PSGuerrilla
2.2.0
Minimum PowerShell version
7.0
Copyright
(c) 2026 Jim Tyler. All rights reserved.
Package Details
Author(s)
- Jim Tyler Microsoft MVP
Tags
GoogleWorkspace ActiveDirectory EntraID AzureAD Intune M365 Security CompromiseAssessment IncidentResponse ThreatDetection ADSecurity CloudSecurity NTLMRelay TierZero PSGuerrilla
Functions
Invoke-Recon Invoke-Surveillance Invoke-Watchtower Invoke-Wiretap Get-DeadDrop Send-Signal Send-SignalSendGrid Send-SignalMailgun Send-SignalTwilio Send-SignalTeams Send-SignalSlack Send-SignalWebhook Send-SignalPagerDuty Send-SignalPushover Send-SignalSyslog Send-SignalEventLog Send-SignalDigest Set-Safehouse Test-Safehouse Get-Safehouse Register-Patrol Unregister-Patrol Get-Patrol Update-ThreatIntel Invoke-ReconDemo Invoke-Fortification Invoke-Reconnaissance Invoke-Infiltration Invoke-Campaign Get-GuerrillaScore Get-QuickWins Get-ComplianceCrosswalk Export-BudgetJustification Export-ExecutiveSummary Export-TechnicalReport Export-RemediationPlaybook Export-RemediationScripts Set-RiskAcceptance Get-RiskAcceptance Get-TrendReport Export-ReportPdf Export-Dashboard
Dependencies
This module has no dependencies.
Release Notes
v2.2.0: 28 new AD checks across 4 new categories (Network, TierZero, Logging, Tradecraft). Cross-platform data paths via Get-PSGuerrillaDataRoot. Set-Safehouse asks which environments to set up. Banner suppressed in non-interactive sessions. SupportsShouldProcess on state-mutating cmdlets. Theater-disambiguating aliases. Score no longer inflates for missing categories. Atomic state writes. 30+ bug fixes. Total checks: 459 (was 431). See https://github.com/jimrtyler/PSGuerrilla for full notes.
FileList
- PSGuerrilla.nuspec
- AI-USAGE.md
- Config\guerrilla-defaults.json
- Public\Export-ExecutiveSummary.ps1
- Public\Get-Safehouse.ps1
- Public\Register-Patrol.ps1
- Public\Send-SignalTwilio.ps1
- Data\AuditChecks\ADAclDelegationChecks.json
- Data\AuditChecks\ADStaleObjectChecks.json
- Data\AuditChecks\EntraCAChecks.json
- Data\AuditChecks\M365TeamsChecks.json
- Private\Audit\Invoke-AuthenticationChecks.ps1
- Private\Console\Initialize-SpectreCapability.ps1
- Private\Console\Write-SpectreBarChart.ps1
- Private\Core\Get-IpGeoData.ps1
- Private\Core\Save-TheaterState.ps1
- Private\Core\Test-HighRiskOAuthApp.ps1
- Private\Export\Export-DashboardHtml.ps1
- Private\Export\Export-ReconnaissanceReportCsv.ps1
- Private\Export\Export-WiretapReportCsv.ps1
- Private\Graph\Invoke-GraphApi.ps1
- Private\AD\Checks\Invoke-ADAclDelegationChecks.ps1
- Private\AD\Checks\Invoke-ADStaleObjectChecks.ps1
- Private\AD\Core\Get-ADNetworkConfig.ps1
- Private\AD\Core\New-LdapConnection.ps1
- Private\ADMonitor\Detections\Test-ADCertTemplateChange.ps1
- Private\ADMonitor\Detections\Test-ADLdapQueryAnomaly.ps1
