PSGuerrilla.psd1
#
# Module manifest for PSGuerrilla.
#
# A .psd1 is a data file: the single hashtable below is the whole manifest and is
# read by Import-Module / Test-ModuleManifest before any code in RootModule runs.
# Nothing here executes; every value is a literal.
#
@{
    # ---- Identity -------------------------------------------------------------
    RootModule    = 'PSGuerrilla.psm1'
    ModuleVersion = '2.19.0'
    GUID          = 'f7a3b2c1-4d5e-6f78-9a0b-1c2d3e4f5a6b'
    Author        = 'Jim Tyler, Microsoft MVP'
    CompanyName   = 'Jim Tyler'
    Copyright     = '(c) 2026 Jim Tyler. All rights reserved.'
    Description   = 'Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure / Intune / M365 infiltration audit (158 checks), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.'

    # ---- Host requirements ----------------------------------------------------
    # Minimum engine version; Import-Module refuses to load on anything older.
    PowerShellVersion = '7.0'

    # ---- Public surface -------------------------------------------------------
    # Export lists are explicit (no wildcards): the module's command surface is
    # exactly the names enumerated here, which keeps it reviewable and lets the
    # host discover the commands from the manifest alone.
    FunctionsToExport = @(
        'Invoke-Recon',
        'Invoke-Surveillance',
        'Invoke-Watchtower',
        'Invoke-Wiretap',
        'Invoke-Lookout',
        'Get-DeadDrop',

        # Send-Signal family: one dispatcher plus one function per alert
        # transport named in Description, and a digest variant.
        'Send-Signal',
        'Send-SignalSendGrid',
        'Send-SignalMailgun',
        'Send-SignalTwilio',
        'Send-SignalTeams',
        'Send-SignalSlack',
        'Send-SignalWebhook',
        'Send-SignalPagerDuty',
        'Send-SignalPushover',
        'Send-SignalSyslog',
        'Send-SignalEventLog',
        'Send-SignalDigest',

        'Set-Safehouse',
        'Test-Safehouse',
        'Get-Safehouse',

        'Register-Patrol',
        'Unregister-Patrol',
        'Get-Patrol',

        'Update-ThreatIntel',
        'Invoke-ReconDemo',
        'Invoke-Fortification',
        'Invoke-Reconnaissance',
        'Invoke-Infiltration',
        'Invoke-Campaign',

        'Get-GuerrillaScore',
        'Get-GuerrillaMaturity',
        'Get-QuickWins',
        'Get-ComplianceCrosswalk',

        'Export-BudgetJustification',
        'Export-ExecutiveSummary',
        'Export-TechnicalReport',
        'Export-RemediationPlaybook',
        'Export-RemediationScripts',

        'Set-RiskAcceptance',
        'Get-RiskAcceptance',
        'Get-TrendReport',

        'Export-ReportPdf',
        'Export-Dashboard',
        'Export-BloodHoundData',
        'Show-Guerrilla'
    )

    # No compiled cmdlets and no module-scoped variables are exposed.
    CmdletsToExport   = @()
    VariablesToExport = @()

    AliasesToExport = @(
        # Legacy names from the PSRecon -> PSGuerrilla rename, kept so existing
        # scripts and scheduled tasks keep resolving.
        'Invoke-GoogleRecon',
        'Get-ReconAlerts',
        'Send-ReconAlert',
        'Send-ReconAlertSendGrid',
        'Send-ReconAlertMailgun',
        'Send-ReconAlertTwilio',
        'Set-ReconConfig',
        'Get-ReconConfig',
        'Register-ReconScheduledTask',
        'Unregister-ReconScheduledTask',
        'Get-ReconScheduledTask',

        # Theater-disambiguating aliases (Workspace / AD / cloud).
        'Invoke-WorkspaceRecon',
        'Invoke-ADRecon',
        'Invoke-CloudRecon'
    )

    # ---- Formatting -----------------------------------------------------------
    # Custom default views for the objects the module emits.
    FormatsToProcess = @('PSGuerrilla.format.ps1xml')

    # ---- Gallery metadata -----------------------------------------------------
    PrivateData = @{
        PSData = @{
            Tags = @(
                'GoogleWorkspace',
                'ActiveDirectory',
                'EntraID',
                'AzureAD',
                'Intune',
                'M365',
                'Security',
                'CompromiseAssessment',
                'IncidentResponse',
                'ThreatDetection',
                'ADSecurity',
                'CloudSecurity',
                'NTLMRelay',
                'TierZero',
                'GUI',
                'WPF',
                'PSGuerrilla'
            )
            LicenseUri = 'https://creativecommons.org/licenses/by/4.0/'
            ProjectUri = 'https://guerrilla.army'

            # Single-quoted here-string: contents are taken verbatim, including the
            # line break after the first sentence; no escaping is interpreted.
            ReleaseNotes = @'
v2.19.0: New full-domain ACL collector (Get-ADFullDomainAcl, via Invoke-Reconnaissance -FullDomainAcl). 
Sweeps every group/user/computer/gMSA in the domain, parsing each DACL from binary nTSecurityDescriptor in one paged LDAP query (no per-object bind), and merges domain-wide dangerous control ACEs into ACLs.DangerousACEs - consumed unchanged by the transitive engine and the BloodHound export. FIX: ACE records now carry ObjectClass + ObjectSID + ObjectName so the engine classifies group targets (grp:) and chains actually form (e.g. HelpDesk -GenericAll-> CORP-Helpdesk-Admins -MemberOf-> Domain Admins); previously missing, so chains dead-ended regardless of coverage. Opt-in (off by default; heaviest read PSGuerrilla performs), MaxObjects cap 50000 with explicit truncation reporting (no silent caps), SID-resolution cache. Read-only. 46 public functions. Test verify-fulldomain-acl.ps1 (18/18). Check counts unchanged. PingCastle plan remaining: cartography (visual map). v2.18.0: New Export-BloodHoundData cmdlet - exports the collected AD graph (privileged-group membership + dangerous ACLs) to a BloodHound CE OpenGraph file. SID-keyed nodes (overlay native SharpHound data) and BloodHound native edge kinds (GenericAll/WriteDacl/WriteOwner/GenericWrite/AllExtendedRights/GetChanges/GetChangesAll/MemberOf) so BloodHound pathfinding works directly. Full graph (no default-principal exclusion) - BloodHound does its own reachability. Invoke-Reconnaissance -BloodHoundPath writes it during a scan. Makes PSGuerrilla a free, agentless BloodHound feeder that does not touch endpoints (unlike SharpHound). Exported coverage tracks ACL collection; the full-domain ACL collector (roadmap) widens it. Read-only. 46 public functions. Test verify-bloodhound-export.ps1 (12/12). Check counts unchanged. PingCastle plan remaining: full-domain ACL collector + cartography. See CHANGELOG.md for v2.18.0 and earlier.
'@
        }
    }
}