SUMMARY.md

Table of contents

Welcome

• RootGuard
  • About the Author
    • Professional Profile

Resources Hub

• Blogs
  • Articles: Operational Analysis & Security
    • Importance of a Security Operations Center (SOC)
  • Posts: Field Notes
    • Roadmap: Becoming a Cyber Specialist
    • Starting a Career in Cybersecurity
    • Landing First Cyber Analyst Role
    • Beyond the Perimeter: Hybrid Blue Team Roadmap
    • SOC Prep Interview Questions
    • SOC Analysts Roadmap
    • Becoming A SOC Analyst
    • Key Windows Event-IDs to Monitor
• Tool Arsenal
  • Cerberus: PowerShell DFIR Investigation Toolkit
  • Chimera: PowerShell Incident Response Toolkit

Knowledge Base

• Junior Analyst Skills
  • Splunk Use Cases
  • KQL Use Cases
    • Reconnaissance (TA0043)
    • Initial Access (TA0001)
    • Execution (TA0002)
    • Persistence (TA0003)
    • Privilege Escalation (TA0004)
    • Defence Evasion (TA0005)
    • Credential Access (TA0006)
    • Discovery (TA0007)
    • Lateral Movement (TA0008)
    • Collection (TA0009)
    • Command and Control (TA0011)
    • Exfiltration (TA0010)
    • Impact (TA0040)
  • Investigating Common Attacks
    • Domain Dominance Attacks - Detection & Analysis
    • Investigating a Suspected AD FS Distributed Key Management (DKM) Attack
    • Authentication From Suspicious DeviceName
    • Identifying Interactive or RemoteInteractive Session From Service Account
    • Identifying Split or Part Archive File Transfers
    • Detect Potential Cleartext Credentials in Command Line
    • Detecting Command Line Interpreters Launched via Scheduled Tasks
    • Detecting Files Containing Potentially Sensitive Data
    • Detecting DeviceNetworkEvents From Windows Processes and Domains by TLD
    • Detecting Silent cmd.exe Execution With Redirected STDERR & STDOUT
    • Detecting Low Prevalence DLL Loaded From Process In User Downloads Directory
    • Detecting Virtual Drive Mounted From Archive
    • Identify Execution of Script From User's Downloads Folder
    • Identify Potential RDP Tunneled Sessions
    • Identify Instances of PowerShell Invoke-WebRequest, IWR or Net.WebClient
    • Identify Processes Launched by PowerShell Remoting (WSMProvHost.exe)
    • Detect DeviceNetworkEvents for LOLBAS with Download or Upload Functions
    • Detect Execution of PSEXESVC via Remote Systems
    • Identify Suspicious String in Service Creation ImagePath
    • Identify File with Double Extensions
    • Detect Potential Cleartext Credentials in Commandline
    • Detect When Large Number of Files Downloaded From OneDrive or SharePoint
    • Identify and Investigate Phishing Attacks with KQL
  • PowerShell for SecOps
    • Powershell Remoting
    • Reconnaissance Discovery
    • Initial Access Discovery
    • Execution Discovery
    • Persistence Discovery
    • Privilege Escalation Discovery
    • Defence Evasion Discovery
    • Credential Access Discovery
    • Discovery
    • Lateral Movement Discovery
    • Collection Discovery
    • Command & Control (C2) Discovery
    • Exfiltration Discovery
    • Impact Discovery
  • Packet Analysis (pcap)
    • Tcpdump
    • Tcpdump (Intermediate)
    • Tshark
    • Ngrep
  • Investigating Suspicious Emails Using KQL
• MITRE-Aligned Threat Dectection
  • Reconnaissance (TA0043) Techniques
  • Resource Development (TA0042) Techniques
  • Initial Access (TA0001) Techniques
  • Command Execution (TA0002) Techniques
  • Persistence (TA0003) Techniques
  • Privilege Escalation (TA0004) Techniques
  • Defence Evasion (TA0005) Techniques
  • Credential Access (TA0006) Techniques
  • Discovery (TA0007) Techniques
  • Lateral Movement (TA0008) Techniques
  • Collection (TA0009) Techniques
  • Command and Control (C2) (TA0011) Techniques
  • Exfiltration (TA0010) Techniques
  • Impact (TA0040) Techniques
• Tools How-To
  • Linux Find Commands
  • Volatility v3 Memory Forensics
  • Nmap Scanning
  • SQLMap
  • Netcat: Attack & Detection Techniques
  • PowerShell Attack & Detection Techniques

