claudetools/clients/barbaragrygutis/session-logs/2026-05-29-session.md
Mike Swanson 36fd44a8c8 sync: auto-sync from GURU-BEAST-ROG at 2026-05-29 16:40:02
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-05-29 16:40:02
2026-05-29 16:40:12 -07:00


User

  • User: Mike Swanson (mike)
  • Machine: GURU-BEAST-ROG
  • Role: admin

Session Summary

Mike requested an account status check for barbara@barbaragrygutis.com, initially assuming the account lived on Neptune Exchange / ACG-DC16. RMM agents on both servers were queried via GuruRMM (both online, site: DF Server Storage). Neither returned any AD user or Exchange mailbox — the account did not exist on ACG infrastructure. A disconnected mailbox search on Neptune also returned nothing.

MX record lookup revealed the domain points to Microsoft 365 (barbaragrygutis-com.mail.protection.outlook.com), not Neptune. The tenant had not yet been onboarded to the ComputerGuru MSP app suite. Mike directed generating a Tenant Admin consent URL, which was sent to Barbara's Global Admin. After she consented, onboard-tenant.sh was run twice — the first pass created all SPs and assigned all directory roles but hit Graph replication lag on some appRoleAssignments; the second pass cleaned up all remaining permission gaps cleanly. All 5 apps are now fully onboarded (Defender skipped — no MDE license).

With the tenant onboarded, the Security Investigator app was used to pull Barbara's account status and sign-in logs. The account is enabled, cloud-only, with a password unchanged since December 2021. Sign-in logs revealed an active credential spray attack: 100+ blocked attempts over May 27-29 from Tor exit nodes, Linode VPS infrastructure, Hurricane Electric tunnels, and European proxy nodes — all blocked by Microsoft malicious IP detection (error 50053). Zero successful sign-ins were found in the 30-day log window. No mail forwarding and no inbox rules were identified. Critically, the tenant has no Conditional Access policies at all.

MFA detail check showed one registered device: Microsoft Authenticator on an iPhone 13 Pro Max (app version 6.8.1, SoftwareTokenActivated). No backup phone number registered. The createdDateTime field on the Authenticator registration was null, so the registration date cannot be confirmed. Mike elected not to take remediation action at this time.

A wiki article was created at wiki/clients/barbaragrygutis.md and a Syncro ticket (#32349) was opened under Barbara Grygutis Sculpture LLC (customer ID 133348) documenting the findings and pending remediation steps.


Key Decisions

  • Used RMM agents on ACG-DC16 and NEPTUNE (both enrolled in GuruRMM, site: DF Server Storage) rather than WinRM after WinRM timed out on both external and internal IPs for Neptune.
  • Onboarded the tenant before querying account status — the Security Investigator app required consent to pull sign-in logs and auth methods.
  • Re-ran onboard-tenant.sh a second time to backfill 4 appRoleAssignments that failed on first pass due to Graph SP replication delay (5-second sleep insufficient for a fresh tenant).
  • No remediation taken (password reset, session revocation, CA policies) per Mike's direction — ticket opened for follow-up instead.
  • Tenant added to tenant-consent.html consent dashboard and immediately marked done after successful onboarding.
  • Session log placed under clients/barbaragrygutis/ (new client directory) to match wiki slug structure.

Problems Encountered

  • WinRM timeout on Neptune: Both external (67.206.163.124) and internal (172.16.3.11) IPs timed out on port 5985. Resolved by switching to GuruRMM RMM agents on both machines.
  • pywinrm not installed: Module not found on system Python and discord-bot venv. Installed via py -m pip install pywinrm — moot once RMM approach was used.
  • Graph replication lag on first onboard-tenant.sh run: 4 appRoleAssignment grants failed with "Resource does not exist" immediately after SP creation. Resolved by re-running the script after a short interval; all grants succeeded on the second pass (idempotent).
  • Empty jq output on initial sign-in queries: Filter queries using $filter=userId eq '...' returned empty output due to a shell variable interpolation issue in the heredoc. Resolved by switching to URL-encoded query strings placed in the curl URL directly.
  • Sign-in log query initially returned no results: First attempts at querying auditLogs/signIns returned empty — turned out to be a jq parse failure (control characters in response). Resolved by switching to curl -w "\nHTTP:%{http_code}" and processing raw JSON directly.
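The replication-lag retry that the second onboard-tenant.sh pass worked around, as an added Python illustration (not the project's script; the `grant` callable and `fake_graph` simulation stand in for the Graph appRoleAssignment POST and are assumptions):

```python
"""Retry an appRoleAssignment grant until a freshly created service principal has
replicated. Added example, not onboard-tenant.sh; `grant` stands in for the Graph
POST (an assumption) so the logic runs offline."""
import time
from typing import Callable


class GraphError(Exception):
    """Minimal stand-in for a Graph error body: {"error": {"code": ..., "message": ...}}."""

    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.code = code


def grant_with_backoff(grant: Callable[[], dict], attempts: int = 6,
                       base_delay: float = 2.0, sleep=time.sleep) -> dict:
    """Call grant(); on Request_ResourceNotFound, wait with exponential backoff and retry.

    A fixed 5-second sleep is only a guess at replication time and a fresh tenant may
    need longer, so back off up to `attempts` times. Any other Graph error surfaces at once.
    """
    delay = base_delay
    for n in range(1, attempts + 1):
        try:
            return grant()
        except GraphError as err:
            if err.code != "Request_ResourceNotFound" or n == attempts:
                raise
            sleep(delay)
            delay = min(delay * 2, 60.0)
    raise AssertionError("unreachable")


def fake_graph(not_visible_for: int) -> Callable[[], dict]:
    """Constructed simulation: the new SP is invisible to the directory for the first N calls."""
    calls = {"n": 0}

    def grant() -> dict:
        calls["n"] += 1
        if calls["n"] <= not_visible_for:
            raise GraphError("Request_ResourceNotFound", "Resource does not exist")
        return {"id": "constructed-assignment-id", "attempts": calls["n"]}

    return grant


if __name__ == "__main__":
    result = grant_with_backoff(fake_graph(3), sleep=lambda _s: None)
    print(f"granted after {result['attempts']} attempts")
```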

Configuration Changes

  • Created: wiki/clients/barbaragrygutis.md — new client wiki article
  • Modified: .claude/skills/remediation-tool/references/tenant-consent.html — added Barbara Grygutis entry, status set to done
  • Created: clients/barbaragrygutis/session-logs/2026-05-29-session.md — this file

Credentials & Secrets

No new credentials created. Vault paths accessed:

  • infrastructure/gururmm-server.sops.yaml — GuruRMM API credentials (for RMM agent dispatch)
  • clients/dataforth/neptune-exchange.sops.yaml — Neptune Exchange credentials (attempted WinRM, unused)

MSP app credentials used (read from vault at token acquisition time):

  • msp-tools/computerguru-security-investigator.sops.yaml
  • msp-tools/computerguru-tenant-admin.sops.yaml

Infrastructure & Servers

| Host | Role | Notes |
|------|------|-------|
| NEPTUNE | Exchange Server 2016 | ACG-hosted, site: DF Server Storage. GuruRMM agent enrolled. WinRM not accessible externally or on 172.16.3.11 |
| ACG-DC16 | Windows DC | ACG domain controller, site: DF Server Storage. GuruRMM agent enrolled. No AD account found for barbara@ |
| barbaragrygutis.com | M365 Tenant | Tenant ID: 25998ddc-49e6-4234-9396-6c152ce4ea69. MX: barbaragrygutis-com.mail.protection.outlook.com |

Commands & Outputs

# MX check
nslookup -type=MX barbaragrygutis.com 8.8.8.8
# Result: barbaragrygutis-com.mail.protection.outlook.com (M365)

# Tenant ID resolution
bash .claude/skills/remediation-tool/scripts/resolve-tenant.sh barbaragrygutis.com
# Result: 25998ddc-49e6-4234-9396-6c152ce4ea69

# Onboarding (run twice — second pass clean)
bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh barbaragrygutis.com
# Result: [SUCCESS] Onboarding complete

# RMM commands dispatched:
# - ACG-DC16: Get-ADUser search by mail + UPN → no user found
# - NEPTUNE: Get-Mailbox + Get-Recipient wildcard search → no mailbox found
# - NEPTUNE: Get-MailboxStatistics disconnected mailboxes → zero disconnected mailboxes

Sign-in attack summary (from Graph API):

  • 100 attempts in 30-day window, earliest 2026-05-27T15:15:28Z, latest 2026-05-29T17:41:50Z
  • All errorCode 50053 (blocked: malicious IP)
  • 100 unique IPs across Tor, Linode, Hurricane Electric, Limestone Networks, European proxy ranges
  • Apps: Microsoft Azure CLI, Microsoft Online Services, OfficeHome, One Outlook Web
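The query-encoding and control-character problems noted under Problems Encountered, together with the roll-up above, as an added Python example (not the session's own curl/jq commands; the URL and record fields follow the public auditLogs/signIns shape, and the sample records are constructed):

```python
"""Graph sign-in query builder plus a summary of the raw response. Added example,
not the session's curl/jq commands; the sample records at the bottom are constructed."""
import json
from collections import Counter
from urllib.parse import quote, urlencode

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"

def signins_url(user_id: str, top: int = 100) -> str:
    # urlencode escapes the quotes and spaces of the OData filter itself, so the
    # query never passes through shell interpolation inside a heredoc.
    params = {"$filter": f"userId eq '{user_id}'", "$top": top}
    return GRAPH_SIGNINS + "?" + urlencode(params, quote_via=quote)

def strict_parse_fails(raw: str) -> bool:
    # True when raw control characters in the body make a strict JSON parser reject it.
    try:
        json.loads(raw)
        return False
    except json.JSONDecodeError:
        return True

def parse_graph_json(raw: str) -> dict:
    # strict=False tolerates those control characters (what broke jq on the first queries).
    return json.loads(raw, strict=False)

def summarize(signins: list) -> dict:
    # Roll Graph signIn records up into the fields the session log reports.
    times = sorted(s["createdDateTime"] for s in signins)
    by_code = dict(Counter(s["status"]["errorCode"] for s in signins))
    return {
        "attempts": len(signins),
        "earliest": times[0] if times else None,
        "latest": times[-1] if times else None,
        "successes": by_code.get(0, 0),  # errorCode 0 marks a successful sign-in
        "error_codes": by_code,
        "unique_ips": len({s["ipAddress"] for s in signins}),
        "apps": sorted({s["appDisplayName"] for s in signins}),
    }

# Constructed sample: three blocked attempts (50053); the last record carries a raw tab.
SAMPLE_RAW = (
    '{"value":['
    '{"createdDateTime":"2026-05-27T15:15:28Z","ipAddress":"198.51.100.10",'
    '"appDisplayName":"OfficeHome","status":{"errorCode":50053}},'
    '{"createdDateTime":"2026-05-28T03:02:11Z","ipAddress":"203.0.113.7",'
    '"appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50053}},'
    '{"createdDateTime":"2026-05-29T17:41:50Z","ipAddress":"198.51.100.10",'
    '"appDisplayName":"One Outlook Web","userAgent":"Mozilla/5.0\t(X11)",'
    '"status":{"errorCode":50053}}]}'
)
```

A successes count above zero, or any errorCode other than 50053, is the signal that would change the "no remediation yet" decision recorded in this log.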

Pending / Incomplete Tasks

  • Confirm Barbara still controls the iPhone 13 Pro Max with Authenticator registered on account
  • Force password reset (password is 4.5 years old and account is under active attack)
  • Deploy CA policy: Require MFA for all users
  • Deploy CA policy: Block legacy authentication
  • Consider geo-restriction CA policy (all legitimate use expected to be US)
  • Investigate auto-reply status — currently active/scheduled, may confirm account liveness to attackers
  • Investigate Syncro duplicate: customer ID 641406 (grygutisstudios@dokotacom.net) — possible secondary contact or stale record

Update: 16:40 PT — Security Defaults check

Checked identitySecurityDefaultsEnforcementPolicy on the barbaragrygutis.com tenant.

Security Defaults: ENABLED

Baseline protections active: MFA enforced for all users (14-day grace on new sign-ins), legacy authentication blocked, privileged action protection. This explains why the credential spray is being blocked at the Microsoft layer. Security Defaults and custom CA policies are mutually exclusive — if granular CA is added in future, Security Defaults must be disabled first and replaced with equivalent policies.

Decision: leave account untouched until Barbara confirms she still has the iPhone 13 Pro Max with Authenticator registered. Security Defaults provide adequate baseline protection in the interim.


Reference Information

  • Syncro ticket: #32349 — https://computerguru.syncromsp.com/tickets/111566564
  • Syncro customer: Barbara Grygutis Sculpture LLC — ID 133348
  • M365 tenant ID: 25998ddc-49e6-4234-9396-6c152ce4ea69
  • Barbara's user object ID (Entra): 11b4966e-1e5d-47f4-ad27-57d4713fab61
  • MFA device: Authenticator ID 8f0e1723-18f6-40d4-8cc1-c4795840bba9 (iPhone 13 Pro Max)
  • Consent dashboard: .claude/skills/remediation-tool/references/tenant-consent.html
  • Wiki article: wiki/clients/barbaragrygutis.md
  • GuruRMM commands dispatched:
    • ACG-DC16 cmd: f1ebd858-1186-4317-ac78-62696067047b
    • NEPTUNE mailbox cmd: a60781c7-cdc2-42a9-9c4b-370f9cc9f015
    • NEPTUNE disconnected cmd: 3d997d11-a288-413a-ac14-c89091de2b4a