Guerrilla

2.46.5

Agentless, read-only security assessment and continuous monitoring for PowerShell 7 across three theaters: on-premises Active Directory (211 checks across 15 categories including transitive Tier-0 attack-path analysis, certificate-services ESC1-ESC16, NTLM-relay preconditions, telemetry posture, and adversary tradecraft indicators), the Entra ID / Azure / Intune / M36
Agentless, read-only security assessment and continuous monitoring for PowerShell 7 across three theaters: on-premises Active Directory (211 checks across 15 categories including transitive Tier-0 attack-path analysis, certificate-services ESC1-ESC16, NTLM-relay preconditions, telemetry posture, and adversary tradecraft indicators), the Entra ID / Azure / Intune / M365 identity plane (257 checks including a full 44-control EIDSCA baseline, conditional access, PIM, application and OAuth governance, Exchange Online, SharePoint, Teams, Defender, and entitlement-management hygiene), and Google Workspace (158 checks aligned to the CISA SCuBA baselines). 626 checks total, each mapped to NIST 800-53, MITRE ATT&CK, CIS, EIDSCA, and CISA SCuBA where applicable and carrying a CISA Zero Trust pillar and weight, and each verdict validated by a golden-fixture test (1,754 fixtures). Continuous monitoring covers Entra ID sign-in risk, AD baseline drift, and M365 audit logs. Alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.
Show more

Minimum PowerShell version

7.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name Guerrilla

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name Guerrilla

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) 2026 Jim Tyler. All rights reserved.

Package Details

Author(s)

  • Jim Tyler Microsoft MVP

Tags

GoogleWorkspace ActiveDirectory EntraID AzureAD Intune M365 Security CompromiseAssessment IncidentResponse ThreatDetection ADSecurity CloudSecurity NTLMRelay TierZero GUI WPF Guerrilla

Functions

Invoke-Recon Invoke-Surveillance Invoke-Watchtower Invoke-Wiretap Invoke-Lookout Get-DeadDrop Send-Signal Send-SignalSendGrid Send-SignalMailgun Send-SignalTwilio Send-SignalTeams Send-SignalSlack Send-SignalWebhook Send-SignalPagerDuty Send-SignalPushover Send-SignalSyslog Send-SignalEventLog Send-SignalDigest Set-Safehouse Test-Safehouse Get-Safehouse Register-Patrol Unregister-Patrol Get-Patrol Update-ThreatIntel Invoke-ReconDemo Invoke-Fortification Invoke-Reconnaissance Invoke-Infiltration Invoke-Campaign Get-GuerrillaScore Get-GuerrillaMaturity Get-QuickWins Get-ComplianceCrosswalk Test-GuerrillaConditionalAccess Export-BudgetJustification Export-ExecutiveSummary Export-TechnicalReport Export-RemediationPlaybook Export-RemediationScripts Set-RiskAcceptance Get-RiskAcceptance Get-TrendReport Export-ReportPdf Export-Dashboard Export-BloodHoundData Export-GuerrillaJUnit Get-GuerrillaCIGate Show-Guerrilla Get-ZeroTrustScore

Dependencies

This module has no dependencies.

