PSGuerrilla

2.10.7

Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (204 security checks across 15 categories including a Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 h
Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (204 security checks across 15 categories including a Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure / Intune / M365 infiltration audit (158 checks), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.
Show more

Minimum PowerShell version

7.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name PSGuerrilla -RequiredVersion 2.10.7

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name PSGuerrilla -Version 2.10.7

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) 2026 Jim Tyler. All rights reserved.

Package Details

Author(s)

  • Jim Tyler Microsoft MVP

Tags

GoogleWorkspace ActiveDirectory EntraID AzureAD Intune M365 Security CompromiseAssessment IncidentResponse ThreatDetection ADSecurity CloudSecurity NTLMRelay TierZero GUI WPF PSGuerrilla

Functions

Invoke-Recon Invoke-Surveillance Invoke-Watchtower Invoke-Wiretap Get-DeadDrop Send-Signal Send-SignalSendGrid Send-SignalMailgun Send-SignalTwilio Send-SignalTeams Send-SignalSlack Send-SignalWebhook Send-SignalPagerDuty Send-SignalPushover Send-SignalSyslog Send-SignalEventLog Send-SignalDigest Set-Safehouse Test-Safehouse Get-Safehouse Register-Patrol Unregister-Patrol Get-Patrol Update-ThreatIntel Invoke-ReconDemo Invoke-Fortification Invoke-Reconnaissance Invoke-Infiltration Invoke-Campaign Get-GuerrillaScore Get-QuickWins Get-ComplianceCrosswalk Export-BudgetJustification Export-ExecutiveSummary Export-TechnicalReport Export-RemediationPlaybook Export-RemediationScripts Set-RiskAcceptance Get-RiskAcceptance Get-TrendReport Export-ReportPdf Export-Dashboard Show-Guerrilla

Dependencies

This module has no dependencies.

