcher EXE was already gone by the time of discovery; the task had been failing every run since with error `0x80070002` (FILE_NOT_FOUND). The TrickBot module folder remained intact under the SYSTEM profile:
`C:\Windows\system32\config\systemprofile\AppData\Roaming\syshealth\`
Modules present: `injectDll64`, `pwgrab64`, `psfin64`, `importDll64`, `tabDll64`, `mwormDll64`, `mshareDll64`, `networkDll64`, `NewBCtestnDll64`, plus `dinj`/`dpost`/`sinj` config files and `settings.ini`.
WIN-709JUVCJ2DQ was swept clean — no TrickBot artifacts found.
### Remediation (2026-06-02)
All cleanup was done read-only first, then gated on explicit client confirmation before any writes (DC-safety protocol):
1. Quarantined the module folder: `C:\Quarantine\syshealth-trickbot-20260602-170235\`
2. Deleted the scheduled task "System Health Application"
3. Removed the original folder `...syshealth\`
Quarantine copy is preserved at `C:\Quarantine\syshealth-trickbot-20260602-170235\` as an IR record.
No active C2 traffic was expected — the launcher had been gone for years and the task was failing continuously.
**No free Ryuk decryptor exists.** A reported "crypto" folder of encrypted data could not be located on either server; client concluded it was misremembered.
### [OPEN — CRITICAL] KRBTGT / Domain Credential Reset
**pwgrab64 (credential theft module) ran on a domain controller in 2019.** This means domain credentials, service account passwords, and the KRBTGT hash were potentially exposed at that time. Standard post-DC-compromise IR requires:
- Double-rotation of the KRBTGT password (with a DC replication interval between rotations)
- Reset of all domain user passwords and service account passwords
**Status: UNCONFIRMED.** Whether a post-incident credential/KRBTGT reset was performed in 2019 or afterward has not been verified with the client. Until confirmed, the residual risk is an unrotated KRBTGT on a domain that had a credential-theft module running with SYSTEM privileges on the DC.
**Action required:** Ask the client or review any 2019/2020 IT records. If the reset was never done, execute it during a scheduled maintenance window.
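The open item above has two parts: find out whether the krbtgt account was ever rotated after December 2019, and if not, perform the double rotation with a replication gap. The following PowerShell is an added example, not a script from the UCRYO session log or from any vendor; it assumes the ActiveDirectory RSAT module and Domain Admin rights on the DC. The domain name and the incident date come from this page; the function names, the 30-minute convergence timeout and the build of the runbook at the bottom are mine. The evidence step is the useful part for the "UNCONFIRMED" status: a krbtgt `PasswordLastSet` earlier than the incident is proof the reset was never done, with no need to rely on client memory.

```powershell
# Added example (not from the UCRYO wiki, the session log, or a vendor script):
# evidence check plus gated double rotation of the krbtgt account.
# Assumes the ActiveDirectory RSAT module and Domain Admin rights.
#Requires -Modules ActiveDirectory

$Domain       = 'ucryo.local'            # from the page
$IncidentDate = [datetime]'2019-12-01'   # TrickBot incident month, from the page

function Get-KrbtgtPasswordState {
    # Query every DC directly (not just the nearest one) so replication lag is visible per DC.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $u.PasswordLastSet }
    }
}

function Test-KrbtgtResetSinceIncident {
    # Answers the open item: every DC must show a PasswordLastSet later than the incident.
    $stale = Get-KrbtgtPasswordState | Where-Object { $_.PasswordLastSet -lt $IncidentDate }
    return ($null -eq $stale)
}

function Wait-KrbtgtReplicated {
    # Block until all DCs report the PasswordLastSet written on the PDC emulator.
    param([datetime]$Expected, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = Get-KrbtgtPasswordState | Where-Object { $_.PasswordLastSet -ne $Expected }
        if (-not $pending) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt change not converged on: $($pending.DC -join ', ')"
}

function Invoke-KrbtgtRotation {
    # AD derives the real Kerberos keys itself; the supplied value only has to be random.
    param([switch]$WhatIf)
    $pdc   = (Get-ADDomain -Identity $Domain).PDCEmulator
    $newPw = ConvertTo-SecureString -AsPlainText ([guid]::NewGuid().Guid) -Force
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $newPw -WhatIf:$WhatIf
    if (-not $WhatIf) {
        return (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    }
}

# Step 1 (read-only, safe to run now): collect the evidence and record it in the IR notes.
Get-KrbtgtPasswordState | Format-Table -AutoSize
if (Test-KrbtgtResetSinceIncident) {
    Write-Host 'krbtgt was rotated after the incident; record the dates and close the item.'
} else {
    Write-Warning 'krbtgt PasswordLastSet predates the incident: the 2019 reset was never done.'
}

# Steps 2-4 (maintenance window only), run as separate invocations:
#   $t1 = Invoke-KrbtgtRotation;  Wait-KrbtgtReplicated -Expected $t1
#   ... hold at least the maximum Kerberos ticket lifetime (default 10 h) so tickets
#       issued under the previous key expire normally before the second rotation ...
#   $t2 = Invoke-KrbtgtRotation;  Wait-KrbtgtReplicated -Expected $t2
# AD keeps only the current and previous krbtgt key, so it is the second rotation that
# finally drops the key that pwgrab64 could have captured. Domain user and service
# account resets follow after that.
```

On this domain there is a single DC, so the convergence check is immediate; the function is written for the general multi-DC case. Run the rotations with `-WhatIf` first to confirm the PDC emulator target.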
---
## Backup
### MSP360 "Ucryo Files" Plan (UC2-SERVER)
| Field | Value |
|---|---|
| Plan name | "Ucryo Files" |
| Plan ID | `5a44fc46-ca94-4095-a645-889eaf754389` |
| Account | richard@ucryo.com |
| Target | Backblaze B2 (api001.backblazeb2.com) |
| Vault | `msp-tools/msp360-api.sops.yaml` (shared MSP360 API creds) |
**Backblaze TLS failure — fixed 2026-06-02.**
UC2-SERVER (Windows Server 2012 R2) was failing TLS negotiation to Backblaze. Root cause: the 64-bit .NET TLS registry keys were unset, which on legacy OS (2012 R2 / Win7-8 era) prevents .NET from negotiating TLS 1.2. First secure-channel error logged 2025-10-15; escalated to hard-failing by 2026-06-02.
Fix applied to UC2-SERVER:
- `HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319`: `SchUseStrongCrypto=1`, `SystemDefaultTlsVersions=1` (DWORD)
- `HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319` — same two keys
- Restarted "Online Backup Service" and "Online Backup Service Remote Management"
Post-fix verification: `cbb plan -r "Ucryo Files"` returned "Plan is started"; zero secure-channel errors in 5-minute window; scanned 474.9 GB, uploaded 2.15 GB.
**Note:** This fix is legacy-OS-specific. Do NOT apply it fleet-wide — modern OS (Server 2016/2019/2022, Win10/11) already negotiates TLS 1.2 by default; the missing keys are benign on those platforms.
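Because the fix is only correct on legacy builds, a reusable version should refuse to run elsewhere and should report state before and after. The script below is an added example, not the commands actually typed during the session. The registry paths, value names and the 5-minute zero-error verification are taken from this page; the build-number gate (anything below build 10000 counts as legacy), the Schannel event query and the use of the quoted service display names to locate the MSP360 services are my assumptions.

```powershell
# Added example (not the session's own fix script): idempotent, OS-gated version of
# the UC2-SERVER .NET TLS 1.2 repair with before/after state and a Schannel check.

$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$Values   = @{ SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 }
# Display names as quoted in the wiki; assumed to resolve the MSP360 services.
$Services = @('Online Backup Service', 'Online Backup Service Remote Management')

function Get-DotNetTlsState {
    # One row per key/value; Value is $null when unset (the failing state on 2012 R2).
    foreach ($k in $Keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        foreach ($n in $Values.Keys) {
            [pscustomobject]@{ Key = $k; Name = $n; Value = $p.$n }
        }
    }
}

function Test-LegacyDotNetTlsHost {
    # Server 2012 R2 / 8.1 = 9600, 2012 / 8 = 9200, 2008 R2 / 7 = 7601 (assumed gate: < 10000).
    # Server 2016+ and Windows 10/11 negotiate TLS 1.2 by default and do not need the keys.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    return ($build -lt 10000)
}

function Set-DotNetTlsStrongCrypto {
    # Writes both the 64-bit and WOW6432Node keys, then restarts the backup services.
    param([switch]$Force)
    if (-not $Force -and -not (Test-LegacyDotNetTlsHost)) {
        Write-Warning 'Not a legacy build; these keys are unnecessary here. Use -Force to override.'
        return
    }
    foreach ($k in $Keys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        foreach ($n in $Values.Keys) {
            New-ItemProperty -Path $k -Name $n -Value $Values[$n] -PropertyType DWord -Force | Out-Null
        }
    }
    foreach ($name in $Services) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if ($svc) { Restart-Service -InputObject $svc -Force }
    }
}

function Get-RecentSchannelErrors {
    # Schannel logs TLS negotiation failures as Error-level events in the System log.
    param([int]$Minutes = 5)
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Schannel'; Level = 2
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue
}

# Before / apply / after, then the same 5-minute window check used for verification.
Get-DotNetTlsState | Format-Table -AutoSize
Set-DotNetTlsStrongCrypto
Get-DotNetTlsState | Format-Table -AutoSize
Start-Sleep -Seconds 300
"Schannel errors in last 5 min: $(@(Get-RecentSchannelErrors).Count)"
```

`Get-DotNetTlsState` on its own is a safe read-only check to add to the fleet diagnostic: on the two 2012 R2 hosts a `$null` value is the defect, on the Win10/11 workstations it is expected.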
WIN-709JUVCJ2DQ has Veeam installed. All four primary Veeam services (VeeamBackupSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamMountSvc) were stopped at baseline time. Confirm Veeam job status and why services are stopped. (verify)
---
## Diagnostic Baselines — 2026-06-02
Baselines collected UTC 2026-06-03T00:35 to 00:54 (sequential run after a parallel run caused agent interruptions under concurrent load). Raw JSON snapshots are immutable at `clients/ucryo/onboarding-baselines/`.
### Per-Host Summary
| Host | Grade | Criticals | Warnings | Standout Findings |
|---|---|---|---|---|
| UC2-SERVER | RED | 1 | 5 | CRITICAL: SMBv1 enabled (WannaCry/EternalBlue vector). Defender cmdlet unavailable (Server 2012 R2). RDP enabled. 3 stopped auto-start services (AD CS, IIS, ShellHWDetection). 36.5-day uptime, reboot pending. BitLocker unavailable (verify). 12 local admins. EOL OS (build 9600 not in map). |
| WIN-709JUVCJ2DQ | RED | 2 | 4 | CRITICAL: SMBv1 enabled. **CRITICAL: E: drive at 4.1% free (40.4 GB of 983.6 GB) — urgent.** Defender unavailable. RDP enabled. Veeam services stopped. Not domain-joined (WORKGROUP). 36.5-day uptime. EOL OS. |
| DESKTOP-PMML1JC | RED | 3 | 3 | CRITICAL: BitLocker off (laptop). CRITICAL: 3 disk errors in 14 days. CRITICAL: Domain secure channel broken. 2 pending patches. |
| KIRBY | RED | 2 | 4 | CRITICAL: **BitLocker OFF (laptop — highest data-at-rest risk).** CRITICAL: Win10 22H2 EOL (2025-10-14). 4 pending patches. RDP enabled. Reboot pending, 35-day uptime. |
| gromit | RED | 1 | 5 | CRITICAL: Win10 22H2 EOL. BitLocker off (desktop). 9 pending patches. RDP enabled. Group Policy Client stopped. |
| hobbes | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. Unexpected shutdown + disk error in 14 days. RDP enabled. |
| hoborg | RED | 3 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. **CRITICAL: Toshiba SSD SMART Warning (wear=100%) — replace immediately.** Dual AV (Defender + SentinelOne — possible conflict). RDP enabled. |
| lilo | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. 82-day uptime. RDP enabled. Group Policy Client + TPM Provisioning stopped. |
### Fleet-Wide Patterns
- All 8 hosts graded RED.
- SMBv1 enabled on both servers (WannaCry/EternalBlue vector — disable before enabling any internet-facing services).
- Win10 22H2 EOL on all 6 workstations (EOL 2025-10-14, no further security patches).
- BitLocker absent on all 5 laptops (KIRBY, DESKTOP-PMML1JC, hobbes, hoborg, lilo) and on the gromit desktop. Servers have BitLocker status UNKNOWN (cmdlet unavailable on 2012 R2).
- RDP enabled on all 8 hosts — confirm firewall restriction to internal/VPN only.
- No LAPS on servers. LAPS registry key present on workstations.
- No backup agent on any workstation.
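Each of the patterns above maps to one or two local checks, so re-verification after remediation can be scripted rather than re-read from the baseline JSON. The function below is an added example, not the GuruRMM diagnostic that produced the grades; it is read-only and intended to be run locally on each host (for example pushed as an RMM script). The build numbers and EOL date are from this page; the LAPS registry paths (`HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd` for legacy LAPS, `HKLM\SOFTWARE\Microsoft\Policies\LAPS` for Windows LAPS) and the 10% low-disk threshold are my assumptions.

```powershell
# Added example (not the GuruRMM agent's diagnostic): read-only posture check for the
# fleet-wide findings, one object per host. Run locally with admin rights.
function Get-FleetPosture {
    $os       = Get-CimInstance Win32_OperatingSystem
    $cs       = Get-CimInstance Win32_ComputerSystem
    $build    = [int]$os.BuildNumber
    $isServer = $os.ProductType -ne 1          # 1 = workstation, 2 = DC, 3 = member server

    # SMBv1 server-side state (cmdlet exists on 2012 R2 and later).
    $smb1 = try { (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { 'unknown' }

    # BitLocker on the OS volume; the cmdlet is absent on 2012 R2 without the feature installed.
    $bitlocker = try {
        (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus
    } catch { 'unavailable' }

    # RDP: fDenyTSConnections = 0 means enabled. Also list the remote scope of enabled RDP rules,
    # since "Any" here is the exposure to confirm against the VPN/internal-only expectation.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpScope = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } | Sort-Object -Unique

    # Secure channel only means something on a domain member (WIN-709JUVCJ2DQ is a workgroup host).
    $secureChannel = if ($cs.PartOfDomain) { Test-ComputerSecureChannel } else { 'n/a (workgroup)' }

    # LAPS: legacy AdmPwd policy key or Windows LAPS policy key (assumed paths).
    $laps = (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd') -or
            (Test-Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS')

    # Win10 22H2 = build 19045, EOL 2025-10-14; Server 2012 R2 = build 9600, already EOL.
    $eol = ($build -eq 19045 -and (Get-Date) -gt [datetime]'2025-10-14') -or ($build -eq 9600)

    # Fixed volumes under 10% free (the WIN-709JUVCJ2DQ E: condition).
    $lowDisk = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.Size -gt 0 -and ($_.FreeSpace / $_.Size) -lt 0.10 } |
        ForEach-Object { '{0} {1:P1} free' -f $_.DeviceID, ($_.FreeSpace / $_.Size) }

    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        Build           = $build
        IsServer        = $isServer
        DomainJoined    = $cs.PartOfDomain
        SMB1Enabled     = $smb1
        BitLocker       = $bitlocker
        RDPEnabled      = ($ts.fDenyTSConnections -eq 0)
        RDPRemoteScope  = ($rdpScope -join ', ')
        SecureChannelOK = $secureChannel
        LAPSConfigured  = $laps
        OSEndOfLife     = $eol
        LowDiskVolumes  = ($lowDisk -join '; ')
    }
}

Get-FleetPosture | Format-List
```

Expected results against the current baselines: both servers report `SMB1Enabled = True`, `BitLocker = unavailable` and `OSEndOfLife = True`; all six workstations report `OSEndOfLife = True` and `BitLocker = Off`; DESKTOP-PMML1JC reports `SecureChannelOK = False`; WIN-709JUVCJ2DQ lists `E:` under `LowDiskVolumes`. A clean re-run after the open items are worked should flip exactly those fields.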
---
## Open Items / Follow-ups
| Priority | Item | Notes |
|---|---|---|
| CRITICAL | Confirm 2019 KRBTGT/domain credential reset | pwgrab64 ran on the DC — if reset never done, this is the primary residual risk. |
| HIGH | hoborg SSD replacement | Toshiba SMART Warning, wear=100%. Data backup first. |
| HIGH | WIN-709JUVCJ2DQ E: drive space | 4.1% free (40.4 GB). Identify what is consuming the volume and free/expand. |
| HIGH | Disable SMBv1 on UC2-SERVER and WIN-709JUVCJ2DQ | WannaCry/EternalBlue vector. `Set-SmbServerConfiguration -EnableSMB1Protocol $false` + remove feature. |
| HIGH | BitLocker on all 5 laptops | KIRBY highest priority (domain-joined laptop, unencrypted, mobile). Escrow recovery keys. |
| HIGH | Win10 22H2 EOL on 6 workstations | Feature update or OS upgrade required (EOL 2025-10-14). |
| MEDIUM | DESKTOP-PMML1JC domain secure channel | Run `Test-ComputerSecureChannel -Repair` or rejoin. |
| MEDIUM | Veeam services stopped on WIN-709JUVCJ2DQ | VeeamBackupSvc/CatalogSvc/CloudSvc/MountSvc all stopped — confirm Veeam job health. |
| MEDIUM | RDP exposure review — all 8 hosts | Confirm RDP is restricted to VPN or specific source IPs; not exposed to internet. |
| MEDIUM | hoborg dual AV (Defender + SentinelOne) | Verify intended AV; remove one to prevent conflicts. |
| LOW | UC2-SERVER stopped services | AD CS, IIS Admin, ShellHWDetection stopped — review if these should be running. |
| LOW | LAPS not deployed on servers | Deploy Windows LAPS or legacy AdmPwd to UC2-SERVER and WIN-709JUVCJ2DQ. |
---
## Reference
### IDs and URLs
| Resource | Value |
|---|---|
| GuruRMM client_id | `f954f150-3605-4ef7-82e7-6b942883cb00` |
| GuruRMM site_id (Main) | `345e59d2-ca30-4b9c-b703-c19915b47753` |
| GuruRMM site_code | `LIGHT-WOLF-2305` |
| Installer page | `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` |
| MSP360 plan ID | `5a44fc46-ca94-4095-a645-889eaf754389` |
| MSP360 API base | `https://api.mspbackups.com` |
| ScreenConnect instance | `instance-kgc7jt-relay.screenconnect.com` (port 443) |
| ScreenConnect instance GUID | `s=9f3db089-eb29-441d-a9d2-2c441bde8c78` |
### Vault Paths
| Secret | Vault Path |
|---|---|
| GuruRMM enrollment key (site Main) | `clients/ucryo/gururmm-site-main.sops.yaml` |
| MSP360 API credentials | `msp-tools/msp360-api.sops.yaml` |
### Diagnostic Baseline Files
`clients/ucryo/onboarding-baselines/` — 8 immutable `.json` + `.md` pairs, timestamped 20260603T00xxxx UTC.
---
## Compilation Notes
**Session logs read:** `clients/ucryo/session-logs/2026-06-02-session.md` (onboarding session, primary source). All 8 diagnostic baseline files read in full.
**First wiki article for this client.** Onboarded 2026-06-02.
**Open items flagged as unverified (verify):**
- KRBTGT/domain credential reset — not confirmed with client; must verify
- Veeam job health on WIN-709JUVCJ2DQ — services stopped, backup status unknown
- Key contacts beyond richard@ucryo.com — not yet documented
## Backlinks
- [[projects/gururmm]] — 8 agents enrolled under site LIGHT-WOLF-2305