Wednesday, December 18, 2013

Cyber Threat Protection for Executives to be Included in 2014 Business Plans

Most high profile executives can be easier targets as they are usually absent from routine security training which now exists in most firms. Over 80% of breaches or threats result from common sense security protocols not being implemented by the executive or his/her immediate staff.

These can include:
  • Not doing routine upgrades on personal machines
  • Accepting or using random memory drives
  • Not having apps verified by IT/security departments before installing on phones, tablets or computers
  • Leaving an office unlocked or making it accessible
  • Taking sensitive work home
  • Using generic email addresses (gmail, hotmail etc) for work
  • Not having the latest anti-virus or internet security software installed
  • Giving low level IT staff access to Super Admin on company servers
  • Not having a security filter installed on company emails
  • Lack of proactive cyber scanning for threat chatter or discussion relating to the executive
  • Using unverified cloud backup services
  • Not using a shredder (old school trash digging is still done by serious adversaries)
  • Using public wifi
  • Never changing passwords or using passwords which are weak
  • Not doing due diligence on vendors and giving them access
  • Randomly clicking links on “alarming emails” or alerts (designed to make you click)
(This is by no means a complete list)

Wednesday, October 16, 2013

Things You Should Never Assume When it Comes to Network Security

Things You Should Never Assume When it Comes to Network Security

  • The security systems we have are good enough.
  • Our security architecture is so complex no attacker will be able to get into our network.
  • We only REALLY need to worry about inbound firewall policies. The danger is out there! (not in the network).
  • We're up to date on patching our vulnerabilities so we are in the clear.
  • The firewall configuration is secure because it’s managed by an outside firm.
  • If no one is screaming about an outage or a virus then everything is hunky dory.
  • Network operations and application owners understand security.
  • Security is more important than business operations.
  • The security processes we have are good enough – they are written down on paper.
  • Employees will follow most if not all of the security policies.
  • It’s much more secure if we virtualize it.

Thursday, August 29, 2013

17 Security Related Phrases We Are Sick of Hearing...




  1. “What is the key to our wireless again?”
  2. “I downloaded something and now my computer is acting all weird”
  3. “Why do I need to use the VPN all the time?”
  4. “How come I have to apply updates all the time?”
  5. “At home I run macs because they don’t get viruses and malware”
  6. “Hey, can you teach me how to hack?”
  7. “Is there any way to get around me having to type my password over and over again?”
  8. “I clicked on it because it totally looked like it was from my bank”
  9. ”Should I get my CISSP?”
  10. “Is it safe to click on this self-signed cert?”
  11. “I have no idea how that pornography got on my computer?”
  12.  “The webpage said that this cloud services was 100% secure?”
  13. “I locked myself out of my account again, can you reset it?”
  14.  “I think I may have just lost a bunch of important files, what do I do?”
  15. “Can I get root access on this server?”
  16. “We will get back to you on those security-related changes you recommend”


Wednesday, May 15, 2013

3 Big Mistakes In Incident Responce - Must Read

http://www.securityorb.com/2013/05/3-big-mistakes-incident-response/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityorbcom+%28SecurityOrb.com%29#utm_source=feed&utm_medium=feed&utm_campaign=feed?utm_source=rss&utm_medium=rss&utm_campaign=3-big-mistakes-incident-response

Saturday, April 20, 2013

8 tips for a security incident handling plan



8 tips for a security incident handling plan

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response

1.    Have an incident response plan. It is, of course, the most obvious advice, however you would be amazed at the number of organisations that "haven't quite got around to it yet".
It doesn't need to be 400 pages long (nor should it be half a page most likely) but documenting your incident response plan and distributing it up front can make a massive difference when the inevitable occurs.
2.    Pre-define your incident response team and make sure it draws from multiple disciplines. A good incident response team should not just consist of IT or security people (though they undoubtedly need to be a strong core), but should also include PR, HR, Legal and executives to name just a few.

