PSGuerrilla.psd1
|
@{ RootModule = 'PSGuerrilla.psm1' ModuleVersion = '2.24.0' GUID = 'f7a3b2c1-4d5e-6f78-9a0b-1c2d3e4f5a6b' Author = 'Jim Tyler, Microsoft MVP' CompanyName = 'Jim Tyler' Copyright = '(c) 2026 Jim Tyler. All rights reserved.' Description = 'Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure / Intune / M365 infiltration audit (202 checks, including a full 44-control EIDSCA baseline), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.' PowerShellVersion = '7.0' FunctionsToExport = @( 'Invoke-Recon' 'Invoke-Surveillance' 'Invoke-Watchtower' 'Invoke-Wiretap' 'Invoke-Lookout' 'Get-DeadDrop' 'Send-Signal' 'Send-SignalSendGrid' 'Send-SignalMailgun' 'Send-SignalTwilio' 'Send-SignalTeams' 'Send-SignalSlack' 'Send-SignalWebhook' 'Send-SignalPagerDuty' 'Send-SignalPushover' 'Send-SignalSyslog' 'Send-SignalEventLog' 'Send-SignalDigest' 'Set-Safehouse' 'Test-Safehouse' 'Get-Safehouse' 'Register-Patrol' 'Unregister-Patrol' 'Get-Patrol' 'Update-ThreatIntel' 'Invoke-ReconDemo' 'Invoke-Fortification' 'Invoke-Reconnaissance' 'Invoke-Infiltration' 'Invoke-Campaign' 'Get-GuerrillaScore' 'Get-GuerrillaMaturity' 'Get-QuickWins' 'Get-ComplianceCrosswalk' 'Export-BudgetJustification' 'Export-ExecutiveSummary' 'Export-TechnicalReport' 'Export-RemediationPlaybook' 'Export-RemediationScripts' 'Set-RiskAcceptance' 'Get-RiskAcceptance' 'Get-TrendReport' 'Export-ReportPdf' 'Export-Dashboard' 'Export-BloodHoundData' 'Show-Guerrilla' ) CmdletsToExport = @() VariablesToExport = @() AliasesToExport = @( # PSRecon -> PSGuerrilla rename aliases 'Invoke-GoogleRecon' 'Get-ReconAlerts' 'Send-ReconAlert' 'Send-ReconAlertSendGrid' 'Send-ReconAlertMailgun' 'Send-ReconAlertTwilio' 'Set-ReconConfig' 'Get-ReconConfig' 'Register-ReconScheduledTask' 'Unregister-ReconScheduledTask' 'Get-ReconScheduledTask' # Theater-disambiguating aliases 'Invoke-WorkspaceRecon' 'Invoke-ADRecon' 'Invoke-CloudRecon' ) FormatsToProcess = @('PSGuerrilla.format.ps1xml') PrivateData = @{ PSData = @{ Tags = @('GoogleWorkspace', 'ActiveDirectory', 'EntraID', 'AzureAD', 'Intune', 'M365', 'Security', 'CompromiseAssessment', 'IncidentResponse', 'ThreatDetection', 'ADSecurity', 'CloudSecurity', 'NTLMRelay', 'TierZero', 'GUI', 'WPF', 'PSGuerrilla') LicenseUri = 'https://creativecommons.org/licenses/by/4.0/' ProjectUri = 'https://guerrilla.army' ReleaseNotes = 'v2.24.0: Full EIDSCA baseline (44 controls) as a new Eidsca category - matches Maester EIDSCA 1:1 (AF/AG/AM/AS/AT/AV auth-method, AP authorization, CP/CR consent, PR password-protection, ST guest-group). Control definitions (Graph object + exact property path + operator + expected) extracted from the authoritative Maester corpus, not fabricated; live in Data/AuditChecks/EidscaChecks.json. Data-driven evaluator (Resolve-EidscaControl) runs against the raw Graph objects PSGuerrilla already collects (authenticationMethodsPolicy/authorizationPolicy/adminConsentRequestPolicy/directory settings) - no new collection. Surfaced via Get-ComplianceCrosswalk -Framework EIDSCA and the new Invoke-Infiltration category. EIDSCA coverage 10 approximate tags -> 44 controls evaluated (interim tags removed to avoid duplicate crosswalk rows). Check count 473 -> 517 (Entra/M365 158 -> 202; AD 205, GWS 110 unchanged). HONEST: any control whose source policy/setting was not collected returns SKIP = Not Assessed, never PASS. Test verify-eidsca.ps1 (18/18). Maester roadmap M1 done; next M2 CA what-if + M6 EXO/email depth. v2.23.0: Fixes from the v2.22.0 live-validation pass. FIXED: attack-path visuals rendered EMPTY on real domains - the shared report code read Details.Chains (only ADPATH-002 has that) but ADPATH-001 carries rich objects under Details.Paths, and the @(null).Count==1 gotcha defeated the AffectedItems fallback; a shared gather now reads BOTH shapes, filters null, excludes by-design Expected service-account paths, and derives hop count when Length is absent (fixes the Attack Paths list + Cartography across Recon/Campaign/Technical). FIXED: compliance crosswalk silently dropped SKIP checks (coverage read artificially low) - SKIP now surfaces as Not Assessed, only ERROR dropped. FIXED: maturity rated all-SKIP categories as Level 5 Optimized - now Level 0 Not Assessed (absence of evidence is not compliance). CHANGED: BloodHound export resolves well-known privileged groups (Domain/Enterprise/Schema Admins + builtin operator aliases) to real SIDs so they overlay SharpHound instead of parallel NAME: nodes. CHANGED: full-domain ACL sweep now includes organizationalUnit objects (OU delegation was invisible). Report/honesty only - no check/scoring/count changes (473 checks, 46 functions). Tests: report-sections 29/29, maturity 22/22, bloodhound 14/14, fulldomain 18/18, scuba 12/12. See CHANGELOG.md for v2.23.0 and earlier.' } } } |