Release Notes

v2.10.7 (patch): (1) Spectre.Console console rendering restored — when PwshSpectreConsole is installed the bar charts and tables were calling Spectre.Console C# extension methods as instance methods ($chart.AddItem, $table.AddRow, $table.BorderColor, $tree.AddNode), which PowerShell cannot do, so every non-Quiet scan spammed "does not contain a method named …" and the chart/table/tree rendered blank. They now use the correct static extension classes (BarChartExtensions::AddItem, TableExtensions::AddRow, HasTreeNodeExtensions::AddNode) and set the border via BorderStyle, so the category bar charts, Findings-by-severity chart, and Priority-findings table render again; each enhanced renderer also falls back to the text renderer on error so a future Spectre API change degrades gracefully. (2) Test mode now uses a zeroed report-filename timestamp (…_report_00000000_000000.… / …-00000000-000000.…) so demo/sample output is fully deterministic, completing the test-mode determinism from v2.10.5 (real scans keep the real timestamp). v2.10.6 (docs): Endpoint-protection guidance + a Graph scope. README now documents — prominently in Requirements + a Troubleshooting section — that Microsoft Defender / EDR can false-positive on PSGuerrilla's AD attack-detection files and block read access, so Import-Module fails with "Access to the path …Invoke-ADAclDelegationChecks.ps1 is denied"; fix is a Defender path exclusion (Add-MpPreference -ExclusionPath) or a Protection-history Allow. This is the most common first-run failure on a hardened host. Also added AppCatalog.Read.All to the documented Entra app scopes (Teams app-catalog collection), plus Troubleshooting entries for the Teams 403 and the "No accessible Azure subscriptions" SKIP. Surfaced by the v2.10.4 live validation. v2.10.5 (patch): Test mode renders deterministic (zeroed) timestamps. With -TestMode (or the GUI "Test mode" checkbox) all console timestamps read 00:00 / 00:00:00 instead of the live clock, so demo/sample/screenshot output is stable — the operation header shows "0000 UTC" (date kept real), Write-ProgressLine shows "[0000 UTC]", and the GUI Operations log prefixes each line with "[00:00:00]". Driven by a self-healing module flag the audit cmdlets set per run (a real run resets it). Report filenames keep the real timestamp (zeroing would collide). v2.10.4 (patch): Backlog sweep — code-only gaps that don't need a live tenant/DC. (GUI-1) The Safehouse tab "Add Credential" button now opens a real dark-themed WPF dialog (not a redirect-to-terminal stub) that stores Microsoft Entra/Graph (tenant/client/secret + optional expiry) or Google Workspace (service-account JSON via file picker + delegated-admin email) credentials straight into the vault and refreshes the grid, with GUID/email/SA-JSON validation before any write (non-interactive Save-SafehouseCredentialSet; builder/validator unit-tested; window render-verified). (ENT-5) Azure IAM checks now distinguish "no ARM access / no accessible subscriptions" — a single clear SKIP pointing at "grant the app Reader at the root management group" — from "no resources of this type found" (WARN, only when subscriptions exist). Previously every AZIAM check emitted a misleading "No X found in scanned subscriptions" WARN even with zero Azure access. (ENT-4 partial) Invoke-Infiltration collapses the ~40 individual "workload module not connected" SKIP lines into one pre-flight banner (EXO/Teams/SharePoint/Power Platform); net-new workload checks still need live validation. (DSInternals) One pre-flight note that the 5 password-hash checks (ADPWD-010..014) will SKIP, instead of five identical lines. Regression tests: verify-ent5-azure-skip.ps1 (7/7), verify-gui-credential-entry.ps1 (15/15); check counts unchanged (204/98/158). v2.10.3 (patch): Fixes from the v2.10.1 attack-path validation + the v2.10.2 GUI re-check. (1) ADPATH-001 false positives eliminated — the attack-path engine was reporting default infrastructure/admin principals (Domain Controllers group, Enterprise Domain Controllers, RODCs, Enterprise Read-only DCs, Schema Admins) as Tier-0 escalation paths even though they hold replication/control rights by AD design. A centralized allowlist (Test-DefaultControlPrincipal, matched by forge-proof well-known SID/RID, not locale-dependent names) now excludes them; in the reporter's live domain this drops the headline from "32 paths, all non-privileged" to the ~7 genuine ones. (2) SourceIsPrivileged is now correct (was always false, so the highest-risk sort/count was meaningless) — true for default privileged principals incl. operator groups and Tier-0 members. (3) Azure AD Connect MSOL_* sync accounts have real DCSync rights but by design (tracked by ADTIER-001); they're now flagged Expected, kept out of the non-privileged count, and reported separately rather than as surprise escalations. (4) DCSync/ACL-delegation checks share the same allowlist — Test-SafeAdminSid (ADPRIV-028, ADACL-010/015/016) delegates to Test-DefaultControlPrincipal (a strict superset of its old list), closing the residual where Enterprise Read-only Domain Controllers (498) was reported as a non-default DCSync principal. (5) GUI-2 ComboBox selection box fixed for real — the closed box rendered with the system's light button chrome (the nested ToggleButton's TemplateBinding bound to its own unset Background, not the ComboBox's), so near-white selection text read as blank/faint; the box fill is now hardcoded dark, verified by rendering the control off-screen to a bitmap and inspecting pixels. Regression tests added (Tests/verify-adpath-fix.ps1, 19/19). v2.10.2 (patch): GUI + safehouse audit fixes from the live GUI validation. (SH-1) Set-Safehouse -ConfigFile now also persists the Google Workspace delegated-admin email (and the Pushover/Twilio providers, previously dropped) into the vault — before this, a config-file setup followed by a vault-only scan (GUI / scheduled patrol, no -ConfigFile) failed with "AdminEmail is required." (SH-2) Get-Safehouse, Set-Safehouse -Status and the GUI Safehouse tab now reconcile vault metadata with the REAL secret store (Get-SecretInfo), so present-but-unregistered secrets (admin email, Pushover, legacy keys) are no longer hidden — a "are my creds loaded?" blind spot. (SH-3) Status now plainly discloses the no-master-password unattended mode instead of just labeling it "DPAPI". (GUI-1) The Safehouse "Test All" button now runs the real Test-Safehouse connectivity engine asynchronously and shows per-check results, instead of redirecting to the terminal. (GUI-2) ComboBoxes (Report style / Profile / Min alert level) now show their selected value when collapsed — a full dark control template themes the selection box. (GUI-4) A single-instance guard stops a second GUI window from clobbering shared config/state. (GUI-5) Rotate/Remove with no row selected now prompts to pick one. Regression tests added (Tests/verify-safehouse-fixes.ps1, 10/10). v2.10.1: Attack-path analysis now also flags GROUP-NESTING pivots — ADPATH-001 reports non-default groups nested inside a Tier-0 group (Domain/Enterprise/Schema Admins, Administrators, operator groups) as escalation pivots (controlling such a group, or being added to it, confers the Tier-0 group's privileges). Uses the already-collected recursive privileged-group membership; well-known Tier-0 groups are excluded so only custom nesting is flagged. Each path now carries a PathType (Object control / Group nesting). v2.10.0: AD attack-path analysis. Invoke-Reconnaissance gains a new "AttackPath" category (check ADPATH-001) that turns the flat dangerous-ACL findings into named privilege-escalation PATHS to Tier-0, each annotated with the concrete takeover technique it enables. v1 models the highest-value edge class — non-default control (GenericAll/WriteDacl/WriteOwner/replication rights) over a Tier-0 object (the domain root, AdminSDHolder, the Domain Controllers OU, the GPO/Configuration/Schema containers), a one-hop path to Domain Admin equivalence — and surfaces paths from genuinely non-privileged principals first as the highest risk. Built on already-collected ACL + privileged-group data (no new collection); runs under -Categories All or ACLDelegation/AttackPath. AD coverage is now 204 checks across 15 categories. This is the first increment of the roadmap's graph-based attack-path gap; full domain-wide TRANSITIVE path computation (low-priv user through nested-group control to Domain Admins) needs a full-domain ACL collector and is the next step. Regression tests added. v2.9.4 (patch): Fixes from the v2.9.3 live re-validation. (MON-4, regression) Continuous monitoring broke after the first run — Invoke-Surveillance/Invoke-Wiretap succeeded once then threw "Item has already been added" on every subsequent run (silently killing Register-Patrol scheduled monitoring). The scan-history append used `@($state.scanHistory) += @{...}`, which merged hashtable keys once a prior single-entry history reloaded from JSON. Both now build history via a new List-based Add-ScanHistoryEntry helper that always returns a clean array; two-run regression test added. (AD-1b) ADPRIV-028 (DCSync rights) reported instead of always SKIPping: with AD-1 collecting the domain-root DACL, the collector now derives DCSyncAccounts from the dangerous-ACE set (replication GUIDs 1131f6aa/1131f6ad/89e95b76, dropping default Tier-0 principals), completing the DCSync attack-path coverage. (GWS-3, partial) New Invoke-Fortification -Quick skips the slow per-user Gmail crawl (~1.4s/user; ~11min for 500 users) — directory/DNS/OAuth still run, Gmail-dependent EMAIL checks SKIP. Full parallelization deferred (needs live-tenant validation of runspace/token handling). See CHANGELOG.md for v2.9.3 and earlier.