Team people. Image from Shutterstock 

For instance, not involving the PR team could result in external communications that are more damaging than the breach in the first place.
Make sure each member of the team is briefed on their involvement and expectations. Watch that list of team members, however. It gets old quickly as people leave, go on vacation or just forget what they signed up for.
3.    Define your approach: watch and learn or contain and recover. We have seen great examples of this in the news recently. When an incident occurs and is verified - for instance a hacker compromising one of your web servers - you need to make the call on whether to recover as quickly as possible or to watch the attacker and learn.
You need to make this policy decision upfront because it requires good preparation, executive support and a skilled team to manage the risk. Most organisations will (and should) focus on containing the damage and recovering business systems.
Detailed forensics and observing the attackers is often too great a business expense for many firms, but don't give up entirely on capturing evidence - you never know when you may need it later.
If you are a target likely to come under persistent long term attacks from adversaries (perhaps a nation state, a competitor or a hacking gang that you have riled somehow) learning more about your adversary to help build future defences can make a lot of sense.
You should not venture down this path unless you have the resources (people, duplicate systems, network infrastructure for suitable containment) to execute it successfully and it absolutely requires executive buy-in or you will find yourself out of a job very quickly if it goes wrong.
Make this decision up front, discuss the risk attitude of the business and alter your incident response process appropriately. Of course, you won't watch and learn on every attack, so identify the two paths and when you will use them.
4.    Pre-distribute call cards. Another common mistake is to depend upon your normal communication infrastructure in the event of an incident.
Imagine that the LAN stops working, no-one knows anyone else's number and email doesn't work. It will be pretty tough to handle an incident in that situation.
Decide up front communication methods, choose a call bridge or similar and then distribute details to each of the stakeholders.
5.    Forensic and incident response data capture. This goes wrong a lot. During and after security incidents, pressure can be high and there is a tendency to rush, which - of course - means mistakes are made.

Magnifying glass on files. Image from Shutterstock
You need to ensure that you have comprehensively captured the right data and logs without taking up hours you don't have - it's not a trivial balance.
In particular, define how you will capture notes (I like a lined, dated paper notebook which is easy for courts to get their heads around) and evidence.
Do you run Volatility to capture memory? Do you power off the machine and take an image of the disk to capture as much as you can before the attack shuts down? Decide in which instances you will follow each path and build a toolkit ready to go.
6.    Get your users on-side. Incident response is not just an 'IT thing'. Make sure your incident response links up with your organisation's acceptable use policy and security awareness program.
You want your users to know how to tell you if they think an incident is occurring. In particular, system administrators, application owners and data owners should know how to contact you if they spot something unusual. The incident response process can then be spun up (or spun down if it's a false alarm) quickly. Don't just write the policy and leave it on the intranet somewhere.
7.    Know how to report crimes and engage law enforcement. Certain types of incident may require you to report to law enforcement but often when such an opportunity arises no-one knows exactly how to do it.
From having your web server hacked to the theft of credit card details or IP it pays to understand the process and requirements in advance. Check out Naked Security's quick guides on reporting computer crimes and find out who your representative is before you need them.
8.    Practice makes perfect. The process can be documented but when it comes time to use it the bridge is enabled and no one connects or knows what to do. Stage an incident and have your team dial in and work through the mock scenario.

Wednesday, April 10, 2013

Industrial Control System Standard of Practice


Industrial Control System Standard of Practice


All.Net presents our standards of practice decision framework for securing industrial control systems. These decisions provide an overarching basis and many specifics surrounding what we currently view as a reasonable and prudent approach to addressing information protection for industrial control systems. While there may be many other approaches that might also meet the need, we hope that these will provide guidance and discussion within the community, and we use them as a starting point in our practice to help guide consistent quality and performance within our own team and in customer engagements.

This content is part of a process used by our affiliated companies as developed over many years. We identify these issues, characterize the environment, and apply these decision points by interacting with clients and applying our expertise to help form overall architecture and its component parts. Typically, decisions are reviewed both internally and externally in an iterative fashion so that as we discover things that require changes, those changes ripple through the overall standard to keep it up to date and relevant.

In many cases, this standard of practice is used starting with an as-is review, identifying a desired future state, doing what, by then, is a relatively straight forward gap analysis, and then characterizing a workable transition plan for the organization. In our more agile approach, we undertake only an initial and periodic as-is and future state analysis, understanding that the reduced time and cost in assessment leads to more resources available for acting on the results, and that planning is less certain and less permanent when we are moving at a faster pace.

