PSGuerrilla.psd1

@{
    RootModule        = 'PSGuerrilla.psm1'
    ModuleVersion     = '2.13.0'
    GUID              = 'f7a3b2c1-4d5e-6f78-9a0b-1c2d3e4f5a6b'
    Author            = 'Jim Tyler, Microsoft MVP'
    CompanyName       = 'Jim Tyler'
    Copyright         = '(c) 2026 Jim Tyler. All rights reserved.'
    Description       = 'Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (204 security checks across 15 categories including a Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure / Intune / M365 infiltration audit (158 checks), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.'
    PowerShellVersion = '7.0'
    FunctionsToExport = @(
        'Invoke-Recon'
        'Invoke-Surveillance'
        'Invoke-Watchtower'
        'Invoke-Wiretap'
        'Invoke-Lookout'
        'Get-DeadDrop'
        'Send-Signal'
        'Send-SignalSendGrid'
        'Send-SignalMailgun'
        'Send-SignalTwilio'
        'Send-SignalTeams'
        'Send-SignalSlack'
        'Send-SignalWebhook'
        'Send-SignalPagerDuty'
        'Send-SignalPushover'
        'Send-SignalSyslog'
        'Send-SignalEventLog'
        'Send-SignalDigest'
        'Set-Safehouse'
        'Test-Safehouse'
        'Get-Safehouse'
        'Register-Patrol'
        'Unregister-Patrol'
        'Get-Patrol'
        'Update-ThreatIntel'
        'Invoke-ReconDemo'
        'Invoke-Fortification'
        'Invoke-Reconnaissance'
        'Invoke-Infiltration'
        'Invoke-Campaign'
        'Get-GuerrillaScore'
        'Get-QuickWins'
        'Get-ComplianceCrosswalk'
        'Export-BudgetJustification'
        'Export-ExecutiveSummary'
        'Export-TechnicalReport'
        'Export-RemediationPlaybook'
        'Export-RemediationScripts'
        'Set-RiskAcceptance'
        'Get-RiskAcceptance'
        'Get-TrendReport'
        'Export-ReportPdf'
        'Export-Dashboard'
        'Show-Guerrilla'
    )
    CmdletsToExport   = @()
    VariablesToExport = @()
    AliasesToExport   = @(
        # PSRecon -> PSGuerrilla rename aliases
        'Invoke-GoogleRecon'
        'Get-ReconAlerts'
        'Send-ReconAlert'
        'Send-ReconAlertSendGrid'
        'Send-ReconAlertMailgun'
        'Send-ReconAlertTwilio'
        'Set-ReconConfig'
        'Get-ReconConfig'
        'Register-ReconScheduledTask'
        'Unregister-ReconScheduledTask'
        'Get-ReconScheduledTask'
        # Theater-disambiguating aliases
        'Invoke-WorkspaceRecon'
        'Invoke-ADRecon'
        'Invoke-CloudRecon'
    )
    FormatsToProcess  = @('PSGuerrilla.format.ps1xml')
    PrivateData       = @{
        PSData = @{
            Tags         = @('GoogleWorkspace', 'ActiveDirectory', 'EntraID', 'AzureAD', 'Intune', 'M365', 'Security', 'CompromiseAssessment', 'IncidentResponse', 'ThreatDetection', 'ADSecurity', 'CloudSecurity', 'NTLMRelay', 'TierZero', 'GUI', 'WPF', 'PSGuerrilla')
            LicenseUri   = 'https://creativecommons.org/licenses/by/4.0/'
            ProjectUri   = 'https://guerrilla.army'
            ReleaseNotes = @'
v2.13.0: Google Workspace coverage expansion - GWS is now 104 checks (466 total, up from 98/460). Six net-new policy checks: AUTH-014 2SV enrollment allowed (security.two_step_verification_enrollment), AUTH-015 2SV enrollment grace period (security.two_step_verification_grace_period), AUTH-016 Advanced Protection self-enrollment (security.advanced_protection_program), AUTH-017 super-admin self-recovery -> FAIL (security.super_admin_account_recovery), COLLAB-011 Meet external-participant labeling (meet.safety_external_participants), COLLAB-012 Meet host management (meet.safety_host_management). Plus ADMIN-008/009 converted from placeholders to real checks via directory.workspace_resource_type_visibility (WARN on broad directory exposure). 39 of 104 GWS checks now read live Cloud Identity policy. All read-only, weakest-OU-wins, API-unavailable -> SKIP. Test-mode Fortification: 104 findings, 0 ERROR. New suites verify-gws1-{auth,collab,admin}-p3.ps1. AD 204 / Entra 158 unchanged.
v2.12.1: Live-validation fixes. (1) Invoke-Lookout drift was non-functional - Get/Save-TheaterState ValidateSet rejected the workspace theater, so the baseline never persisted and every run re-baselined; added workspace to the ValidateSet, plus a real-state two-run regression test. (2) Confirmed-enum tighten-ups from a live tenant: COLLAB-008 EXTERNAL_ALL_INFO_* (full event details shared externally) -> FAIL and EXTERNAL_FREE_BUSY_ONLY/EXTERNAL_NO_SHARING -> PASS; OAUTH-006 corrected - api_controls.app_approval_requests.allowedForAll=ENABLED is the app-access request-and-approve workflow (admin still approves) -> PASS, not insecure; OAUTH-001 UNSPECIFIED_UBER_BLOCK confirmed block-all -> PASS. (3) EMAIL-019 remediation reworded. ADMIN-008/009 convertible via directory.workspace_resource_type_visibility (deferred pending direction). Check counts unchanged (204/98/158); all GWS-1 + Lookout suites green.
v2.12.0: Google Workspace continuous monitoring: new Invoke-Lookout cmdlet - the GWS configuration-drift monitor that joins Invoke-Surveillance (Entra), Invoke-Watchtower (AD), and Invoke-Wiretap (M365). It runs the read-only Fortification posture audit, stores a baseline, and on each subsequent run reports newly-failing controls (drift), resolved controls, and the posture-score change; complements Invoke-Recon (behavioural) by watching configuration. First run baselines, -Force re-baselines, -ScanMode Fast (default, via Fortification -Quick) or Full. New failures surface on .NewThreats for alerting; baseline stored under theater workspace; built on the existing Compare-FortificationState engine. Register-Patrol now schedules Invoke-Lookout for the Workspace theater alongside Invoke-Recon. Read-only - no changes to Google Workspace. 44 public functions now. Check counts unchanged (204/98/158). Test verify-lookout.ps1 (16/16).
v2.11.1: GWS-1 coverage extension: 7 more Fortification checks now read live Cloud Identity policy (33 real policy-backed checks total, up from 26). EMAIL-018 Compliance Rules (gmail.content_compliance), EMAIL-019 DLP Rules (rule.dlp, active Gmail-scoped), DRIVE-010 Drive DLP Rules (rule.dlp, active Drive-scoped), ADMIN-010 Groups external membership and ADMIN-011 group-creation restriction (groups_for_business.groups_sharing), COLLAB-004 Chat external comms (chat.external_chat_restriction) and COLLAB-008 Calendar external sharing (calendar.primary_calendar_max_allowed_external_sharing) - the two COLLAB checks keep their OrgUnitPolicies path as a fallback. Same rails: weakest-OU-wins, API-unavailable/policy-absent -> SKIP, unrecognized enums -> WARN never PASS, anchored DLP state matching. Check counts unchanged (204/98/158). New tests verify-gws1-{email,drive,admin,collab}-p2.ps1, all green. See CHANGELOG.md for v2.11.0 and earlier.
'@
        }
    }
}