- Private\Entra\Checks\Invoke-EntraAuthChecks.ps1
- Private\Entra\Checks\Invoke-M365SharePointChecks.ps1
- Private\Entra\Core\Get-IntuneData.ps1
- Private\EntraMonitor\Detections\Test-EntraAppPermissionGrant.ps1
- Private\EntraMonitor\Detections\Test-EntraPasswordSpray.ps1
- Private\M365Monitor\Detections\Test-M365AuditLogDisablement.ps1
- CHANGELOG.md
- Data\CloudIpRanges.json
- Public\Export-RemediationPlaybook.ps1
- Public\Get-TrendReport.ps1
- Public\Send-Signal.ps1
- Public\Send-SignalWebhook.ps1
- Data\AuditChecks\ADCertificateServicesChecks.json
- Data\AuditChecks\ADTradecraftChecks.json
- Data\AuditChecks\EntraFedChecks.json
- Data\AuditChecks\OAuthSecurityChecks.json
- Private\Audit\Invoke-CollaborationChecks.ps1
- Private\Console\Write-CampaignReport.ps1
- Private\Console\Write-SpectrePanel.ps1
- Private\Core\Get-LocalizedString.ps1
- Private\Core\Test-2svDisablement.ps1
- Private\Core\Test-ImpossibleTravel.ps1
- Private\Export\Export-FieldReportCsv.ps1
- Private\Export\Export-ReconnaissanceReportHtml.ps1
- Private\Export\Export-WiretapReportHtml.ps1
- Private\Graph\Test-GraphModuleAvailability.ps1
- Private\AD\Checks\Invoke-ADCertificateServicesChecks.ps1
- Private\AD\Checks\Invoke-ADTradecraftChecks.ps1
- Private\AD\Core\Get-ADObjectACLs.ps1
- Private\AD\Core\Resolve-ADSid.ps1
- Private\ADMonitor\Detections\Test-ADComputerAccountCreation.ps1
- Private\ADMonitor\Detections\Test-ADOUPermissionChange.ps1
- Private\Entra\Checks\Invoke-EntraCAChecks.ps1
- Private\Entra\Checks\Invoke-M365TeamsChecks.ps1
- Private\Entra\Core\Get-M365ServiceData.ps1
- Private\EntraMonitor\Detections\Test-EntraAuditLogGap.ps1
- Private\EntraMonitor\Detections\Test-EntraPrivilegedRoleChange.ps1
- Private\M365Monitor\Detections\Test-M365BulkFileExfiltration.ps1
- CONTRIBUTING.md
- Data\ComplianceCrosswalk.json
- Public\Export-RemediationScripts.ps1
- Public\Invoke-Campaign.ps1
- Public\Send-SignalDigest.ps1
- Public\Set-RiskAcceptance.ps1
- Data\AuditChecks\ADDomainForestChecks.json
- Data\AuditChecks\ADTrustChecks.json
- Data\AuditChecks\EntraPIMChecks.json
- Data\AuditChecks\TierZeroChecks.json
- Private\Audit\Invoke-DeviceManagementChecks.ps1
- Private\Console\Write-FieldReport.ps1
- Private\Console\Write-SpectreProgress.ps1
- Private\Core\Get-OperationState.ps1
- Private\Core\Test-AdminAction.ps1
- Private\Core\Test-NewDevice.ps1
- Private\Export\Export-FieldReportHtml.ps1
- Private\Export\Export-ReconnaissanceReportJson.ps1
- Private\Export\Export-WiretapReportJson.ps1
- Private\Vault\Get-GuerrillaCredential.ps1
- Private\AD\Checks\Invoke-ADDomainForestChecks.ps1
- Private\AD\Checks\Invoke-ADTrustChecks.ps1
- Private\AD\Core\Get-ADPasswordPolicies.ps1
- Private\AD\Core\Test-ADModuleAvailability.ps1
- Private\ADMonitor\Detections\Test-ADDCSyncPermission.ps1