Tuesday, April 9, 2013

A peek inside the ‘Zerokit/0kit/ring0 bundle’ bootkit




Features: 
- Start of *.exe, *.dll (*.dll is in a pre-alpha stage) and shellcodes in a context of the chosen process. 
- Start of files from a disk and from the memory* (start from memory is in a pre-alpha stage). 
- Start of files with specified privileges: CurrentUser and NT SYSTEM/AUTHORITY. 
- Granting the protected storehouse** for off-site (your) ring3-solutions for permanent existence in the system without need of crypt. 
- Survivability of the bundle, down to a reinstallation of the system. 
- All the components are stored outside of a file system and are invisible to OS. 
- Intuitively clear interface of admin-panel. 
- Protection against the abstraction of Admin Panel. 
- Impossibility of detection of the bundle in the working system by any of known AV/rootkit scanner, owing to the use of author’s technologies of concealment. The unique opportunity of detection exists only at loading with livecd or scanning of a disk from the other computer. Thus the opportunity of detection is also extremely improbable, as own algorithms of a mutation are used.
* Start of a file from the memory allows to bypass all modern proactive protection and AV-scanners, that is, there is no necessity to crypt a file. 
** Protected storehouse is the original ciphered file system in which the certain quantity of files which will be started from the memory at each start of the OS can be stored.


The bundle consists of: 
- Bootkit. It is responsible for the start of the basic modules at a stage of loading of OS. 
- Driver. It is responsible for all infrastructure and implements componential business-logic on the basis of so-called mod (functional unit). That is, the driver is not a legacy driver (monolithic), and consists of the set of mods that allows to operate the bundle with maximum of flexibility, and to protect (hard to reverse), update and expand it. 
- Dropper. At the current moment it brake out all machines with the patches till January, 8th, 2011, except for XP x32/x64 where reloading is initiated. If the systems distinct from XP have latest updates reloading is initiated as well. 
- User friendly Admin Panel.
Also I will give support to clients within the subscription fee. I provide them with: 
- Development of new functionality and 
- Development of new exploits for the dropper. 
- Perfection of algorithms of concealment and penetration of the system.
High scalability of zerokit allow to develop additional mods and to complicate business-logic of all infrastructure.
Zer0kit have flexible update subsystem and can live in system as long as possible. Also zerokit has considered and provable logic to prevent the lost of bots.
Supported OSes: 
– Windows XP SP1-SP3 (x32, x64) 
– Windows Vista SP1-SP2 (x32, x64) 
– Windows 7 SP0-SP1 (x32, x64)


Tuesday, March 26, 2013

SIEM- Used Cases

I was trying to creates a list of used cases to be deployed across any type of SIEM in any line of business- 
Below is a brief list..... Let me know your inputs. 


Wednesday, March 20, 2013

Mandiant APT1 Report Appendix F Update: SSL Certificate Hashes

Mandiant APT1 Report Appendix F Update: SSL Certificate Hashes:
The following are MD5 and SHA1 hashes for the DER encoded SSL certificates released in Appendix  F of the recent Mandiant APT1 report. We are releasing these to aid network detection of APT1 SSL-encrypted malware traffic.

