Guerrilla.psd1

@{
    RootModule        = 'Guerrilla.psm1'
    ModuleVersion     = '2.46.4'
    GUID              = 'f7a3b2c1-4d5e-6f78-9a0b-1c2d3e4f5a6b'
    Author            = 'Jim Tyler, Microsoft MVP'
    CompanyName       = 'Jim Tyler'
    Copyright         = '(c) 2026 Jim Tyler. All rights reserved.'
    Description       = 'Agentless, read-only security assessment and continuous monitoring for PowerShell 7 across three theaters: on-premises Active Directory (211 checks across 15 categories including transitive Tier-0 attack-path analysis, certificate-services ESC1-ESC16, NTLM-relay preconditions, telemetry posture, and adversary tradecraft indicators), the Entra ID / Azure / Intune / M365 identity plane (257 checks including a full 44-control EIDSCA baseline, conditional access, PIM, application and OAuth governance, Exchange Online, SharePoint, Teams, Defender, and entitlement-management hygiene), and Google Workspace (150 checks aligned to the CISA SCuBA baselines). 618 checks total, each mapped to NIST 800-53, MITRE ATT&CK, CIS, EIDSCA, and CISA SCuBA where applicable and carrying a CISA Zero Trust pillar and weight, and each verdict validated by a golden-fixture test (1,730 fixtures). Continuous monitoring covers Entra ID sign-in risk, AD baseline drift, and M365 audit logs. Alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.'
    PowerShellVersion = '7.0'
    FunctionsToExport = @(
        'Invoke-Recon'
        'Invoke-Surveillance'
        'Invoke-Watchtower'
        'Invoke-Wiretap'
        'Invoke-Lookout'
        'Get-DeadDrop'
        'Send-Signal'
        'Send-SignalSendGrid'
        'Send-SignalMailgun'
        'Send-SignalTwilio'
        'Send-SignalTeams'
        'Send-SignalSlack'
        'Send-SignalWebhook'
        'Send-SignalPagerDuty'
        'Send-SignalPushover'
        'Send-SignalSyslog'
        'Send-SignalEventLog'
        'Send-SignalDigest'
        'Set-Safehouse'
        'Test-Safehouse'
        'Get-Safehouse'
        'Register-Patrol'
        'Unregister-Patrol'
        'Get-Patrol'
        'Update-ThreatIntel'
        'Invoke-ReconDemo'
        'Invoke-Fortification'
        'Invoke-Reconnaissance'
        'Invoke-Infiltration'
        'Invoke-Campaign'
        'Get-GuerrillaScore'
        'Get-GuerrillaMaturity'
        'Get-QuickWins'
        'Get-ComplianceCrosswalk'
        'Test-GuerrillaConditionalAccess'
        'Export-BudgetJustification'
        'Export-ExecutiveSummary'
        'Export-TechnicalReport'
        'Export-RemediationPlaybook'
        'Export-RemediationScripts'
        'Set-RiskAcceptance'
        'Get-RiskAcceptance'
        'Get-TrendReport'
        'Export-ReportPdf'
        'Export-Dashboard'
        'Export-BloodHoundData'
        'Export-GuerrillaJUnit'
        'Get-GuerrillaCIGate'
        'Show-Guerrilla'
        'Get-ZeroTrustScore'
    )
    CmdletsToExport   = @()
    VariablesToExport  = @()
    AliasesToExport    = @(
        'Invoke-GoogleRecon'
        'Get-ReconAlerts'
        'Send-ReconAlert'
        'Send-ReconAlertSendGrid'
        'Send-ReconAlertMailgun'
        'Send-ReconAlertTwilio'
        'Set-ReconConfig'
        'Get-ReconConfig'
        'Register-ReconScheduledTask'
        'Unregister-ReconScheduledTask'
        'Get-ReconScheduledTask'
        'Invoke-WorkspaceRecon'
        'Invoke-ADRecon'
        'Invoke-CloudRecon'
    )
    FormatsToProcess   = @('Guerrilla.format.ps1xml')
    PrivateData = @{
        PSData = @{
            Tags       = @('GoogleWorkspace', 'ActiveDirectory', 'EntraID', 'AzureAD', 'Intune', 'M365', 'Security', 'CompromiseAssessment', 'IncidentResponse', 'ThreatDetection', 'ADSecurity', 'CloudSecurity', 'NTLMRelay', 'TierZero', 'GUI', 'WPF', 'Guerrilla')
            LicenseUri = 'https://creativecommons.org/licenses/by/4.0/'
            ProjectUri = 'https://guerrilla.army'
            ReleaseNotes = 'Guerrilla (formerly PSGuerrilla, renamed 2026-07-08). v2.46.4: Documentation and provenance release. Full README rewrite (three theaters, 618 checks, golden-fixture discipline). CONTRIBUTING rewritten as a contribution ladder with rung-matched issue templates. GRLA provenance schema added to every check definition (provenance, source_url, source_read_date, official_id), gated by a new provenance schema test; seven checks classified as Guerrilla-original attack paths no baseline models yet. The golden-fixture gate now emits a machine-readable test-summary.json (checks, fixtures, pass/fail, per-check verdicts) that the public docs render from, so published numbers cannot go stale. SCuBA crosswalk hygiene: four Exchange Online tags remapped to the current CISA Defender baseline, 24 stale tags removed. No check verdict logic changed; 618 checks, 1,730 fixtures, 0 failures. v2.46.3: Closed the last 10 configuration-derived Google Workspace SCuBA gaps found by a setting-level review of the baseline: EMAIL-025 (mail delegation), EMAIL-026 (POP/IMAP), EMAIL-027 (email import), EMAIL-028 (Outlook sync), EMAIL-029 (spam-override lists), DRIVE-014 (Drive SDK), DRIVE-015 (external-file warning), DRIVE-016 (file security update), ADMIN-017 (internal-app trust), ADMIN-018 (data-at-rest region). All read Cloud Identity Policy settings, weakest-OU-wins, absent policy = Not Assessed, tagged with GWS.