- Private\ADMonitor\Detections\Test-ADPrivilegedGroupChange.ps1
- Private\Entra\Checks\Invoke-EntraFedChecks.ps1
- Private\Entra\Core\Get-AzureIAMData.ps1
- Private\EntraMonitor\Core\Get-EntraDirectoryAudits.ps1
- Private\EntraMonitor\Detections\Test-EntraAuthMethodChange.ps1
- Private\EntraMonitor\Detections\Test-EntraRiskySignIn.ps1
- Private\M365Monitor\Detections\Test-M365DefenderAlertChange.ps1
- LICENSE
- Data\HighRiskOAuthApps.json
- Public\Export-ReportPdf.ps1
- Public\Invoke-Fortification.ps1
- Public\Send-SignalEventLog.ps1
- Public\Set-Safehouse.ps1
- Data\AuditChecks\ADGroupPolicyChecks.json
- Data\AuditChecks\AuthenticationChecks.json
- Data\AuditChecks\EntraTenantChecks.json
- Data\Localization\en-US.json
- Private\Audit\Invoke-DriveSecurityChecks.ps1
- Private\Console\Write-FortificationReport.ps1
- Private\Console\Write-SpectreTable.ps1
- Private\Core\Get-ResourceConstrainedFixes.ps1
- Private\Core\Test-AfterHoursLogin.ps1
- Private\Core\Test-UserAgentAnomaly.ps1
- Private\Export\Export-FieldReportJson.ps1
- Private\Export\Export-SurveillanceReportCsv.ps1
- Private\Export\Format-SignalContent.ps1
- Private\Vault\Get-VaultMetadata.ps1
- Private\AD\Checks\Invoke-ADGroupPolicyChecks.ps1
- Private\AD\Checks\Invoke-TierZeroChecks.ps1
- Private\AD\Core\Get-ADPrivilegedMembers.ps1
- Private\ADMonitor\Core\Compare-ADBaseline.ps1
- Private\ADMonitor\Detections\Test-ADDelegationChange.ps1
- Private\ADMonitor\Detections\Test-ADReplicationAnomaly.ps1
- Private\Entra\Checks\Invoke-EntraPIMChecks.ps1
- Private\Entra\Core\Get-EntraApplicationData.ps1
- Private\EntraMonitor\Core\Get-EntraMonitorThreatScore.ps1
- Private\EntraMonitor\Detections\Test-EntraCAPolicyChange.ps1
- Private\EntraMonitor\Detections\Test-EntraServicePrincipalCred.ps1
- Private\M365Monitor\Detections\Test-M365DLPPolicyChange.ps1
- PSGuerrilla-Sample-Report.html
- Data\KnownAttackerIps.json
- Public\Export-TechnicalReport.ps1
- Public\Invoke-Infiltration.ps1
- Public\Send-SignalMailgun.ps1
- Public\Test-Safehouse.ps1
- Data\AuditChecks\ADKerberosChecks.json
- Data\AuditChecks\AzureIAMChecks.json
- Data\AuditChecks\IntuneChecks.json
- Data\Profiles\Default-Baseline.json
- Private\Audit\Invoke-EmailSecurityChecks.ps1
- Private\Console\Write-GuerrillaBanner.ps1
- Private\Console\Write-SpectreTree.ps1
- Private\Core\Get-TheaterState.ps1
- Private\Core\Test-BruteForce.ps1
- Private\Core\Test-UserSuspension.ps1
- Private\Export\Export-FortificationReportCsv.ps1
- Private\Export\Export-SurveillanceReportHtml.ps1
- Private\Google\Get-GoogleAccessToken.ps1
- Private\Vault\Initialize-GuerrillaVault.ps1
- Private\AD\Checks\Invoke-ADKerberosChecks.ps1
- Private\AD\Core\Get-ADCertificateServices.ps1
- Private\AD\Core\Get-ADStaleObjects.ps1
- Private\ADMonitor\Core\Get-ADBaseline.ps1