Release Notes

Guerrilla (formerly PSGuerrilla, renamed 2026-07-08). v2.46.5: Eight Google Workspace SCuBA configuration controls, each verified against the CISA ScubaGoggles Rego before it was written. EMAIL-030 (GWS.GMAIL.11.1) warns on automatic email forwarding; EMAIL-031 (GMAIL.15.1) on enhanced pre-delivery message scanning disabled; DRIVE-017 (DRIVEDOCS.1.8) on default file access not private to owner; ADMIN-019 (COMMONCONTROLS.15.2) on data processing outside the storage region; AUTH-018 (COMMONCONTROLS.8.2) on account self-recovery for users and non-super-admins; ADMIN-020 (COMMONCONTROLS.10.4) fails when access to unconfigured third-party apps is not blocked; ADMIN-021 (COMMONCONTROLS.16.1) warns when additional Google services without an individual control are not restricted (Google models this with inverted serviceState semantics, confirmed against the Rego); ADMIN-022 (COMMONCONTROLS.16.2) warns when Early Access applications are enabled. All read Cloud Identity Policy settings, weakest-OU-wins, absent policy = Not Assessed. GWS SCuBA controls assessed rose from 87 to 95. New branch-coverage gate: a check may declare its verdict paths and the golden-fixture suite fails unless a fixture exercises each one, so a multi-field check must prove every branch, not merely that one fixture passed. 626 checks, 1,754 fixtures, 0 failures. v2.46.4: Documentation and provenance release. Full README rewrite (three theaters, 618 checks, golden-fixture discipline). CONTRIBUTING rewritten as a contribution ladder with rung-matched issue templates. GRLA provenance schema added to every check definition (provenance, source_url, source_read_date, official_id), gated by a new provenance schema test; seven checks classified as Guerrilla-original attack paths no baseline models yet. The golden-fixture gate now emits a machine-readable test-summary.json (checks, fixtures, pass/fail, per-check verdicts) that the public docs render from, so published numbers cannot go stale. SCuBA crosswalk hygiene: four Exchange Online tags remapped to the current CISA Defender baseline, 24 stale tags removed. No check verdict logic changed; 618 checks, 1,730 fixtures, 0 failures. v2.46.3: Closed the last 10 configuration-derived Google Workspace SCuBA gaps found by a setting-level review of the baseline: EMAIL-025 (mail delegation), EMAIL-026 (POP/IMAP), EMAIL-027 (email import), EMAIL-028 (Outlook sync), EMAIL-029 (spam-override lists), DRIVE-014 (Drive SDK), DRIVE-015 (external-file warning), DRIVE-016 (file security update), ADMIN-017 (internal-app trust), ADMIN-018 (data-at-rest region). All read Cloud Identity Policy settings, weakest-OU-wins, absent policy = Not Assessed, tagged with GWS.* control IDs. 30 fixtures. v2.46.2: Four more Google Workspace SCuBA configuration controls: COLLAB-017 (CALENDAR.3.1 interop), COLLAB-018 (CALENDAR.4.1 paid appointments), COLLAB-019 (MEET.5.1 auto-recording), GROUP-006 (GROUPS.4.1 hide-from-directory). Cloud Identity Policy reads, weakest-OU-wins, absent = Not Assessed. Controls with no configuration API (Chat content-reporting, Meet Gemini, calendar interop-management) remain manual or audit-log-derived and are reported honestly as out of automated scope. 12 fixtures. v2.46.1: Consolidated PSGallery release carrying everything since 2.40.1: SCuBA EXO + CIS reconciliation closes, Entra ID Governance entitlement-management hygiene, Copilot Studio AI-agent governance, and the full Google Workspace SCuBA baseline closes (Gmail, Groups, Chat, Meet) with provable GWS.* crosswalk tagging. Release process now tags + creates a GitHub release on publish (repo/Gallery reconciliation). v2.46.0: Five Google Workspace tail SCuBA controls (Chat/Meet/Groups). COLLAB-013 (GWS.CHAT.2.1) fails on Chat external file sharing (exfil); COLLAB-014 (CHAT.3.1) warns on space history off; COLLAB-015 (MEET.2.1) fails when meeting join is not org-restricted; COLLAB-016 (MEET.5.2) warns on default auto-transcription; GROUP-005 (GROUPS.3.1) warns on broad conversation visibility. All Cloud Identity Policy reads, weakest-OU-wins, absent policy = Not Assessed. Closes the mission-relevant GWS SCuBA remainder; residual no-config-API controls (Gemini-in-Meet, hide-from-directory, content-reporting, calendar interop/payments) are honestly out of automated scope. 15 fixtures. v2.45.0: Google Workspace Groups sharing controls (4 checks), the one GWS SCuBA baseline area that previously had no coverage. GROUP-001 (GWS.GROUPS.1.1) fails on external group access; GROUP-002 (1.2) on owners adding external members; GROUP-003 (1.3) on groups receiving public mail (inbound phishing vector); GROUP-004 (2.1) warns on group creation not restricted to admins. All read groups_for_business.groups_sharing from the Cloud Identity Policy API; absent policy is Not Assessed. 13 fixtures. v2.44.0: Two Google Workspace Gmail SCuBA controls + baseline crosswalk. EMAIL-023 (GWS.GMAIL.12.1) flags per-user outbound gateways (external SMTP routing = exfil/spoofing path); EMAIL-024 (GWS.GMAIL.16.1) flags a disabled Gmail Security Sandbox, best-effort field so it reports Not Assessed if the setting is not returned. Also tagged EMAIL-015/016/017 with the GWS.GMAIL.5.x/6.x/7.x controls they satisfy (14 controls, previously covered but untagged) so GWS baseline coverage is provable by control ID. 8 fixtures. v2.43.0: Copilot Studio AI-agent governance (new category, 4 checks). Agents front organizational data yet are rarely governed. New AIAgent category collects agents from Dataverse (bots table per Power Platform environment): AIAGENT-001 fails Any/Any-multitenant access; 002 fails anonymous agents, warns as-needed auth; 003 warns dormant published agents; 004 warns authenticated agents not scoped to security groups. Verdict logic is fixture-proven (15 fixtures); the Dataverse collector is contract-tested. Collection requires live validation on a Power Platform tenant; until then agents are Not Assessed, never a fabricated verdict. v2.42.0: Entra ID Governance entitlement-management hygiene (new category, 5 checks). Access packages are a standing grant rarely reviewed after creation; Guerrilla now inspects assignment policies and catalogs. EIDGOV-001 flags policies granting access without approval; 002 flags missing access reviews; 003 flags perpetual (never-expiring) assignments; 004 fails on external/all-users eligibility without approval; 005 flags externally-visible catalogs. A failed collection is Not Assessed; empty-but-collected means entitlement management is not in use (PASS). Contract-tested endpoints + 18 golden fixtures; sub-field names best-effort pending live validation, absent fields take the safe branch. See CHANGELOG.md for v2.41 and earlier.

FileList

Version History

Version Downloads Last updated
2.46.5 (current version) 5 7/11/2026
2.46.4 4 7/9/2026
2.46.3 5 7/9/2026