SIGNATURES MD5 SHA1
ALPHA 6b4475ce9f9c5c4b9d2e7edc8bdbf849 b054e26ef827fbbf5829f84a9bdbb697a5b042fc
AOL 9588bf142248bb8ddda05567f159b1a7 7bc0cc2cf7c3a996c32dbe7e938993f7087105b4
AOL 455f8979143415b9eed0e0d6fc153c1c 7855c132af1390413d4e4ff4ead321f8802d8243
AOL 80c982508b78d4b5bf1d64a181d477f9 f3e3c590d7126bd227733e9d8313d2575c421243
AOL 98153da6e11ee7c6132345ac8b716679 d4d4e896ce7d73b573f0a0006080a246aec61fe7
AOL 8d9ef1704857fcefc6f476abc3690597 bcdf4809c1886ac95478bbafde246d0603934298
AOL 3d3d57b3c4ceea9985f4e00daef40239 6b4855df8afc8d57a671fe5ed628f6d88852a922
AOL 62e1450f0ce0d80d1148ca25d805537b d50fdc82c328319ac60f256d3119b8708cd5717b
AOL 428584cbf6c150f794e1eb505f0ae03c 70b48d5177eebe9c762e9a37ecabebfd10e1b7e9
AOL d50189fd73a18bd9af3b5a7208c3a353 3a6a299b764500ce1b6e58a32a257139d61a3543
AOL 2dece470908e49b7dfc067a7371b0f83 bf4f90e0029b2263af1141963ddf2a0c71a6b5fb
AOL 039d81836dfb02f5299a7053f8908207 b21139583dec0dae344cca530690ec1f344acc79
EMAIL 0189e307c3abe5dd56937eeb06badaea    21971ffef58baf6f638df2f7e2cceb4c58b173c8
IBM 22da947f2df649c802ed496b2ccf4bc1 04ecff66973c92a1c348666d5a4738557cce0cfc
IBM 38e7c187b6dbbc329ad70d23c92f51ef f97d1a703aec44d0f53a3a294e33acda43a49de1
IBM e179aa7e3e1a3dbb3f56ee9ecc1b23a8 c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe
LAME 773ec2b9047beb82497e499c1be2c2fd 1b27a897cda019da2c3a6dc838761871e8bf5b5d
MOON-NIGHT 2d3c66e46930fe1d959f28c8a45f0282 d515996e8696612dc78fc6db39006466fc6550df
NONAME 0ef1386ec78e966beb4e6a199ca5abf0 8f79315659e59c79f1301ef4aee67b18ae2d9f1c
NS 9619fa9d77e7e1daddf677085ed6e27e a57a84975e31e376e3512da7b05ad06ef6441f53
SERVER (PEM) 249d75f0d70818204f9130be59c95cad b3db37a0edde97b3c3c15da5f2d81d27af82f583
SUR 71cdf4068e9ea76c853bec4701700da6 6d8f1454f6392361fb2464b744d4fc09eee5fcfd
VIRTUALLYTHERE    bc1fc00b050d812eac595e802b363fa7 b66e230f404b2cc1c033ccacda5d0a14b74a2752
WEBMAIL cc9893cdc79c15127ff52ee0ee85a771 4acbadb86a91834493dde276736cdf8f7ef5d497
YAHOO 596f3e7660e0a5bd79c33f7a50c17565 86a48093d9b577955c4c9bd19e30536aae5543d4

Wednesday, February 20, 2013

Exposing One of China's Cyber Espionage Units


Analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. The scale and impact of APT1's operations compelled us to write this report. In an attempt to bolster defenses against APT1 operations Mandiant is also releasing more than 3,000 indicators as part of the appendix to this report, which can be used with our free tools and our commercial products to search for signs of APT attack activity.
Highlights of the report include:
·         APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
·         APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations.
·         APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
·         APT1 maintains an extensive infrastructure of computer systems around the world.
·         In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
·         The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
·         In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
·         Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.


Mandiant_APT1_Report.pdf
MD5: 936FEB234F60CFBF6916BA61FBAB2781
SHA-1: 3974687624EB85CDCF1FC9CCFB68EEA052971E84
Mandiant_APT1_Report_Appendix.zip
MD5: FD103F16BBBB28162C23BE3A47371AA9
SHA-1: ABF9D09A991E56393D18433644FF0DBA907A9154



Tuesday, January 22, 2013

1-15 January 2013 Cyber Attacks Timeline

So here we are with the first Cyber Attacks Timeline for 2013 covering the first half of January.

1-15 January 2013 Cyber Attacks Timeline

Thursday, January 17, 2013

UPCOMING: Cisco Linksys Remote Preauth 0day Root Exploit



Story behind the vulnerability...

Months ago, we've contacted Cisco about a remote preauth (root access) vulnerability in default installation of their Linksys routers that we've discovered. We gave them detailed vulnerability description along with the PoC exploit for the vulnerability.

They said that this vulnerability was already fixed in latest firmware release... Well, not this particular vulnerability, since latest official Linksys firmware - 4.30.14, and all previous versions are still vulnerable.

Exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected.

Cisco Linksys is a very popular router with more than 70,000,000 routers sold. That's why we think that this vulnerability deserves attention.


According to our vulnerability disclosure policy, the vulnerability details will be disclosed in following 2 weeks on http://www.defensecode.com/ , BugTraq and Full Disclosure.
Due to the severity of this vulnerability, once again we would like to urge Cisco to fix this vulnerability.

