RootGuard
Operational Intelligence for Cyber Defence
RootGuard is a professional knowledge base for cybersecurity operations.
We built this for the people actually doing the work—SOC analysts, detection engineers, and incident responders. This is not a training course; it is a field manual. We provide the technical playbooks, detection logic, and forensic breakdowns you need to handle active threats in real-world environments.
Whether you are hunting for Active Directory compromise, analysing Windows artefacts, or tuning a SIEM, RootGuard bridges the gap between theory and the daily reality of the SOC.
Our Mission
This site exists to solve a specific problem: to make actionable, deployment-ready documentation available to defenders.
Our goal is to help raise the standard of defence by sharing tested tradecraft. We focus on high-impact areas like Identity Security, Digital Forensics, and Detection Engineering, equipping you with the resources to detect sophisticated attacks and respond faster.
Inside the Knowledge Base
Detection Engineering & KQL: Stop relying on default alerts. We provide the logic and KQL queries to detect advanced threats, with a deep focus on Active Directory attacks (Golden Ticket, Kerberoasting) and cloud identity risks.
Digital Forensics (DFIR): Deep-dive reference guides for when you need to reconstruct an incident.
Windows Forensics: Registry analysis, ShimCache, AmCache, and evidence of execution.
Malware Analysis: Static and dynamic analysis workflows to dissect malicious binaries.
Network Forensics: Packet capture (PCAP) analysis using Wireshark and TShark.
Incident Response Playbooks: Structured workflows for handling live incidents. From "Attack Triage" to specific scenarios like "Privilege Escalation" or "Ransomware Containment", these guides help you move from alert to remediation without missing a step.
Offensive Security for Defenders: You cannot defend what you do not understand. We break down offensive techniques—like Login Brute Forcing, Credential Stuffing, and Lateral Movement—so you can engineer better detections and harden your perimeter.
Why Use RootGuard?
No Fluff: Pages are focused on technical utility—commands, logs, and analysis steps.
Platform Agnostic: While we cover Microsoft Sentinel and Defender in depth, the principles apply to any SIEM or EDR.
Living Document: The threat landscape changes fast. Documentation will evolve to cover new attack vectors and defence strategies as they emerge.
Explore the Manual
Navigate the repository to find the specific procedure you need:
Detection Engineering (AD Attacks, KQL Triage)
Defensive Security (Windows Forensics, IR Strategies)
Offensive Security (Exploitation, Password Attacks)
Learning Hub (Core Skills & Role Development)