- Private\ADMonitor\Detections\Test-ADDnsRecordChange.ps1
- Private\ADMonitor\Detections\Test-ADSchemaChange.ps1
- Private\Entra\Checks\Invoke-EntraTenantChecks.ps1
- Private\Entra\Core\Get-EntraAuthMethodsData.ps1
- Private\EntraMonitor\Core\Get-EntraRiskDetections.ps1
- Private\EntraMonitor\Detections\Test-EntraFederationChange.ps1
- Private\EntraMonitor\Detections\Test-EntraSubscriptionPermChange.ps1
- Private\M365Monitor\Detections\Test-M365EDiscoverySearch.ps1
- PSGuerrilla.format.ps1xml
- Data\RemediationCosts.json
- Public\Get-ComplianceCrosswalk.ps1
- Public\Invoke-Recon.ps1
- Public\Send-SignalPagerDuty.ps1
- Public\Unregister-Patrol.ps1
- Data\AuditChecks\ADLoggingChecks.json
- Data\AuditChecks\CollaborationChecks.json
- Data\AuditChecks\LoggingAlertingChecks.json
- Data\Profiles\K12-Baseline.json
- Private\Audit\Invoke-LoggingAlertingChecks.ps1
- Private\Console\Write-GuerrillaText.ps1
- Private\Console\Write-SurveillanceReport.ps1
- Private\Core\Get-ThreatScore.ps1
- Private\Core\Test-BulkFileDownload.ps1
- Private\Core\Test-WorkspaceSettingChange.ps1
- Private\Export\Export-FortificationReportHtml.ps1
- Private\Export\Export-SurveillanceReportJson.ps1
- Private\Google\Invoke-GoogleAdminApi.ps1
- Private\Vault\Read-MissionConfig.ps1
- Private\AD\Checks\Invoke-ADLoggingChecks.ps1
- Private\AD\Core\Get-ADDomainControllers.ps1
- Private\AD\Core\Get-ADTierZeroSignals.ps1
- Private\ADMonitor\Core\Get-ADMonitorData.ps1
- Private\ADMonitor\Detections\Test-ADDomainAdminChange.ps1
- Private\ADMonitor\Detections\Test-ADSensitivePasswordChange.ps1
- Private\Entra\Checks\Invoke-IntuneChecks.ps1
- Private\Entra\Core\Get-EntraConditionalAccessData.ps1
- Private\EntraMonitor\Core\Get-EntraSignInEvents.ps1
- Private\EntraMonitor\Detections\Test-EntraGlobalAdminAssignment.ps1
- Private\EntraMonitor\Detections\Test-EntraTenantSettingChange.ps1
- Private\M365Monitor\Detections\Test-M365ExternalSharingChange.ps1
- Data\SuspiciousCountries.json
- Public\Get-DeadDrop.ps1
- Public\Invoke-ReconDemo.ps1
- Public\Send-SignalPushover.ps1
- Public\Update-ThreatIntel.ps1
- Data\AuditChecks\ADLogonScriptChecks.json
- Data\AuditChecks\DeviceManagementChecks.json
- Data\AuditChecks\M365AuditChecks.json
- Private\Audit\Compare-FortificationState.ps1
- Private\Audit\Invoke-OAuthSecurityChecks.ps1
- Private\Console\Write-InfiltrationReport.ps1
- Private\Console\Write-WatchtowerReport.ps1
- Private\Core\Initialize-ConfigMigration.ps1
- Private\Core\Test-ConcurrentSessions.ps1
- Private\Core\Update-ThreatIntelData.ps1
- Private\Export\Export-FortificationReportJson.ps1
- Private\Export\Export-TrendReportHtml.ps1
- Private\Google\Invoke-GoogleReportsApi.ps1
- Private\Vault\Set-GuerrillaCredential.ps1
- Private\AD\Checks\Invoke-ADLogonScriptChecks.ps1
- Private\AD\Core\Get-ADDomainInfo.ps1
