Looks like we’re missing a download: Spectre – Sysmon Install Script.ps1
Can you send?
I believe Q is out of the office today. I think that he and Dan Kaiser worked on this together. You can attribute to both of them or LogRhythm Labs, IMO.
Thank you for the review Q. We’ll get that change made.
Who should we attribute the blog to? LogRhythm Labs or to you?
Thank you Colby!
The only comment I have is that in the first paragraph you say the script is a “SmartResponse PowerShell Script”. The script is not a SmartResponse Plugin; it is simply a PowerShell script. While making it an SRP could be on the road map, it was not part of our original planning for this operation and would take additional time to make that conversion.
Other than that, everything looks good!
Thanks for getting this prepped!!!
On Jan 10, 2018, at 5:13 PM, Colby Schwartz <Colby.Schwartz@logrhythm.com> wrote:
Please find the most recent version of the blog attached. Can someone take a quick look at it to make sure our changes were appropriate? We’re trying to push this tomorrow so a review in the morning would be helpful.
I believe the blog is sufficient.
One question for the group: do we anticipate turning this into a fully designed report (e.g. https://logrhythm.com/pdfs/threat-intelligence-reports/mamba-ransomware-analysis-threat-intelligence-report.pdf?kui=yb_iRhsIJP-2ZMy4fgMeuQ), or is the blog sufficient?
Seth and Colby,
I have completed the write-up and have had our own internal editing session.
I am passing the post to you for review.
Attached you will find:
- Specter-Meltdown Post_R2.docx
- Spectre – Sysmon Install Script.ps1
Since this involves an install script, I would also like to have the install script sent around to the Threat Research (and Greg since he does so much) to have the PowerShell QA’ed as well as the grammar in the blog/post content.
Manager, Threat Research
I believe you are the only one that can add to that original post (based on what we experienced last week when I tried replying).
Q, if you’ve got something written up, I’d ask that you send that to this group to edit (unless Colby’s team can help) and then we get Seth to post. Another option would be to turn this into a blog post like we did for WannaCry and others, then Seth would only have to reference the blog in a reply on Community.
I have a question for both/either of you.
Labs already has a Community post based on Spectre (thank you, Seth, for getting that uploaded). Now we have additional content we would like to add to that post: a couple of AI rules and a PowerShell script.
How best can we go about getting an update to that post?
Then, thinking about the future, would it be possible to give posting/modification rights to Labs personnel to update those posts? Can we have that conversation?
Threat Intelligence Engineer