azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
baff14451d6900f46a179fcbfdbc82964e7fdde5
claudetools/wiki/clients/kittle-design.md
Mike Swanson f4fb131529 wiki: seed remaining clients and projects (batch 3) 
Adds 11 client articles and 5 project articles:

Clients: kittle, khalsa, anaise, azcomputerguru.com, bg-builders,
evs, furrier, horseshoe-management, kittle-design, scileppi-law,
western-tire

Projects: discord-bot, radio-show, msp-pricing, wrightstown-smarthome,
wrightstown-solar

Updates wiki/index.md with all new entries, cross-references, and
removes seeded client:birthbiologic from compilation queue.

Critical findings surfaced:
- Kittle: WS2025 EVAL license, no backups, 3 plaintext creds in Syncro
- Western Tire: SSL cert *.westerntire.com expires 2026-05-30
- Kittle Design: active compromise (Ken inbox rule unresolved)
- Horseshoe Mgmt: plaintext creds for 5+ users in Syncro notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 19:59:40 -07:00

119 lines
5.9 KiB
Markdown
Raw Blame History

---
type: client
name: kittle-design
display_name: Kittle Design & Construction
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/kittle-design/session-logs/2026-04-24-session.md
---
# Kittle Design & Construction
## Overview
- **Business type:** Design & construction firm
- **M365 tenant:** kittlearizona.com
- **Billing model:** Time and materials [unverified — one ticket observed]
- **Billing rate:** Unknown (Labor - Remote Business, product_id 1190473)
- **Contract status:** Unknown
- **Syncro ticket:** #32207
## Contacts
| Name | UPN | Notes |
|---|---|---|
| Alexis | alexis@kittlearizona.com | Confirmed compromise — hidden inbox rule, duplicate Authenticator, password reset issued |
| Ken | Ken@kittlearizona.com | Suspicious inbox rule "Admin" (Capital One/Bill.com) — status unconfirmed as of session end |
| Lori | Lori@kittlearizona.com | Two Authenticator entries (different Samsung models — likely phone upgrade) |
| Scott | scott@kittlearizona.com | Phone-only MFA, no Authenticator enrolled |
## Infrastructure
- **On-premises servers/workstations:** Not documented.
- **Entra P1/P2:** NOT licensed — sign-in logs and Identity Protection unavailable.
- Token cache location (local): `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`
## Network
*(not documented)*
## Cloud / M365
| Property | Value |
|---|---|
| Tenant domain | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Entra P1/P2 | No — sign-in logs unavailable |
| Exchange Admin role | Assigned to Security Investigator SP (manually) |
### Service Principals (Remediation Tool)
| App | SP Object ID | Role |
|---|---|---|
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | *(role not documented)* |
> [WARNING] Alexis's temp password `KittleGwiNUK#2026` was in the session log. This is a force-change-on-login temp password issued 2026-04-23 — it should already be changed. Do not use. Store any active credentials in vault only.
### Alexis — Compromise Details
- **Hidden inbox rule "."** — was routing Howmet-related emails to Conversation History folder. Deleted.
- **Emails recovered** (moved back to inbox, HTTP 201):
- "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
- "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
- "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)
- **Duplicate Authenticator entries** — two entries, same device name "iPhone 12 Pro Max" but different app versions. Suspicious entry ID: `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40). Pending removal after confirmation from Alexis.
- **Sessions revoked** — revokeSignInSessions returned true.
- **Password reset** — temp password issued, force-change enforced.
- **User object ID:** `74a1eae1-c0dd-4544-a98f-3a18f809785a`
- **Exchange identity:** `alexis\2866869517449953281`
### OAuth Consents Revoked
**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted):
- Had Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes — extremely broad.
**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth — 1 grant deleted):
- IMAP.AccessAsUser.All, openid, offline_access — consented by unknown user.
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove suspicious entry `c927402a` | Mike |
| P1 | Ask Ken: does he recognize the "Admin" inbox rule (Capital One, Bill.com, @flystucson.com)? If no → escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions) | Mike |
| P2 | Verify Alexis received temp password `KittleGwiNUK#2026` and has changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (currently phone-only MFA) | Mike |
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business, product_id 1190473) | Mike |
## Key Events / History
### 2026-04-23/24 — Full M365 breach check and remediation
Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`
- Onboarded Exchange Operator and Tenant Admin apps (consent + role assignment).
- Exchange Administrator role was NOT assigned to Security Investigator at time of initial breach check — assigned manually during remediation. SMTP forwarding check was therefore incomplete during the breach check phase.
- Two high-severity findings: Alexis's hidden inbox rule and duplicate Authenticator.
- One unresolved finding: Ken's "Admin" rule — awaiting his response.
- Seven OAuth grants deleted from the AllPrincipals consent (c5df10ae) — very broad scopes including Directory.ReadWrite.All.
## Anti-Patterns / Warnings
- [WARNING] Ken's inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) is unresolved. If Ken cannot explain it, treat as active compromise: password reset, session revocation, rule deletion, check financial accounts immediately.
- [WARNING] SMTP forwarding check was NOT completed — Exchange Admin role was missing on Security Investigator during initial sweep. Re-run SMTP forwarding check on all mailboxes.
- [WARNING] Kittle has NO Entra P1/P2 — sign-in log queries and Identity Protection risky user signals are unavailable. Rely on Exchange audit logs and consent audits only.
- Do not use the AllPrincipals consent app ID c5df10ae for anything — it was a malicious/overbroad app and all its grants have been revoked.
## Backlinks
- *(no related wiki articles yet)*
Reference in New Issue View Git Blame Copy Permalink