Guerrilla

2.46.3

Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions,
Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure identity-plane / Intune / M365 infiltration audit (215 checks, including a full 44-control EIDSCA baseline, partner/GDAP delegated-access review, Entra ID Governance entitlement-management hygiene, and Copilot Studio AI-agent governance), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.
Show more

Minimum PowerShell version

7.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name Guerrilla -RequiredVersion 2.46.3

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name Guerrilla -Version 2.46.3

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) 2026 Jim Tyler. All rights reserved.

Package Details

Author(s)

  • Jim Tyler Microsoft MVP

Tags

GoogleWorkspace ActiveDirectory EntraID AzureAD Intune M365 Security CompromiseAssessment IncidentResponse ThreatDetection ADSecurity CloudSecurity NTLMRelay TierZero GUI WPF Guerrilla

Functions

Invoke-Recon Invoke-Surveillance Invoke-Watchtower Invoke-Wiretap Invoke-Lookout Get-DeadDrop Send-Signal Send-SignalSendGrid Send-SignalMailgun Send-SignalTwilio Send-SignalTeams Send-SignalSlack Send-SignalWebhook Send-SignalPagerDuty Send-SignalPushover Send-SignalSyslog Send-SignalEventLog Send-SignalDigest Set-Safehouse Test-Safehouse Get-Safehouse Register-Patrol Unregister-Patrol Get-Patrol Update-ThreatIntel Invoke-ReconDemo Invoke-Fortification Invoke-Reconnaissance Invoke-Infiltration Invoke-Campaign Get-GuerrillaScore Get-GuerrillaMaturity Get-QuickWins Get-ComplianceCrosswalk Test-GuerrillaConditionalAccess Export-BudgetJustification Export-ExecutiveSummary Export-TechnicalReport Export-RemediationPlaybook Export-RemediationScripts Set-RiskAcceptance Get-RiskAcceptance Get-TrendReport Export-ReportPdf Export-Dashboard Export-BloodHoundData Export-GuerrillaJUnit Get-GuerrillaCIGate Show-Guerrilla Get-ZeroTrustScore

Dependencies

This module has no dependencies.

Release Notes

Guerrilla (formerly PSGuerrilla, renamed 2026-07-08). v2.46.3: Verified zero concessions to ScubaGoggles. A setting-level diff of ScubaGoggles' rego surfaced 10 real config gaps the family-level pass missed; all now closed: EMAIL-025 (mail delegation), EMAIL-026 (POP/IMAP), EMAIL-027 (email import), EMAIL-028 (Outlook sync), EMAIL-029 (spam-override lists), DRIVE-014 (Drive SDK), DRIVE-015 (external-file warning), DRIVE-016 (file security update), ADMIN-017 (internal-app trust), ADMIN-018 (data-at-rest region). Guerrilla now reads every config setting ScubaGoggles reads, or covers the same control more thoroughly. 30 fixtures. v2.46.2: Closes the last ScubaGoggles config-coverage concessions — 4 GWS SCuBA controls ScubaGoggles reads from a setting that we did not: COLLAB-017 (CALENDAR.3.1 interop), COLLAB-018 (CALENDAR.4.1 paid appointments), COLLAB-019 (MEET.5.1 auto-recording), GROUP-006 (GROUPS.4.1 hide-from-directory). Cloud Identity Policy reads, weakest-OU-wins, absent = Not Assessed. After this, every GWS SCuBA control ScubaGoggles derives from config is covered; the residual (Chat content-reporting, Meet Gemini, calendar interop-management) is manual/audit-log for BOTH tools, not a concession. 12 fixtures. v2.46.1: Consolidated PSGallery release — carries everything since 2.40.1: SCuBA EXO + CIS reconciliation closes, Entra ID Governance entitlement-management hygiene, Copilot Studio AI-agent governance, and the full Google Workspace SCuBA baseline closes (Gmail, Groups, Chat, Meet) with provable GWS.* crosswalk tagging. Release process now tags + creates a GitHub release on publish (repo/Gallery reconciliation). v2.46.0: Five Google Workspace tail SCuBA controls (Chat/Meet/Groups). COLLAB-013 (GWS.CHAT.2.1) fails on Chat external file sharing (exfil); COLLAB-014 (CHAT.3.1) warns on space history off; COLLAB-015 (MEET.2.1) fails when meeting join is not org-restricted; COLLAB-016 (MEET.5.2) warns on default auto-transcription; GROUP-005 (GROUPS.3.1) warns on broad conversation visibility. All Cloud Identity Policy reads, weakest-OU-wins, absent policy = Not Assessed. Closes the mission-relevant GWS SCuBA remainder; residual no-config-API controls (Gemini-in-Meet, hide-from-directory, content-reporting, calendar interop/payments) are honestly out of automated scope. 15 fixtures. v2.45.0: Google Workspace Groups sharing controls (4 checks) — the one GWS SCuBA baseline area with no coverage. GROUP-001 (GWS.GROUPS.1.1) fails on external group access; GROUP-002 (1.2) on owners adding external members; GROUP-003 (1.3) on groups receiving public mail (inbound phishing vector); GROUP-004 (2.1) warns on group creation not restricted to admins. All read groups_for_business.groups_sharing from the Cloud Identity Policy API; absent policy is Not Assessed. 13 fixtures. v2.44.0: Two Google Workspace Gmail SCuBA controls + baseline crosswalk. EMAIL-023 (GWS.GMAIL.12.1) flags per-user outbound gateways (external SMTP routing = exfil/spoofing path); EMAIL-024 (GWS.GMAIL.16.1) flags a disabled Gmail Security Sandbox, best-effort field so it reports Not Assessed if the setting is not returned. Also tagged EMAIL-015/016/017 with the GWS.GMAIL.5.x/6.x/7.x controls they satisfy (14 controls, previously covered but untagged) so GWS baseline coverage is provable by control ID. 8 fixtures. v2.43.0: Copilot Studio AI-agent governance (new category, 4 checks). Agents front organizational data yet are rarely governed. New AIAgent category collects agents from Dataverse (bots table per Power Platform environment): AIAGENT-001 fails Any/Any-multitenant access; 002 fails anonymous agents, warns as-needed auth; 003 warns dormant published agents; 004 warns authenticated agents not scoped to security groups. Verdict logic is fixture-proven (15 fixtures); the Dataverse collector is contract-tested. Collection requires live validation on a Power Platform tenant; until then agents are Not Assessed, never a fabricated verdict. v2.42.0: Entra ID Governance — entitlement-management hygiene (new category, 5 checks). Access packages are a standing grant rarely reviewed after creation; Guerrilla now inspects assignment policies and catalogs. EIDGOV-001 flags policies granting access without approval; 002 flags missing access reviews; 003 flags perpetual (never-expiring) assignments; 004 fails on external/all-users eligibility without approval; 005 flags externally-visible catalogs. A failed collection is Not Assessed; empty-but-collected means entitlement management is not in use (PASS). Contract-tested endpoints + 18 golden fixtures; sub-field names best-effort pending live validation, absent fields take the safe branch. See CHANGELOG.md for v2.41 and earlier.

FileList

Version History

Version Downloads Last updated
2.46.5 5 7/11/2026
2.46.4 4 7/9/2026
2.46.3 (current version) 5 7/9/2026