PSGuerrilla.psd1
#
# PSGuerrilla module manifest (PowerShell data file).
#
# A manifest is a single hashtable literal read by Import-Module /
# Test-ModuleManifest (and safely, without code execution, by
# Import-PowerShellDataFile). Every export list below is an explicit
# enumeration rather than a '*' wildcard, so only the named commands and
# aliases become visible to callers; anything else in the .psm1 stays
# module-private.
#
@{
    # ----- Identity and host requirements ---------------------------------
    RootModule        = 'PSGuerrilla.psm1'
    ModuleVersion     = '2.25.0'
    GUID              = 'f7a3b2c1-4d5e-6f78-9a0b-1c2d3e4f5a6b'
    Author            = 'Jim Tyler, Microsoft MVP'
    CompanyName       = 'Jim Tyler'
    Copyright         = '(c) 2026 Jim Tyler. All rights reserved.'
    # Minimum host version enforced at import time. No CompatiblePSEditions
    # is declared; the 7.0 floor alone rules out Windows PowerShell 5.1.
    PowerShellVersion = '7.0'

    # Gallery-facing summary (shown by Find-Module / Get-Module).
    Description = 'Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure / Intune / M365 infiltration audit (202 checks, including a full 44-control EIDSCA baseline), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.'

    # ----- Public surface ---------------------------------------------------
    # 47 functions. Keep this list in sync with the .psm1: a function missing
    # here is silently unavailable to callers, one added here but absent from
    # the .psm1 makes Test-ModuleManifest fail.
    FunctionsToExport = @(
        # Assessment / monitoring entry points
        'Invoke-Recon'
        'Invoke-Surveillance'
        'Invoke-Watchtower'
        'Invoke-Wiretap'
        'Invoke-Lookout'
        'Get-DeadDrop'
        # Alert delivery (one Send-Signal* per channel, plus the digest)
        'Send-Signal'
        'Send-SignalSendGrid'
        'Send-SignalMailgun'
        'Send-SignalTwilio'
        'Send-SignalTeams'
        'Send-SignalSlack'
        'Send-SignalWebhook'
        'Send-SignalPagerDuty'
        'Send-SignalPushover'
        'Send-SignalSyslog'
        'Send-SignalEventLog'
        'Send-SignalDigest'
        # Configuration store and scheduled runs
        'Set-Safehouse'
        'Test-Safehouse'
        'Get-Safehouse'
        'Register-Patrol'
        'Unregister-Patrol'
        'Get-Patrol'
        'Update-ThreatIntel'
        # Theater-specific assessments and scoring
        'Invoke-ReconDemo'
        'Invoke-Fortification'
        'Invoke-Reconnaissance'
        'Invoke-Infiltration'
        'Invoke-Campaign'
        'Get-GuerrillaScore'
        'Get-GuerrillaMaturity'
        'Get-QuickWins'
        'Get-ComplianceCrosswalk'
        'Test-GuerrillaConditionalAccess'
        # Reporting and remediation exports
        'Export-BudgetJustification'
        'Export-ExecutiveSummary'
        'Export-TechnicalReport'
        'Export-RemediationPlaybook'
        'Export-RemediationScripts'
        'Set-RiskAcceptance'
        'Get-RiskAcceptance'
        'Get-TrendReport'
        'Export-ReportPdf'
        'Export-Dashboard'
        'Export-BloodHoundData'
        # GUI
        'Show-Guerrilla'
    )

    # Nothing exported in these categories (explicit empty arrays, not '*').
    CmdletsToExport   = @()
    VariablesToExport = @()

    # 14 aliases, kept for scripts written against the older command names.
    AliasesToExport = @(
        # PSRecon -> PSGuerrilla rename aliases
        'Invoke-GoogleRecon'
        'Get-ReconAlerts'
        'Send-ReconAlert'
        'Send-ReconAlertSendGrid'
        'Send-ReconAlertMailgun'
        'Send-ReconAlertTwilio'
        'Set-ReconConfig'
        'Get-ReconConfig'
        'Register-ReconScheduledTask'
        'Unregister-ReconScheduledTask'
        'Get-ReconScheduledTask'
        # Theater-disambiguating aliases
        'Invoke-WorkspaceRecon'
        'Invoke-ADRecon'
        'Invoke-CloudRecon'
    )

    # Display formatting loaded alongside the module (relative to the module root).
    FormatsToProcess = @('PSGuerrilla.format.ps1xml')

    # ----- PowerShell Gallery metadata ---------------------------------------
    PrivateData = @{
        PSData = @{
            Tags = @(
                'GoogleWorkspace'
                'ActiveDirectory'
                'EntraID'
                'AzureAD'
                'Intune'
                'M365'
                'Security'
                'CompromiseAssessment'
                'IncidentResponse'
                'ThreatDetection'
                'ADSecurity'
                'CloudSecurity'
                'NTLMRelay'
                'TierZero'
                'GUI'
                'WPF'
                'PSGuerrilla'
            )
            LicenseUri = 'https://creativecommons.org/licenses/by/4.0/'
            ProjectUri = 'https://guerrilla.army'
            # Only the two most recent releases are summarised here; the string
            # itself points to CHANGELOG.md for the full history.
            ReleaseNotes = 'v2.25.0: New Conditional Access what-if simulation - the free answer to 
Maester Test-MtConditionalAccessWhatIf. Test-GuerrillaConditionalAccess simulates a sign-in against live CA policies via POST /beta/identity/conditionalAccess/evaluate (same request shape as Maester) and normalizes applied policies into one verdict (Block/MfaRequired/CompliantDeviceRequired/PasswordChangeRequired/Grant/NotApplied/Unknown). Invoke-Infiltration -WhatIfUserId runs a pre-built attack-scenario matrix (legacy-auth, no-MFA, high sign-in/user risk, unmanaged device) graded PASS/FAIL - more opinionated than Maester BYO tests - driving EIDCA-015 (was a placeholder/inference, now a real simulation when a user is supplied; without it, falls back to clearly-labeled policy-config inference). Beta API: empty/unrecognised response -> Unknown -> grader SKIP = Not Assessed, never false PASS. 47 public functions; check counts unchanged (517). Test verify-ca-whatif.ps1 (19/19). Maester roadmap M1 (EIDSCA) + M2 (CA what-if) done; remaining M6 EXO/email depth. v2.24.0: Full EIDSCA baseline (44 controls) as a new Eidsca category - matches Maester EIDSCA 1:1 (AF/AG/AM/AS/AT/AV auth-method, AP authorization, CP/CR consent, PR password-protection, ST guest-group). Control definitions (Graph object + exact property path + operator + expected) extracted from the authoritative Maester corpus, not fabricated; live in Data/AuditChecks/EidscaChecks.json. Data-driven evaluator (Resolve-EidscaControl) runs against the raw Graph objects PSGuerrilla already collects (authenticationMethodsPolicy/authorizationPolicy/adminConsentRequestPolicy/directory settings) - no new collection. Surfaced via Get-ComplianceCrosswalk -Framework EIDSCA and the new Invoke-Infiltration category. EIDSCA coverage 10 approximate tags -> 44 controls evaluated (interim tags removed to avoid duplicate crosswalk rows). Check count 473 -> 517 (Entra/M365 158 -> 202; AD 205, GWS 110 unchanged). HONEST: any control whose source policy/setting was not collected returns SKIP = Not Assessed, never PASS. 
Test verify-eidsca.ps1 (18/18). Maester roadmap M1 done; next M2 CA what-if + M6 EXO/email depth. See CHANGELOG.md for v2.24.0 and earlier.'
        }
    }
}