- Private\AD\Core\Get-ADTradecraftSignals.ps1
- Private\ADMonitor\Core\Get-ADMonitorThreatScore.ps1
- Private\ADMonitor\Detections\Test-ADEnterpriseAdminChange.ps1
- Private\ADMonitor\Detections\Test-ADServiceAccountCreation.ps1
- Private\Entra\Checks\Invoke-M365AuditChecks.ps1
- Private\Entra\Core\Get-EntraFederationData.ps1
- Private\EntraMonitor\Core\New-EntraRiskProfile.ps1
- Private\EntraMonitor\Detections\Test-EntraGuestInvitation.ps1
- Private\EntraMonitor\Detections\Test-EntraUnfamiliarSignIn.ps1
- Private\M365Monitor\Detections\Test-M365ForwardingRule.ps1
- PSGuerrilla.psd1
- Data\ThreatActorProfiles.json
- Public\Get-GuerrillaScore.ps1
- Public\Invoke-Reconnaissance.ps1
- Public\Send-SignalSendGrid.ps1
- Samples\Fortification-AllFail.html
- Data\AuditChecks\AdminManagementChecks.json
- Data\AuditChecks\DriveSecurityChecks.json
- Data\AuditChecks\M365DefenderChecks.json
- Private\Audit\Get-AuditCategoryDefinitions.ps1
- Private\Audit\New-AuditFinding.ps1
- Private\Console\Write-InterceptAlert.ps1
- Private\Console\Write-WiretapReport.ps1
- Private\Core\Invoke-AlertEscalation.ps1
- Private\Core\Test-DomainWideDelegation.ps1
- Private\Export\Export-CampaignReportCsv.ps1
- Private\Export\Export-InfiltrationReportCsv.ps1
- Private\Export\Export-WatchtowerReportCsv.ps1
- Private\Google\New-GoogleJwt.ps1
- Private\Vault\Set-VaultMetadata.ps1
- Private\AD\Checks\Invoke-ADNetworkChecks.ps1
- Private\AD\Core\Get-ADGroupPolicyObjects.ps1
- Private\AD\Core\Get-ADTrustRelationships.ps1
- Private\ADMonitor\Core\New-ADChangeProfile.ps1
- Private\ADMonitor\Detections\Test-ADGPOChange.ps1
- Private\ADMonitor\Detections\Test-ADTrustChange.ps1
- Private\Entra\Checks\Invoke-M365DefenderChecks.ps1
- Private\Entra\Core\Get-EntraPIMData.ps1
- Private\EntraMonitor\Detections\Test-EntraAdminUnitChange.ps1
- Private\EntraMonitor\Detections\Test-EntraImpossibleTravel.ps1
- Private\M365Monitor\Core\Get-M365AuditEvents.ps1
- Private\M365Monitor\Detections\Test-M365PowerAutomateFlow.ps1
- PSGuerrilla.psm1
- Data\VpnTorProxies.json
- Public\Get-Patrol.ps1
- Public\Invoke-Surveillance.ps1
- Public\Send-SignalSlack.ps1
- Samples\Generate-SampleReports.ps1
- Data\AuditChecks\ADNetworkChecks.json
- Data\AuditChecks\EmailSecurityChecks.json
- Data\AuditChecks\M365ExchangeChecks.json
- Private\Audit\Get-AuditPostureScore.ps1
- Private\Audit\Resolve-DomainMailSecurity.ps1
- Private\Console\Write-OperationHeader.ps1
- Private\Core\Get-AlertDeduplication.ps1
- Private\Core\Match-ThreatActorProfile.ps1
- Private\Core\Test-DriveExternalSharing.ps1
- Private\Export\Export-CampaignReportHtml.ps1
- Private\Export\Export-InfiltrationReportHtml.ps1
- Private\Export\Export-WatchtowerReportHtml.ps1
- Private\Graph\Get-GraphAccessToken.ps1
- Private\Vault\Show-SafehouseStatus.ps1