FileList

Version History

Version Downloads Last updated
2.37.0 5 6/27/2026
2.36.0 5 6/27/2026
2.35.0 6 6/26/2026
2.34.0 4 6/25/2026
2.33.0 3 6/25/2026
2.32.2 4 6/25/2026
2.32.1 4 6/25/2026
2.32.0 6 6/25/2026
2.31.0 7 6/24/2026
2.30.3 5 6/24/2026
2.30.2 5 6/24/2026
2.30.1 6 6/24/2026
2.30.0 6 6/24/2026
2.29.1 7 6/22/2026
2.29.0 4 6/22/2026
2.28.1 4 6/22/2026
2.28.0 4 6/22/2026
2.27.0 5 6/22/2026
2.26.0 7 6/22/2026
2.25.0 4 6/22/2026
2.24.0 8 6/22/2026
2.23.0 6 6/21/2026
2.22.0 8 6/21/2026
2.21.0 7 6/21/2026
2.20.1 5 6/21/2026
2.20.0 4 6/21/2026
2.19.0 6 6/21/2026
2.18.0 7 6/21/2026
2.17.0 5 6/21/2026
2.16.0 5 6/21/2026
2.15.0 9 6/21/2026
2.14.1 8 6/20/2026
2.14.0 8 6/20/2026
2.13.0 7 6/20/2026
2.12.1 6 6/20/2026
2.12.0 9 6/20/2026
2.11.1 6 6/20/2026
2.11.0 5 6/19/2026
2.10.8 11 6/19/2026
2.10.7 (current version) 16 6/19/2026
2.10.6 5 6/19/2026
2.10.5 6 6/19/2026
2.10.4 14 6/18/2026
2.10.3 9 6/18/2026
2.10.2 8 6/18/2026
2.10.1 7 6/18/2026
2.10.0 6 6/18/2026
2.9.4 7 6/18/2026
2.9.3 7 6/18/2026
2.9.2 5 6/18/2026
2.9.1 5 6/18/2026
2.9.0 9 6/17/2026
2.8.1 7 6/17/2026
2.8.0 7 6/17/2026
2.7.0 11 6/17/2026
2.6.0 6 6/16/2026
2.5.2 7 6/16/2026
2.5.1 6 6/16/2026
2.5.0 6 6/16/2026
2.4.4 6 6/16/2026
2.4.3 6 6/16/2026
2.4.2 7 6/16/2026
2.4.1 8 6/15/2026
2.4.0 9 6/11/2026
2.3.1 12 5/28/2026
2.3.0 5 5/28/2026
2.2.1 12 5/15/2026
2.2.0 4 5/15/2026
Show less