Sent from my iPhone

On Jan 11, 2018, at 12:06 PM, Colby Schwartz <Colby.Schwartz@logrhythm.com> wrote:

Hey Q,

Looks like we’re missing a download: Spectre – Sysmon Install Script.ps1

Can you send?

Thank you,

Colby

From: James Carder
Sent: Thursday, January 11, 2018 10:43 AM
To: Colby Schwartz <Colby.Schwartz@logrhythm.com>; Nathaniel Quist <Nathaniel.Quist@logrhythm.com>
Cc: Seth Goldhammer <seth.goldhammer@logrhythm.com>; Ryan Sommers <ryan.sommers@logrhythm.com>; Jessica Hayt <jessica.hayt@logrhythm.com>
Subject: Re: Spectre/Meltdown AI Rules && Install Script

Colby,

I believe Q is out of the office today. I think that he and Dan Kaiser worked on this together. You can attribute to both of them or LogRhythm Labs, IMO.

James Carder
CISO & VP, LogRhythm Labs
720.403.9038 (w) 646.275.7748 (m)
LogRhythm.com

From: Colby Schwartz <Colby.Schwartz@logrhythm.com>
Date: Thursday, January 11, 2018 at 8:12 AM
To: Nathaniel Quist <Nathaniel.Quist@logrhythm.com>
Cc: James Carder <James.Carder@logrhythm.com>, Seth Goldhammer <seth.goldhammer@logrhythm.com>, Ryan Sommers <ryan.sommers@logrhythm.com>, Jessica Hayt <jessica.hayt@logrhythm.com>
Subject: RE: Spectre/Meltdown AI Rules && Install Script

Thank you for the review Q. We’ll get that change made.

Who should we attribute the blog to? LogRhythm Labs or to you?

Thank you,

Colby

From: Nathaniel Quist
Sent: Thursday, January 11, 2018 8:11 AM
To: Colby Schwartz <Colby.Schwartz@logrhythm.com>
Cc: James Carder <James.Carder@logrhythm.com>; Seth Goldhammer <seth.goldhammer@logrhythm.com>; Ryan Sommers <ryan.sommers@logrhythm.com>; Jessica Hayt <jessica.hayt@logrhythm.com>
Subject: Re: Spectre/Meltdown AI Rules && Install Script

Thank you Colby!

The only comment I have is that in the first paragraph you say the script is a “SmartResponse PowerShell Script”. The script is not a SmartResponse Plugin; it is simply a PowerShell script. While making it an SRP could be on the road map, it was not part of our original planning for this operation and would take additional time to make that conversion.

Other than that, everything looks good!

Thanks for getting this prepped!!!

Q

Sent from my iPhone


On Jan 10, 2018, at 5:13 PM, Colby Schwartz <Colby.Schwartz@logrhythm.com> wrote:

+Jess Hayt

Hello Team,

Please find the most recent version of the blog attached. Can someone take a quick look at it to make sure our changes were appropriate? We’re trying to push this tomorrow so a review in the morning would be helpful.

Thank you,

Colby

From: James Carder
Sent: Wednesday, January 10, 2018 9:24 AM
To: Colby Schwartz <Colby.Schwartz@logrhythm.com>; Nathaniel Quist <Nathaniel.Quist@logrhythm.com>; Seth Goldhammer <seth.goldhammer@logrhythm.com>
Cc: Ryan Sommers <ryan.sommers@logrhythm.com>
Subject: Re: Spectre/Meltdown AI Rules && Install Script

I believe the blog is sufficient.

James Carder
CISO & VP, LogRhythm Labs
720.403.9038 (w) 646.275.7748 (m)
LogRhythm.com

From: Colby Schwartz <Colby.Schwartz@logrhythm.com>
Date: Wednesday, January 10, 2018 at 9:17 AM
To: Nathaniel Quist <Nathaniel.Quist@logrhythm.com>, Seth Goldhammer <seth.goldhammer@logrhythm.com>
Cc: James Carder <James.Carder@logrhythm.com>, Ryan Sommers <ryan.sommers@logrhythm.com>
Subject: RE: Spectre/Meltdown AI Rules && Install Script

Post received, we’ll start working on this today.

