PSGuerrilla

2.11.1

Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (204 security checks across 15 categories including a Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 h
Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (204 security checks across 15 categories including a Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure / Intune / M365 infiltration audit (158 checks), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.
Show more

Minimum PowerShell version

7.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name PSGuerrilla -RequiredVersion 2.11.1

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name PSGuerrilla -Version 2.11.1

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) 2026 Jim Tyler. All rights reserved.

Package Details

Author(s)

  • Jim Tyler Microsoft MVP

Tags

GoogleWorkspace ActiveDirectory EntraID AzureAD Intune M365 Security CompromiseAssessment IncidentResponse ThreatDetection ADSecurity CloudSecurity NTLMRelay TierZero GUI WPF PSGuerrilla

Functions

Invoke-Recon Invoke-Surveillance Invoke-Watchtower Invoke-Wiretap Get-DeadDrop Send-Signal Send-SignalSendGrid Send-SignalMailgun Send-SignalTwilio Send-SignalTeams Send-SignalSlack Send-SignalWebhook Send-SignalPagerDuty Send-SignalPushover Send-SignalSyslog Send-SignalEventLog Send-SignalDigest Set-Safehouse Test-Safehouse Get-Safehouse Register-Patrol Unregister-Patrol Get-Patrol Update-ThreatIntel Invoke-ReconDemo Invoke-Fortification Invoke-Reconnaissance Invoke-Infiltration Invoke-Campaign Get-GuerrillaScore Get-QuickWins Get-ComplianceCrosswalk Export-BudgetJustification Export-ExecutiveSummary Export-TechnicalReport Export-RemediationPlaybook Export-RemediationScripts Set-RiskAcceptance Get-RiskAcceptance Get-TrendReport Export-ReportPdf Export-Dashboard Show-Guerrilla

Dependencies

This module has no dependencies.

Release Notes

v2.11.1: GWS-1 coverage extension: 7 more Fortification checks now read live Cloud Identity policy (33 real policy-backed checks total, up from 26). EMAIL-018 Compliance Rules (gmail.content_compliance), EMAIL-019 DLP Rules (rule.dlp, active Gmail-scoped), DRIVE-010 Drive DLP Rules (rule.dlp, active Drive-scoped), ADMIN-010 Groups external membership and ADMIN-011 group-creation restriction (groups_for_business.groups_sharing), COLLAB-004 Chat external comms (chat.external_chat_restriction) and COLLAB-008 Calendar external sharing (calendar.primary_calendar_max_allowed_external_sharing) - the two COLLAB checks keep their OrgUnitPolicies path as a fallback. Same rails: weakest-OU-wins, API-unavailable/policy-absent -> SKIP, unrecognized enums -> WARN never PASS, anchored DLP state matching. Check counts unchanged (204/98/158). New tests verify-gws1-{email,drive,admin,collab}-p2.ps1, all green. v2.11.0: GWS-1 complete - the v2.10.8 Cloud Identity policy collector is now wired into real checks. 26 placeholder checks across 7 Fortification categories now evaluate live policy instead of an always-WARN verify-in-Admin-Console: Authentication (AUTH-003/004/005/006/008/011), Email (EMAIL-013/015/016/017/020/021), Collaboration (COLLAB-001/002/003/005/006), Drive (DRIVE-001/004/008), OAuth (OAUTH-001/006/007), Logging (LOG-004/005), Admin (ADMIN-012). New shape-immune helper Resolve-GooglePolicyValue normalizes the lookup, returns per-OU field values, distinguishes API-unavailable (SKIP) from policy-absent, and grades weakest-OU-wins. Checks with no policy-API equivalent (mobile/MDM, mail routing/compliance, several sharing sub-settings) stay documented manual-verify; an unrecognized enum value grades WARN, never PASS. Check counts unchanged (204/98/158). 9 regression suites green. v2.10.8 (patch): (1) GWS-1 enabling infrastructure — a new Get-GoogleCloudIdentityPolicies collector pulls the full Workspace settings set from the Cloud Identity Policy API (policies.list, paginated), indexes it by setting type, and exposes a Get-GooglePolicySetting lookup helper; wired into Get-FortificationData as CloudIdentityPolicies. This is the data layer that turns the ~60 "verify in Admin Console" placeholder checks (Gmail/Drive/Auth/Chat/Meet/Calendar/DLP/service-status) into real ones — check conversions follow once live value shapes are confirmed. The cloud-identity.policies.readonly scope is requested in an isolated token so a tenant that hasn't delegated it degrades gracefully (collector returns null, dependent checks SKIP) instead of breaking the whole Google scan with unauthorized_client. (2) Chrome-policy collection no longer hardcodes a tenant-specific org-unit id — it resolves the customer root OU dynamically and skips gracefully if it can't (was a bug for every other tenant). Teams /appCatalogs/teamsApps needs no change (the collector already uses $filter, not $top). Test: verify-gws1-policy-collector.ps1 (8/8). v2.10.7 (patch): (1) Spectre.Console console rendering restored — when PwshSpectreConsole is installed the bar charts and tables were calling Spectre.Console C# extension methods as instance methods ($chart.AddItem, $table.AddRow, $table.BorderColor, $tree.AddNode), which PowerShell cannot do, so every non-Quiet scan spammed "does not contain a method named …" and the chart/table/tree rendered blank. They now use the correct static extension classes (BarChartExtensions::AddItem, TableExtensions::AddRow, HasTreeNodeExtensions::AddNode) and set the border via BorderStyle, so the category bar charts, Findings-by-severity chart, and Priority-findings table render again; each enhanced renderer also falls back to the text renderer on error so a future Spectre API change degrades gracefully. (2) Test mode now uses a zeroed report-filename timestamp (…_report_00000000_000000.… / …-00000000-000000.…) so demo/sample output is fully deterministic, completing the test-mode determinism from v2.10.5 (real scans keep the real timestamp). v2.10.6 (docs): Endpoint-protection guidance + a Graph scope. README now documents — prominently in Requirements + a Troubleshooting section — that Microsoft Defender / EDR can false-positive on PSGuerrilla's AD attack-detection files and block read access, so Import-Module fails with "Access to the path …Invoke-ADAclDelegationChecks.ps1 is denied"; fix is a Defender path exclusion (Add-MpPreference -ExclusionPath) or a Protection-history Allow. This is the most common first-run failure on a hardened host. Also added AppCatalog.Read.All to the documented Entra app scopes (Teams app-catalog collection), plus Troubleshooting entries for the Teams 403 and the "No accessible Azure subscriptions" SKIP. Surfaced by the v2.10.4 live validation. v2.10.5 (patch): Test mode renders deterministic (zeroed) timestamps. With -TestMode (or the GUI "Test mode" checkbox) all console timestamps read 00:00 / 00:00:00 instead of the live clock, so demo/sample/screenshot output is stable — the operation header shows "0000 UTC" (date kept real), Write-ProgressLine shows "[0000 UTC]", and the GUI Operations log prefixes each line with "[00:00:00]". Driven by a self-healing module flag the audit cmdlets set per run (a real run resets it). Report filenames keep the real timestamp (zeroing would collide). v2.10.4 (patch): Backlog sweep — code-only gaps that don't need a live tenant/DC. (GUI-1) The Safehouse tab "Add Credential" button now opens a real dark-themed WPF dialog (not a redirect-to-terminal stub) that stores Microsoft Entra/Graph (tenant/client/secret + optional expiry) or Google Workspace (service-account JSON via file picker + delegated-admin email) credentials straight into the vault and refreshes the grid, with GUID/email/SA-JSON validation before any write (non-interactive Save-SafehouseCredentialSet; builder/validator unit-tested; window render-verified). (ENT-5) Azure IAM checks now distinguish "no ARM access / no accessible subscriptions" — a single clear SKIP pointing at "grant the app Reader at the root management group" — from "no resources of this type found" (WARN, only when subscriptions exist). Previously every AZIAM check emitted a misleading "No X found in scanned subscriptions" WARN even with zero Azure access. (ENT-4 partial) Invoke-Infiltration collapses the ~40 individual "workload module not connected" SKIP lines into one pre-flight banner (EXO/Teams/SharePoint/Power Platform); net-new workload checks still need live validation. (DSInternals) One pre-flight note that the 5 password-hash checks (ADPWD-010..014) will SKIP, instead of five identical lines. Regression tests: verify-ent5-azure-skip.ps1 (7/7), verify-gui-credential-entry.ps1 (15/15); check counts unchanged (204/98/158). See CHANGELOG.md for v2.10.3 and earlier.

