This is not another beginner guide or certification checklist.
RootGuard is a battle-tested field manual for SOC analysts, detection engineers, threat hunters, and incident responders who need to act—fast and decisively—when real threats hit.
We deliver no-fluff, deployment-ready resources: precise KQL queries, forensic breakdowns, step-by-step playbooks, and analysis of attacker tradecraft you can use today to detect, contain, and eradicate threats.
- Identity Security → Master Active Directory and Entra ID attacks
- Digital Forensics & Incident Response → Reconstruct incidents with surgical precision
- Detection Engineering → Build high-fidelity alerts that actually matter
High-signal detection logic for the attacks that bypass default rules:
- Golden/Silver Ticket forgery
- Kerberoasting & AS-REP Roasting
- DCSync, Pass-the-Ticket, Overpass-the-Hash
- Cloud identity compromise (Entra ID)
Ready-to-deploy KQL queries for Microsoft Sentinel & Defender
Deep artifact analysis to prove what happened:
- Registry hives (ShimCache, AmCache, UserAssist)
- Event Logs, Prefetch, SRUM, BAM
- Evidence of execution, persistence, and lateral movement
Structured timelines and correlation playbooks
From alert to remediation — no steps missed:
- Rapid Attack Triage
- Privilege Escalation Containment
- Ransomware Response & Recovery
- Data Exfiltration Detection & Blocking
Understand the adversary to defeat them:
- Credential attacks (Brute Force, Spraying, Stuffing)
- Lateral movement (PsExec, WMI, WinRM)
- Exploitation techniques and post-exploitation tradecraft
- Static/dynamic malware dissection workflows
- PCAP analysis with Wireshark/TShark
- Behavioural indicators and hunting rules
- Actionable First — Commands, queries, logs, and exact steps
- Platform Agnostic — Core principles work everywhere; deep Microsoft ecosystem examples
- Living Resource — Continuously updated with emerging threats and community feedback
- Defender-Centric — Written from real incidents, for real defenders
- Detection Engineering → AD Attacks & KQL Triage
- Defensive Security → Windows Forensics & IR Strategies
- Offensive Security → Exploitation & Password Attacks
- Learning Hub → Core Skills & Career Development
- About the Author → Meet the defender behind it all
RootGuard: Raising the defender baseline — one playbook at a time.
For authorised defensive operations only. Always adhere to legal and ethical standards.