The vulnerability is demonstrated in the following video:

http://www.youtube.com/watch?v=cv-MbL7KFKE&hd=1

Facebook Malware campaign

We're seeing a massive campaign of malware distribution through Facebook look-a-like pages that started just before the new year.
Malicious page distributing malware
T

hese pages are using the free DNS and hosting provider .tk. This provider has been used for many spam and malware campaigns in the past. Here are some of the domains used:
janejcfprofile.tk
natalieclolyu.tk
rosemaryrloveyouur.tk
sabrinadjoyys.tk
catherineufcitisfun.tk
rosemaryiiqsuper.tk
laurenaensweety.tk
carlyqwowdv.tk

So far, we've seen several hundred of such sites. They prompt the user to download a file with various names, such as:
YouWhoreGIF.exe
YouNiceJPG.exe
IamNiceBMP.exe
IamNicePNG.exe
YouFunnyJPEG.exe
IamLolBMP.exe
and may more





Only 1 AV vendor detects them as malicious at this time!




Looking at the source code, all the .tk domains load their content from another website through an IFRAME, with content from:
liwwh.eqeki.com
ngdy.hrdhm.org
lsmxz.totyn.net
cnpz.nukoq.com
...

These pages then redirect to a third URL on 208.131.138.217, hosting the malicious executable:
208.131.138.217/132.html
208.131.138.217/208.html

The malicious file is generated by http://208.131.138.217/imagedl.php.




As usual, do not run files downloaded on random Internet pages.

Wednesday, January 9, 2013

Infrastructure Services 2013: Promote your value; Prevent their pain!

To understand
Follow the what comes out of the dumper with the name "Customer Needs".



Tuesday, January 8, 2013

The Scrap Value of a Hacked PC

Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don't apply to them. Many cling to the misguided belief that because they don't bank or shop online, that bad guys won't target them. The next time you hear this claim, please refer the misguided person to this blog post, which attempts to examine some of the more common -- yet often overlooked -- ways that cybecrcooks can put your PC to criminal use



This guy makes and markets dozens of account checking tools that are used to test the validity and status of many popular online stores and services, including Amazon, American Express, eBay, Facebook, iTunes, PayPal and Skype, to name a few.

Friday, January 4, 2013

Incident Response Checklist Actions


Incident Response Checklist Actions


A "mock" Incident Response Checklist using WMIC and a few other tools and attempt to answer the questions forensically so I am prepared when a real-world incident occurs (again).

1. Name of System and the Current Time:

C:\>hostname
WIN-xxxxxxxxx7

C:\>whoami
win-xxxxxxxxxx7\my name

C:\>echo %DATE% %TIME%
Fri 01/20/2012 20:52:34.28

C:\>wmic timezone list brief
Bias  Caption            SettingID
540   (UTC+09:00) Seoul

2. IP Address of the targeted system: 

C:\>ipconfig /allcompartments /all

Windows IP Configuration

===============================================================
Network Information for Compartment 1 (ACTIVE)
===============================================================
   Host Name . . . . . . . . . . . . : WIN-xxxxxxxxx7
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-00-00-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.151(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

3. Serial number of the system (this is going to be a bit off since I am on a Vmware instance):

C:\>wmic csproduct get name
Name
VMware Virtual Platform

C:\>wmic bios get serialnumber
SerialNumber
VMware-00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00

4. OS of the targeted system:

C:\>systeminfo | findstr /B /C:"OS Name" /C:"OS Version" - CREDIT
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601

C:\>ver
Microsoft Windows [Version 6.1.7601]

5. MAC Address of the system NIC:

C:\>wmic nicconfig get description,IPAddress,MACaddress

Description                               IPAddress          MACAddress
Intel(R) PRO/1000 MT Network Connection   {"192.168.1.151"}  00:00:00:00:00:00
RAS Async Adapter                                            00:00:00:00:00:00
Bluetooth Device (Personal Area Network)
----cut out some output----

6. How long has the system been online:

C:\>uptime.exe

\\WIN-xxxxxxxxxx7 has been up for: 0 day(s), 0 hour(s), 34 minute(s), 37 second(s)

7. Date and/or Level of Latest Patch:

C:\>wmic qfe get Hotfixid or if you wanted a bit more detail with dates C:\>wmic qfe list
HotFixID
KB971033
KB2305420
KB2393802
KB2425227
----cut out most of the output----

8. System Hardware:

C:\>wmic computersystem get manufacturer (assuming this would say, "Dell" if I was on a physical machine)

Manufacturer
VMware, Inc.

