| cover | coverY | coverHeight | layout | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
.gitbook/assets/RootGuardLandingPage.png |
0 |
236 |
|
Practical. Field-Tested. Enterprise-Ready.
RootGuard serves as a comprehensive field manual for SOC analysts, detection engineers, and incident responders operating in high-threat environments. Moving beyond theoretical certification checklists, this repository focuses on immediate operational utility for active defence scenarios.
We provide high-density, deployment-ready resources: precision KQL queries, forensic artifact breakdowns, and structured playbooks designed to detect, contain, and eradicate sophisticated threats.
- Identity Security: Mitigation strategies for Active Directory and Entra ID vectors.
- Digital Forensics & IR: Methodologies for surgical breach reconstruction.
- Detection Engineering: Development of high-fidelity alerting logic.
High-signal logic for detecting evasion techniques.
- Identity Forgery: Golden/Silver Ticket analysis.
- Credential Attacks: Kerberoasting, AS-REP Roasting, and DCSync detection.
- Lateral Movement: Pass-the-Ticket and Overpass-the-Hash validation.
- Cloud Security: Entra ID compromise and privilege escalation monitoring.
- Scope: Deployable queries optimised for Microsoft Sentinel & Defender.
Deep-dive artifact analysis for evidence verification.
- Execution Evidence: Registry analysis (ShimCache, AmCache, UserAssist).
- Timeline Reconstruction: Event Logs, Prefetch, SRUM, and BAM data.
- Attack Patterns: Correlating persistence mechanisms and lateral movement.
- Output: Structured timelines and correlation playbooks.
Lifecycle management from detection to recovery.
- Triage: Rapid assessment protocols.
- Containment: Privilege escalation isolation.
- Recovery: Ransomware response procedures.
- Data Protection: Exfiltration detection and blocking at the wire.
Adversary tradecraft analysis for proactive hardening.
- Access Vectors: Credential stuffing, spraying, and brute-force patterns.
- Lateral Movement: Analysis of PsExec, WMI, and WinRM traffic.
- Exploitation: Post-exploitation techniques and "living-off-the-land" binaries.
Artifact dissection and traffic analysis.
- Static and dynamic malware analysis workflows.
- PCAP investigation using Wireshark and TShark.
- IOC extraction and behavioural hunting rule generation.
| Feature | Operational Value |
| Actionable Utility | Prioritises exact commands, queries, log samples, and execution steps over theory. |
| Platform Agnostic | Core principles apply universally, supported by deep integration with the Microsoft ecosystem. |
| Living Intelligence | Continuously updated based on emerging threats and operational feedback. |
| Defender Centric | Derived from active incident response engagements and real-world breach data. |
- Detection Engineering: AD Attacks & KQL Triage
- Defensive Security: Windows Forensics & IR Strategies
- Offensive Security: Exploitation & Password Attacks
- Learning Hub: Core Skills & Career Development
- About the Author: Operational Background
RootGuard: Elevating the defensive baseline.
Authorised for defensive operations only. Ensure compliance with all applicable legal frameworks and ethical standards.