
Tool Arsenal

Operational Tooling for the Modern Defender

Automate. Hunt. Eradicate.

Manual forensics doesn't scale. RootGuard Operational Tooling bridges the gap between detection and remediation, providing battle-tested tools to accelerate triage, automate evidence collection, and execute deep-dive investigations.

This is not a script dump. This is a curated armoury of frameworks designed to function in hostile environments without deployment friction.


The Arsenal

🛡️ Custodian-HT

Comprehensive Threat Hunting & DFIR Suite

The flagship framework for high-intensity incident response. Custodian-HT is a modular ecosystem that automates the entire lifecycle of a hunt—from artifact collection to analysis and reporting.

  • Capabilities:

    • Unified Analysis: Integrates KAPE, Hayabusa, Chainsaw, and YARA into a single workflow.

    • Remote Warfare: Execute hunts across Windows (WinRM/PsExec) and Linux (SSH) fleets.

    • Automated Intelligence: Built-in OSINT lookups (VirusTotal, AbuseIPDB) and Patch Tuesday vulnerability analysis.

    • Loki-RS Scanner: Rapid IOC scanning across distributed endpoints.
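A fleet-wide IOC sweep of the kind the Remote Warfare and Loki-RS Scanner bullets describe, as an added example that is not Custodian-HT's or Loki-RS's own code. It fans a small scan out over WinRM with Invoke-Command and brings back one object per match. The host names, hunted paths and every IOC value are constructed placeholders, and it assumes PowerShell remoting is enabled on the targets (Enable-PSRemoting) with the caller holding local admin there:

```powershell
# Added example, not Custodian-HT's or Loki-RS's own code: a fleet-wide IOC
# sweep fanned out over WinRM. Assumptions: remoting is enabled on the targets,
# the caller is a local admin there, and the hosts, paths and IOC values below
# are operator-supplied placeholders (constructed, not real indicators).
param(
    [string[]]$Hosts    = @('ws01', 'ws02', 'srv-file01'),
    [int]     $Throttle = 16,
    [string]  $OutCsv   = ".\hunt_$(Get-Date -Format yyyyMMdd_HHmm).csv"
)

$Iocs = @{
    FileNames = @('svchost32.exe', 'update_helper.dll')                                   # constructed
    Sha256    = @('0000000000000000000000000000000000000000000000000000000000000001')    # constructed
    Processes = @('svchost32')                                                           # constructed
    Paths     = @('C:\Windows\Temp', 'C:\ProgramData', 'C:\Users')                       # hunted on the target
}

# Runs on every target. It emits objects only for matches, so the hunter gets a
# small result set back even from a large fleet.
$sweep = {
    param([hashtable]$Iocs)

    function New-Hit($Kind, $Indicator, $Detail) {
        [pscustomobject]@{
            Host = $env:COMPUTERNAME; Kind = $Kind; Indicator = $Indicator
            Detail = $Detail; Seen = (Get-Date).ToString('o')
        }
    }

    # Running processes by name (Path is null for protected processes; harmless here).
    foreach ($p in Get-Process) {
        if ($Iocs.Processes -contains $p.ProcessName) {
            New-Hit 'process' $p.ProcessName "PID $($p.Id) $($p.Path)"
        }
    }

    # Files by name, and by SHA256 for the executable types worth hashing
    # (hash everything and the sweep cost explodes on large profile trees).
    $files = Get-ChildItem -Path $Iocs.Paths -Recurse -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        if ($Iocs.FileNames -contains $f.Name) { New-Hit 'filename' $f.Name $f.FullName }
        if ($f.Extension -in '.exe', '.dll', '.ps1', '.bat') {
            $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $Iocs.Sha256 -contains $h) { New-Hit 'sha256' $h $f.FullName }
        }
    }
}

# Fan out. An unreachable host is reported, not fatal: a box that is offline
# during a hunt is itself worth noting.
$results = Invoke-Command -ComputerName $Hosts -ThrottleLimit $Throttle `
    -ScriptBlock $sweep -ArgumentList $Iocs `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

foreach ($e in $remoteErrors) { Write-Warning $e.Exception.Message }

$results | Select-Object Host, Kind, Indicator, Detail, Seen | Sort-Object Host, Kind |
    Tee-Object -Variable hits | Format-Table -AutoSize
$hits | Export-Csv -NoTypeInformation -Path $OutCsv
"{0} hit(s) from {1} reachable host(s); written to {2}" -f @($hits).Count,
    @($results | Select-Object -ExpandProperty PSComputerName -Unique).Count, $OutCsv
```

Point -Hosts at your own inventory (for example `-Hosts (Get-Content .\hosts.txt)`). The same structure carries a YARA or Loki-RS invocation in place of the inline matching; the point is that the scan logic travels to the endpoint and only findings come back.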

View Repository


🦁 Chimera

Rapid Triage & Acquisition Framework

Speed is the metric that matters during breakout, the window between an adversary's initial foothold and lateral movement. Chimera is a lightweight, agentless triage engine designed to deploy, acquire, and vanish.

  • Capabilities:

    • Agentless Architecture: "Zip & Ship" deployment via PowerShell and SSH. Nothing is installed on the target and the collector cleans up its working files when it finishes; only the host's normal execution logging (PowerShell script block logs, Prefetch) records that it ran, which belongs in the case notes.

    • Hybrid Targeting: Native support for both Windows (VSS, EZTools) and Linux ("The Goat" engine).

    • Precision Forensics: Targeted extraction of ShimCache, AmCache, and browser history (Chrome/Edge/Brave).

    • Volatile Data: Streamlined RAM capture using AVML with on-the-fly compression.
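One way to do the targeted extraction above on Windows, as an added example that is not Chimera's own code: snapshot the system volume with VSS so the locked SYSTEM hive (ShimCache is the AppCompatCache value inside it), Amcache.hve and the Chromium History databases of Chrome, Edge and Brave can be copied and hashed, then tear the snapshot down again. It creates the snapshot through WMI because `vssadmin create shadow` is not available on client editions of Windows. It assumes an elevated session, C: as the system volume, a link path without spaces, and a writable $Dest:

```powershell
# Added example, not Chimera's own code: copy locked Windows artifacts out of a
# fresh Volume Shadow Copy. Run in an elevated PowerShell. Assumptions: C: is the
# system volume, cmd.exe's mklink is available, $Dest is writable, and the
# artifact paths are the standard Windows / Chromium locations.
param(
    [string]$Dest = "C:\Triage\$($env:COMPUTERNAME)_$(Get-Date -Format yyyyMMdd_HHmmss)"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. Snapshot the volume so files held open by the OS and by browsers are readable.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed, code $($result.ReturnValue)" }
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $result.ShadowID

# 2. Expose the snapshot as a directory link. mklink needs the trailing backslash
#    on the \\?\GLOBALROOT device path; neither path contains spaces, so no quoting issues.
$link = Join-Path $env:SystemDrive 'vss_triage'
cmd.exe /c mklink /d $link "$($shadow.DeviceObject)\" | Out-Null

try {
    # 3. System-wide artifacts: SYSTEM hive (ShimCache lives under
    #    ControlSet00x\Control\Session Manager\AppCompatCache) and the Amcache hive.
    $targets = @(
        'Windows\System32\config\SYSTEM',
        'Windows\AppCompat\Programs\Amcache.hve'
    )
    # 4. Per-user Chromium History databases for Chrome, Edge and Brave.
    $histRel = @(
        'AppData\Local\Google\Chrome\User Data\Default\History',
        'AppData\Local\Microsoft\Edge\User Data\Default\History',
        'AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\History'
    )
    foreach ($profile in Get-ChildItem (Join-Path $link 'Users') -Directory) {
        foreach ($h in $histRel) { $targets += "Users\$($profile.Name)\$h" }
    }

    # 5. Copy what exists and hash on copy so the evidence can be verified later.
    $manifest = foreach ($rel in $targets) {
        $src = Join-Path $link $rel
        if (-not (Test-Path -LiteralPath $src)) { continue }
        $out = Join-Path $Dest ($rel -replace '\\', '_')
        Copy-Item -LiteralPath $src -Destination $out -Force
        [pscustomobject]@{
            Artifact = $rel
            Copied   = $out
            SHA256   = (Get-FileHash -LiteralPath $out -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -NoTypeInformation -Path (Join-Path $Dest 'manifest.csv')
    $manifest | Format-Table -AutoSize
}
finally {
    # 6. Always remove the link and the snapshot, even if a copy failed,
    #    so nothing is left behind on the host.
    cmd.exe /c rmdir $link | Out-Null
    $shadow | Remove-CimInstance
}
```

The hives come out raw; parse them afterwards with the EZTools the page mentions (AppCompatCacheParser and AmcacheParser) on the analysis box, not on the suspect host.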

View Repository


🐕 Cerberus

Deep-Dive Investigation Toolkit

When the alert is confirmed, Cerberus goes deep. This toolkit focuses on "Live Response" forensics, reconstructing the adversary's actions with granular precision.

  • Capabilities:

    • Smart Memory Capture: Auto-detection of Secure Boot to select the correct acquisition method (Magnet RAM Capture vs. DumpIt).

    • Live Response Mode: Generates instant HTML reports on active processes, network connections, and user sessions.

    • Browser Forensics: Automated parsing of Chromium-based browser history (Chrome, Edge, Brave) using Hindsight.

    • Volatility Integration: Built-in support for immediate memory analysis without leaving the framework.
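A live-response snapshot of the kind described above, as an added example rather than Cerberus's own code: it records the Secure Boot state before any memory capture, collects logon sessions, TCP connections and the process list with parent PIDs and command lines, renders everything to one HTML file with ConvertTo-Html and hashes the result. It assumes an elevated session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Confirm-SecureBootUEFI) and a writable $Report path; which capture tool to run in each boot state is left to the operator:

```powershell
# Added example, not Cerberus's own code: a live-response snapshot written to a
# single HTML report and hashed. Run elevated. Assumptions: Windows 8 / Server
# 2012 or later and a writable $Report path.
param(
    [string]$Report = "C:\Triage\live_$($env:COMPUTERNAME)_$(Get-Date -Format yyyyMMdd_HHmmss).html"
)

New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null

# Boot environment first. On Windows 10 1607 and later, a system with Secure Boot
# on only loads newly installed kernel drivers that carry a Microsoft signature,
# so some acquisition drivers will not load; record the state before capturing RAM.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'n/a (legacy BIOS / not UEFI)' }

# Logon sessions: join Win32_LoggedOnUser (who) to Win32_LogonSession (how, when).
# Types 2, 3 and 10 are interactive, network and remote interactive (RDP).
$sessions = foreach ($lu in Get-CimInstance Win32_LoggedOnUser) {
    $ls = Get-CimInstance Win32_LogonSession -Filter "LogonId='$($lu.Dependent.LogonId)'"
    if ($ls.LogonType -in 2, 3, 10) {
        [pscustomobject]@{
            User      = "$($lu.Antecedent.Domain)\$($lu.Antecedent.Name)"
            LogonId   = $lu.Dependent.LogonId
            LogonType = $ls.LogonType
            Started   = $ls.StartTime
        }
    }
}

# TCP connections with the owning process name resolved.
$tcp = Get-NetTCPConnection | Where-Object State -ne 'Bound' |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object State, RemoteAddress

# Win32_Process gives parent PID and full command line, which Get-Process does not.
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CreationDate, ExecutablePath, CommandLine |
    Sort-Object ProcessId

$style = '<style>body{font-family:Segoe UI,Arial,sans-serif;font-size:12px}' +
         'table{border-collapse:collapse}th,td{border:1px solid #999;padding:2px 6px;text-align:left;vertical-align:top}</style>'

# ConvertTo-Html HTML-encodes property values, so command lines render safely.
$body  = @()
$body += "<h1>Live response: $env:COMPUTERNAME</h1>"
$body += "<p>Collected $(Get-Date -Format o) as $env:USERDOMAIN\$env:USERNAME. Secure Boot: $secureBoot.</p>"
$body += '<h2>Logon sessions</h2>';  $body += $sessions | ConvertTo-Html -Fragment
$body += '<h2>TCP connections</h2>'; $body += $tcp      | ConvertTo-Html -Fragment
$body += '<h2>Processes</h2>';       $body += $procs    | ConvertTo-Html -Fragment

ConvertTo-Html -Title "Live response $env:COMPUTERNAME" -Head $style -Body $body |
    Out-File -FilePath $Report -Encoding utf8

# Hash the report on creation so it can be verified when it reaches the case file.
$hash = (Get-FileHash -LiteralPath $Report -Algorithm SHA256).Hash
"$hash  $(Split-Path -Leaf $Report)" | Out-File -FilePath "$Report.sha256" -Encoding ascii
"Report: $Report`nSHA256: $hash"
```

Collect this before the memory image, not after: the report is cheap and the acquisition tool itself will appear in the process and connection tables once it is running.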

View Repository


Which Tool Do You Need?

| Scenario | Recommended Weapon | Why? |
| --- | --- | --- |
| "I need to hunt for a specific threat across the entire network." | Custodian-HT | Built for scale, integrated analysis, and heavy-duty hunting (Hayabusa/Chainsaw). |
| "I need to grab artifacts from a suspect endpoint immediately." | Chimera | Lightweight, fast, and requires no agent installation. Perfect for initial triage. |
| "I need to analyse a compromised host and get a memory dump." | Cerberus | Specialized for deep investigation, live response reporting, and memory forensics. |


Deployment & Safety

All tools in the RootGuard Arsenal are designed for authorised defensive use only.

  • Open Source: Auditable code transparently hosted on GitHub.

  • Modular: Use only what you need.

  • Operational Security: Scripts are designed to minimise noise and clean up after execution.

Always adhere to your organisation's legal and operational guidelines.