One question for the group, do we anticipate turning this into a fully designed report (ex. https://logrhythm.com/pdfs/threat-intelligence-reports/mamba-ransomware-analysis-threat-intelligence-report.pdf?kui=yb_iRhsIJP-2ZMy4fgMeuQ) or is the blog sufficient?

Thank you,

Colby

From: Nathaniel Quist
Sent: Tuesday, January 9, 2018 4:55 PM
To: Seth Goldhammer <seth.goldhammer@logrhythm.com>; Colby Schwartz <Colby.Schwartz@logrhythm.com>
Cc: James Carder <James.Carder@logrhythm.com>; Ryan Sommers <ryan.sommers@logrhythm.com>
Subject: Re: Spectre/Meltdown AI Rules && Install Script

Seth and Colby,

I have completed the write-up and have had our own internal editing session.

I am passing the post to you for review.

Attached you will find:

  • Specter-Meltdown Post_R2.docx
  • Spectre – Sysmon Install Script.ps1
  • AIEngineRule_Spectre-Registry_RIM.airx
  • AIEngineRule_Spectre-Registry_Sysmon.airx

Thanks,

Nathaniel Quist
Threat Intelligence Engineer
720.452.0541 (w)   303.419.5570 (m)
LogRhythm.com

/(bb|[^b]{2})/

From: Ryan Sommers <ryan.sommers@logrhythm.com>
Date: Tuesday, January 9, 2018 at 1:39 PM
To: James Carder <James.Carder@logrhythm.com>, Nathaniel Quist <Nathaniel.Quist@logrhythm.com>, Seth Goldhammer <seth.goldhammer@logrhythm.com>, Colby Schwartz <Colby.Schwartz@logrhythm.com>
Subject: Re: Spectre/Meltdown AI Rules && Install Script

Since this involves an install script, I would also like to have the install script sent around to the Threat Research (and Greg since he does so much) to have the PowerShell QA’ed as well as the grammar in the blog/post content.

R

Ryan Sommers
Manager, Threat Research
(720) 907-8315 (w)   (612) 743-0968 (m)
ryan.sommers@logrhythm.com
LogRhythm.com

From: James Carder <James.Carder@logrhythm.com>
Date: Tuesday, January 9, 2018 at 12:36
To: Nathaniel Quist <Nathaniel.Quist@logrhythm.com>, Seth Goldhammer <seth.goldhammer@logrhythm.com>, Colby Schwartz <Colby.Schwartz@logrhythm.com>
Cc: Ryan Sommers <ryan.sommers@logrhythm.com>
Subject: Re: Spectre/Meltdown AI Rules && Install Script

Seth,

I believe you are the only one that can add to that original post (based on what we experienced last week when I tried replying).

Q, if you’ve got something written up, I’d ask that you send that to this group to edit (unless Colby’s team can help) and then we get Seth to post. Another option would be to turn this into a blog post like we did for WannaCry and others, then Seth would only have to reference the blog in a reply on Community.

Thoughts?

James Carder
CISO & VP, LogRhythm Labs
720.403.9038 (w) 646.275.7748 (m)
LogRhythm.com

From: Nathaniel Quist <Nathaniel.Quist@logrhythm.com>
Date: Tuesday, January 9, 2018 at 12:10 PM
To: Seth Goldhammer <seth.goldhammer@logrhythm.com>, Colby Schwartz <Colby.Schwartz@logrhythm.com>
Cc: James Carder <James.Carder@logrhythm.com>, Ryan Sommers <ryan.sommers@logrhythm.com>
Subject: Spectre/Meltdown AI Rules && Install Script

Hello Gentlemen,

I have a question for both/either of you.

Labs already has a Community post based on Spectre (Thank you Seth for getting that uploaded). Now we have additional content we would like to add to that post, a couple AI rules and a PowerShell script.

How best can we go about getting an update to that post?

Then, thinking about the future, would it be possible to give posting/modification rights to Labs personnel to update those posts? Can we have that conversation?

Thank you,

Nathaniel Quist
Threat Intelligence Engineer
720.452.0541 (w)   303.419.5570 (m)
LogRhythm.com

/(bb|[^b]{2})/

<Spectre-Meltdown Post_R2-JDedits-CSedits.docx>