9. Software Installed on the System: I prefer wmic product list the best because it pulls install dates.

C:\>wmic product list

C:\>reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

10. Is there Anti-virus installed on the machine? If so, what brand and what are the latest anti-virus dat file updates? Were there any alerts?

I'm going to consider this one somewhat answered based off some of the information we already gathered from above, specifically: wmic get product list and running reg query against the Uninstall key. Other than that one could always look in the Uninstall Programs list to see if something is installed, or quite possibly look at the bottom right hand corner of the box and see if you see the "Shield" or another product logo. You could also see what's currently running as well. Some of the anti-virus vendors have unique process names.

11. Do you have EFS running on the system?

C:\>cipher /y

EFS certificate thumbprint for computer WIN-xxxxxxxxxx7:
  0000 0000 0000 0000 0000 0000 0000 0000 0000 0000

C:\>cipher /s:"New Folder"

Listing C:\New Folder\
New files added to this directory will be encrypted.

E Meh.txt
E Foo.txt

E = Encrypted

12. Is there a firewall protecting the system? If so, do you have logs?

C:\>copy %windir%\System32\Logfiles\Firewall\*.log <output_directory>
C:\>netsh firewall show state
C:\>netsh firewall show config
C:\>netsh dump 

Try these yourself. Too much information to paste here.

13. Is there any volatile network data?

C:\>route print
===========================================================================
Interface List
 10...00 00 00 00 00 00 ......Intel(R) PRO/1000 MT Network Connection
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.143     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.143    266
    192.168.1.143  255.255.255.255         On-link     192.168.1.143    266
    192.168.1.255  255.255.255.255         On-link     192.168.1.143    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.143    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.143    266
===========================================================================

Persistent Routes:
  None
------cut more output-------

C:\>arp -A

Interface: 192.168.1.143 --- 0xa
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-00-00-00-00     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            00-00-00-00-00-00     static
  224.0.0.252           00-00-00-00-00-00     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

C:\>netstat -ano

Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       392
-----cut out most of the output-----

C:\>net start
These Windows services are started:
   Application Information
   Background Intelligent Transfer Service
   Base Filtering Engine
   Bluetooth Support Service
   COM+ Event System
-----cut out most of the output-----

C:\>net user and C:\>wmic useraccount list
User accounts for \\WIN-xxxxxxxxxx7
---------------------------------------------------------------
Administrator            Guest                    My Name
The command completed successfully.

C:\>net use
New connections will be remembered.
Status       Local     Remote                    Network
---------------------------------------------------------------------
Z:        \\vmware-host\Shared Folders VMware Shared Folders
The command completed successfully.

C:\>type %windir%\System32\drivers\etc\hosts
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

C:\>type %windir%\System32\drivers\etc\networks
# For example:
#
#    loopback     127
#    campus       284.122.107
#    london       284.122.108
loopback                 127

14. Are there event logs?

C:\>wmic nteventlog get name - Use this output to create the next command

C:\>copy %windir%\System32\Winevt\Logs\*.evtx <output_directory>

Those were all of the questions asked on the incident response checklist I found online. My work one is much more detailed, but I don't have permission to release all of its contents nor will I get permission. I suggest all of you go through the "actionable" items so you're not surprised when an incident DOES occur (not IF).

Other "general questions" to ask in no particular order are:

Point of contact information.
What is the system used for?
What kind of information is stored on this system (Classified, PII, etc.)?
Is it public facing, or is it an internal system?
Is it a server or workstation?

Other Commands and Tools to run to collect information:

wmic process list status
wmic process list memory
wmic job list brief
wmic startup list brief
wmic ntdomain list brief
wmic service list config
handle.exe /accepteula
gplist
listdlls.exe
logonsessions.exe /accepteula
pslist.exe /accepteula
psloggedon.exe /accepteula
tasklist
tcpvcon.exe -a /accepteula