FileList

Version History

Version Downloads Last updated
2.37.0 5 6/27/2026
2.36.0 5 6/27/2026
2.35.0 6 6/26/2026
2.34.0 4 6/25/2026
2.33.0 3 6/25/2026
2.32.2 4 6/25/2026
2.32.1 4 6/25/2026
2.32.0 6 6/25/2026
2.31.0 7 6/24/2026
2.30.3 5 6/24/2026
2.30.2 5 6/24/2026
2.30.1 6 6/24/2026
2.30.0 6 6/24/2026
2.29.1 7 6/22/2026
2.29.0 4 6/22/2026
2.28.1 4 6/22/2026
2.28.0 4 6/22/2026
2.27.0 5 6/22/2026
2.26.0 7 6/22/2026
2.25.0 4 6/22/2026
2.24.0 8 6/22/2026
2.23.0 6 6/21/2026
2.22.0 8 6/21/2026
2.21.0 7 6/21/2026
2.20.1 5 6/21/2026
2.20.0 4 6/21/2026
2.19.0 6 6/21/2026
2.18.0 7 6/21/2026
2.17.0 5 6/21/2026
2.16.0 5 6/21/2026
2.15.0 9 6/21/2026
2.14.1 8 6/20/2026
2.14.0 8 6/20/2026
2.13.0 7 6/20/2026
2.12.1 6 6/20/2026
2.12.0 9 6/20/2026
2.11.1 (current version) 6 6/20/2026
2.11.0 5 6/19/2026
2.10.8 11 6/19/2026
2.10.7 16 6/19/2026
2.10.6 5 6/19/2026
2.10.5 6 6/19/2026
2.10.4 14 6/18/2026
2.10.3 9 6/18/2026
2.10.2 8 6/18/2026
2.10.1 7 6/18/2026
2.10.0 6 6/18/2026
2.9.4 7 6/18/2026
2.9.3 7 6/18/2026
2.9.2 5 6/18/2026
2.9.1 5 6/18/2026
2.9.0 9 6/17/2026
2.8.1 7 6/17/2026
2.8.0 7 6/17/2026
2.7.0 11 6/17/2026
2.6.0 6 6/16/2026
2.5.2 7 6/16/2026
2.5.1 6 6/16/2026
2.5.0 6 6/16/2026
2.4.4 6 6/16/2026
2.4.3 6 6/16/2026
2.4.2 7 6/16/2026
2.4.1 8 6/15/2026
2.4.0 9 6/11/2026
2.3.1 12 5/28/2026
2.3.0 5 5/28/2026
2.2.1 12 5/15/2026
2.2.0 4 5/15/2026
Show less