- Private\AD\Checks\Invoke-ADPasswordPolicyChecks.ps1
- Private\AD\Core\Get-ADKerberosConfig.ps1
- Private\AD\Core\Get-ReconnaissanceData.ps1
- Private\ADMonitor\Detections\Test-ADAdminSDHolderChange.ps1
- Private\ADMonitor\Detections\Test-ADGPOLinkChange.ps1
- Private\Entra\Checks\Invoke-AzureIAMChecks.ps1
- Private\Entra\Checks\Invoke-M365ExchangeChecks.ps1
- Private\Entra\Core\Get-EntraTenantData.ps1
- Private\EntraMonitor\Detections\Test-EntraAnomalousToken.ps1
- Private\EntraMonitor\Detections\Test-EntraLeakedCredential.ps1
- Private\M365Monitor\Core\Get-M365MonitorThreatScore.ps1
- Private\M365Monitor\Detections\Test-M365TeamsExternalAccess.ps1
- README.md
- Public\Export-BudgetJustification.ps1
- Public\Get-QuickWins.ps1
- Public\Invoke-Watchtower.ps1
- Public\Send-SignalSyslog.ps1
- Samples\Infiltration-AllFail.html
- Data\AuditChecks\ADPasswordPolicyChecks.json
- Data\AuditChecks\EntraAppChecks.json
- Data\AuditChecks\M365PowerPlatformChecks.json
- Private\Audit\Get-FortificationData.ps1
- Private\Console\Get-FortificationScoreLabel.ps1
- Private\Console\Write-ProgressLine.ps1
- Private\Core\Get-CloudIpClassification.ps1
- Private\Core\New-UserCompromiseProfile.ps1
- Private\Core\Test-EmailForwarding.ps1
- Private\Export\Export-CampaignReportJson.ps1
- Private\Export\Export-InfiltrationReportJson.ps1
- Private\Export\Export-WatchtowerReportJson.ps1
- Private\Graph\Invoke-AzureRMApi.ps1
- Private\Vault\Test-CredentialConnectivity.ps1
- Private\AD\Checks\Invoke-ADPrivilegedAccountChecks.ps1
- Private\AD\Core\Get-ADLogonScripts.ps1
- Private\AD\Core\Invoke-LdapQuery.ps1
- Private\ADMonitor\Detections\Test-ADCertEnrollmentAnomaly.ps1
- Private\ADMonitor\Detections\Test-ADKrbtgtChange.ps1
- Private\Entra\Checks\Invoke-EntraAppChecks.ps1
- Private\Entra\Checks\Invoke-M365PowerPlatformChecks.ps1
- Private\Entra\Core\Get-InfiltrationData.ps1
- Private\EntraMonitor\Detections\Test-EntraAnonymousIp.ps1
- Private\EntraMonitor\Detections\Test-EntraMalwareIp.ps1
- Private\M365Monitor\Core\New-M365ChangeProfile.ps1
- Private\M365Monitor\Detections\Test-M365TransportRuleChange.ps1
- Config\guerrilla-config-schema.json
- Public\Export-Dashboard.ps1
- Public\Get-RiskAcceptance.ps1
- Public\Invoke-Wiretap.ps1
- Public\Send-SignalTeams.ps1
- Samples\Reconnaissance-AllFail.html
- Data\AuditChecks\ADPrivilegedAccountChecks.json
- Data\AuditChecks\EntraAuthChecks.json
- Data\AuditChecks\M365SharePointChecks.json
- Private\Audit\Invoke-AdminManagementChecks.ps1
- Private\Console\Get-GuerrillaScoreLabel.ps1
- Private\Console\Write-ReconnaissanceReport.ps1
- Private\Core\Get-GuerrillaScoreCalculation.ps1
- Private\Core\Save-OperationState.ps1
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 2.2.1 | 3 | 5/15/2026 |
| 2.2.0 (current version) | 1 | 5/15/2026 |