Detection Engineering

• Threat Detection
  • AD Detections & Mitigations
    • Kerberoasting
    • Authentication Server Response (AS-REP) Roasting
    • Password Spraying
    • MachineAccountQuota Compromise
    • Unconstrained Delegation
    • Password in Group Policy Preferences (GPP) Compromise
    • Active Directory Certificate Services (AD CS) Compromise
    • Golden Certificate
    • DCSync
    • Dumping ntds.dit
    • Golden Ticket
    • Silver Ticket
    • Golden Security Assertion Markup Language (SAML)
    • Microsoft Entra Connect Compromise
    • One-way Domain Trust Bypass
    • Security Identifier (SID) History Compromise
    • Skeleton Key
    • Active Directory Security Controls
    • Active Directory Events for Detecting Compromise
  • Attack Triage Playbooks (KQL Triage)
    • Windows Malware Detection Playbook
    • Linux Host Intrusion Detection Playbook (CLI)
    • Linux Intrusion Detection Playbook
    • Large-Scale Compromise Detection Playbook
    • Ransomware Detection Playbook
    • Phishing Email Compromise Detection Playbook
    • Scam Detection Playbook
    • Customer Phishing Detection Playbook
    • Insider Abuse Detection Playbook
    • Information Leakage Detection Playbook
    • Social Engineering Detection Playbook
    • Malicious Network Behaviour Detection Playbook
    • Windows Intrusion Detection Playbook
    • Vulnerability Detection Playbook
    • Business Email Compromise Detection Playbook
    • Hunting APT TTPs and LOLBAS Operations - Playbook
  • Process Execution (KQL Triage)
  • Threat Hunting
    • Hunting Ransomware Indicators
    • Hunting With KQL
      • Detecting Malware Infection (MITRE ATT&CK: T1566, T1059)
      • Discovery Activities (MITRE ATT&CK: T1016, T1083, T1046)
      • Credential Theft (MITRE ATT&CK: T1003, T1078)
      • Lateral Movement (MITRE ATT&CK: T1076, T1021)
      • Data Theft (MITRE ATT&CK: T1041, T1071)
      • Detecting CommandLine Executions (MITRE ATT&CK: T1059)
      • Windows Security Logs (Identity and Logon Activities)
    • Hunting With Splunk