* control IDs. 30 fixtures. v2.46.2: Four more Google Workspace SCuBA configuration controls: COLLAB-017 (CALENDAR.3.1 interop), COLLAB-018 (CALENDAR.4.1 paid appointments), COLLAB-019 (MEET.5.1 auto-recording), GROUP-006 (GROUPS.4.1 hide-from-directory). Cloud Identity Policy reads, weakest-OU-wins, absent = Not Assessed. Controls with no configuration API (Chat content-reporting, Meet Gemini, calendar interop-management) remain manual or audit-log-derived and are reported honestly as out of automated scope. 12 fixtures. v2.46.1: Consolidated PSGallery release carrying everything since 2.40.1: SCuBA EXO + CIS reconciliation closes, Entra ID Governance entitlement-management hygiene, Copilot Studio AI-agent governance, and the full Google Workspace SCuBA baseline closes (Gmail, Groups, Chat, Meet) with provable GWS.* crosswalk tagging. Release process now tags + creates a GitHub release on publish (repo/Gallery reconciliation). v2.46.0: Five Google Workspace tail SCuBA controls (Chat/Meet/Groups). COLLAB-013 (GWS.CHAT.2.1) fails on Chat external file sharing (exfil); COLLAB-014 (CHAT.3.1) warns on space history off; COLLAB-015 (MEET.2.1) fails when meeting join is not org-restricted; COLLAB-016 (MEET.5.2) warns on default auto-transcription; GROUP-005 (GROUPS.3.1) warns on broad conversation visibility. All Cloud Identity Policy reads, weakest-OU-wins, absent policy = Not Assessed. Closes the mission-relevant GWS SCuBA remainder; residual no-config-API controls (Gemini-in-Meet, hide-from-directory, content-reporting, calendar interop/payments) are honestly out of automated scope. 15 fixtures. v2.45.0: Google Workspace Groups sharing controls (4 checks), the one GWS SCuBA baseline area that previously had no coverage. GROUP-001 (GWS.GROUPS.1.1) fails on external group access; GROUP-002 (1.2) on owners adding external members; GROUP-003 (1.3) on groups receiving public mail (inbound phishing vector); GROUP-004 (2.1) warns on group creation not restricted to admins. All read groups_for_business.groups_sharing from the Cloud Identity Policy API; absent policy is Not Assessed. 13 fixtures. v2.44.0: Two Google Workspace Gmail SCuBA controls + baseline crosswalk. EMAIL-023 (GWS.GMAIL.12.1) flags per-user outbound gateways (external SMTP routing = exfil/spoofing path); EMAIL-024 (GWS.GMAIL.16.1) flags a disabled Gmail Security Sandbox, best-effort field so it reports Not Assessed if the setting is not returned. Also tagged EMAIL-015/016/017 with the GWS.GMAIL.5.x/6.x/7.x controls they satisfy (14 controls, previously covered but untagged) so GWS baseline coverage is provable by control ID. 8 fixtures. v2.43.0: Copilot Studio AI-agent governance (new category, 4 checks). Agents front organizational data yet are rarely governed. New AIAgent category collects agents from Dataverse (bots table per Power Platform environment): AIAGENT-001 fails Any/Any-multitenant access; 002 fails anonymous agents, warns as-needed auth; 003 warns dormant published agents; 004 warns authenticated agents not scoped to security groups. Verdict logic is fixture-proven (15 fixtures); the Dataverse collector is contract-tested. Collection requires live validation on a Power Platform tenant; until then agents are Not Assessed, never a fabricated verdict. v2.42.0: Entra ID Governance entitlement-management hygiene (new category, 5 checks). Access packages are a standing grant rarely reviewed after creation; Guerrilla now inspects assignment policies and catalogs. EIDGOV-001 flags policies granting access without approval; 002 flags missing access reviews; 003 flags perpetual (never-expiring) assignments; 004 fails on external/all-users eligibility without approval; 005 flags externally-visible catalogs. A failed collection is Not Assessed; empty-but-collected means entitlement management is not in use (PASS). Contract-tested endpoints + 18 golden fixtures; sub-field names best-effort pending live validation, absent fields take the safe branch. See CHANGELOG.md for v2.41 and earlier.'
        }
    }
}