Defensive Security

• DFIR
  • Initial Triage & Response
    • Evidence Collection
      • Acquire Triage Image Using KAPE
      • Acquire Triage Data Using Velociraptor
      • Acquire Triage Data Using Powershell
      • Acquire Triage Memory Image
      • Acquire Image Using FTK
      • AXIOM Cyber Data Collection
    • Device Isolation
    • Windows Registry Forensics – SOC Analyst Cheatsheet
    • Application Execution Forensics – SOC Analyst Cheatsheet
    • File & Folder Knowledge Forensics - SOC Analyst Cheatsheet
    • Network Activity Forensics - SOC Analyst Cheatsheet
    • Windows Event Log Forensics - SOC Analyst Cheatsheet
    • USB & External Device Forensics - SOC Analyst Cheatsheet
    • Evidence of Execution Forensics – SOCb Analyst Cheatsheet
  • Window Forensics
    • Account Usage Investigation Workflow & Cheatsheet
    • Windows Forensic Artifacts – Investigation Workflow & Cheatsheet
    • Enhanced Windows Event Log Investigation Guide
    • User Activity Tracking with KQL
    • Program Execution Artifacts Investigation Guide
    • File and Folder Access Investigation Guide
    • File Download and Browser Activity Investigation Guide
    • Browser Forensics – DFIR Workflow & Cheatsheet
    • Deleted Files & File Knowledge—DFIR Workflow & Cheatsheet
    • USB Device & External Storage - DFIR Workflow & Cheatsheet
    • Account Usage Investigation with KQL Cheatsheet
  • Linux Forensics
    • Commandline Basics
    • Host Compromise Assessment
    • DFIR Workflow Cheatsheet
    • Linux Intrusion Analysis
    • Linux Log Analysis & Attack Detection
  • Runbooks
    • Identity Attack Investigation Runbook
    • Malware Attack Investigation Runbook
    • Unauthorised Access & Privilege Escalation Investigation Runbook
    • Lateral Movement Investigation Runbook
    • Business Email Compromise (BEC) Investigation Runbook
    • Data Exfiltration Investigation Runbook
    • Ransomware Investigation & Response Runbook
  • Playbooks
    • PowerShell
      • PowerShell for Junior SOC Analysts
      • PowerShell Mastery for Senior SOC Analysts
      • PowerShell for Detection and Analysis
      • PowerShell Intrusion Analysis
      • The PowerShell Operator’s Guide
      • The Ultimate Blue Team/DFIR Powershell
    • Velociraptor
      • Velociraptor Intrusion Analysis
      • Windows AD Attack Investigation – Velociraptor Cheatsheet
    • Zimmerman Tools
      • Zimmerman Tools Intrusion Analysis
      • KAPE Artifacts Analysis
    • Volatility Vol3
      • Memory Analysis (Vol 3)
      • Memory Forensics (Volatility 3)
    • Magnet AXIOM Cyber
      • Axiom Cyber Examiner
    • KQL - Defender & Sentinel
      • MDO (Office)
      • MDI (Identity)
      • MDE (Endpoint)
      • Windows AD Attack Investigation – Defender & Sentinel KQL Cheat Sheet
  • Malware Analysis
    • Cheatsheet

Offensive Security

• Hacking
  • Pre-Engagement
  • Recon, Enum & Attack Planning
    • Network Enumeration With Nmap
      • Nmap Scanning Basics
      • Initial Enumeration
      • NMAP Protocol Scanning and Enumeration
      • Network Enumeration
    • Footprinting
      • Footprinting (Scan-Enum) Full
    • Information Gathering - Web Edition
      • Information Gathering Workflow
    • File Transfer
    • Shells & Payloads
  • Exploitation & Lateral Movement
    • Full Active Directory (AD) Enumeration
    • Active Directory Pentesting Workflow & Cheatsheet
    • Attacking Common Services
      • DNS
      • FTP
      • RDP
      • SMB
      • SMTP
      • SQL
    • Password Attacks
      • Password Attacks Workflow
      • Password Attack Methodology & Workflow
    • Living-Off-the-Land Binaries (LOLBins) for AD enumeration
    • Sql Injection Pentesting Workflow
  • Post-Exploitation
    • Living Off the Land: Windows Post-Exploitation
    • Living Off the Land: Windows Post-Exploitation—With Tactical Context & Usage Guide
  • Pentesting Cheatsheet
    • Enumeration Checklist
    • From Discovery to Enumeration
    • Penetration Testing Cheatsheet
    • Pentesting Cheatsheet (HTB)
    • Powershell Tips and Use Cases
    • Powershell Basic Training Workflow
    • 70+ Essential Linux Commands
    • 70+ Essential Powershell Commands
    • 70+ Essential Windows CMD Commands
    • PowerShell Red & Purple Team Cheatsheet
• Attacking Active Directory (AD)

AI Security

• AI Security & Governance
• Prompt Engineering
  • Security OPerations Prompt Library
  • Core SOC Prompt Playbooks
  • DFIR Prompt Templates

Resources