PSGuerrilla

2.26.0

PSGuerrilla.psd1

                                @{

    RootModule        = 'PSGuerrilla.psm1'

    ModuleVersion     = '2.26.0'

    GUID              = 'f7a3b2c1-4d5e-6f78-9a0b-1c2d3e4f5a6b'

    Author            = 'Jim Tyler, Microsoft MVP'

    CompanyName       = 'Jim Tyler'

    Copyright         = '(c) 2026 Jim Tyler. All rights reserved.'

    Description       = 'Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure / Intune / M365 infiltration audit (202 checks, including a full 44-control EIDSCA baseline), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.'

    PowerShellVersion = '7.0'

    FunctionsToExport = @(

        'Invoke-Recon'

        'Invoke-Surveillance'

        'Invoke-Watchtower'

        'Invoke-Wiretap'

        'Invoke-Lookout'

        'Get-DeadDrop'

        'Send-Signal'

        'Send-SignalSendGrid'

        'Send-SignalMailgun'

        'Send-SignalTwilio'

        'Send-SignalTeams'

        'Send-SignalSlack'

        'Send-SignalWebhook'

        'Send-SignalPagerDuty'

        'Send-SignalPushover'

        'Send-SignalSyslog'

        'Send-SignalEventLog'

        'Send-SignalDigest'

        'Set-Safehouse'

        'Test-Safehouse'

        'Get-Safehouse'

        'Register-Patrol'

        'Unregister-Patrol'

        'Get-Patrol'

        'Update-ThreatIntel'

        'Invoke-ReconDemo'

        'Invoke-Fortification'

        'Invoke-Reconnaissance'

        'Invoke-Infiltration'

        'Invoke-Campaign'

        'Get-GuerrillaScore'

        'Get-GuerrillaMaturity'

        'Get-QuickWins'

        'Get-ComplianceCrosswalk'

        'Test-GuerrillaConditionalAccess'

        'Export-BudgetJustification'

        'Export-ExecutiveSummary'

        'Export-TechnicalReport'

        'Export-RemediationPlaybook'

        'Export-RemediationScripts'

        'Set-RiskAcceptance'

        'Get-RiskAcceptance'

        'Get-TrendReport'

        'Export-ReportPdf'

        'Export-Dashboard'

        'Export-BloodHoundData'

        'Export-GuerrillaJUnit'

        'Show-Guerrilla'

    )

    CmdletsToExport   = @()

    VariablesToExport  = @()

    AliasesToExport    = @(

        # PSRecon -> PSGuerrilla rename aliases

        'Invoke-GoogleRecon'

        'Get-ReconAlerts'

        'Send-ReconAlert'

        'Send-ReconAlertSendGrid'

        'Send-ReconAlertMailgun'

        'Send-ReconAlertTwilio'

        'Set-ReconConfig'

        'Get-ReconConfig'

        'Register-ReconScheduledTask'

        'Unregister-ReconScheduledTask'

        'Get-ReconScheduledTask'

        # Theater-disambiguating aliases

        'Invoke-WorkspaceRecon'

        'Invoke-ADRecon'

        'Invoke-CloudRecon'

    )

    FormatsToProcess   = @('PSGuerrilla.format.ps1xml')

    PrivateData = @{

        PSData = @{

            Tags       = @('GoogleWorkspace', 'ActiveDirectory', 'EntraID', 'AzureAD', 'Intune', 'M365', 'Security', 'CompromiseAssessment', 'IncidentResponse', 'ThreatDetection', 'ADSecurity', 'CloudSecurity', 'NTLMRelay', 'TierZero', 'GUI', 'WPF', 'PSGuerrilla')

            LicenseUri = 'https://creativecommons.org/licenses/by/4.0/'

            ProjectUri = 'https://guerrilla.army'

            ReleaseNotes = 'v2.26.0: New Export-GuerrillaJUnit - security config as code. Converts any theater findings (AD/Entra/M365/Google Workspace) to JUnit XML, the format GitHub Actions/Azure DevOps/GitLab render natively as pass/fail, so PSGuerrilla drops into the same CI pipelines as Maester (across all four theaters, not just M365/Entra). One testsuite per category, one testcase per check: FAIL -> failure (typed by severity), SKIP/ERROR -> skipped (Not Assessed, never a silent pass), WARN passes with output (or -WarningsAsFailures to gate on it). Returns Tests/Failures/Skipped/Passed for pipeline gating (exit non-zero on Failures). Copy-paste GitHub Actions/Azure DevOps/GitLab templates available; dedicated Action is a follow-on. 48 public functions; check counts unchanged (517). Test verify-junit.ps1 (14/14). Maester roadmap M1 (EIDSCA) + M2 (CA what-if) + M4 (CI/CD) done; remaining M3 (interactive report + Indicators of Exposure, also closes Purple Knight) and M6 (EXO/email depth). v2.25.0: New Conditional Access what-if simulation - the free answer to Maester Test-MtConditionalAccessWhatIf. Test-GuerrillaConditionalAccess simulates a sign-in against live CA policies via POST /beta/identity/conditionalAccess/evaluate (same request shape as Maester) and normalizes applied policies into one verdict (Block/MfaRequired/CompliantDeviceRequired/PasswordChangeRequired/Grant/NotApplied/Unknown). Invoke-Infiltration -WhatIfUserId runs a pre-built attack-scenario matrix (legacy-auth, no-MFA, high sign-in/user risk, unmanaged device) graded PASS/FAIL - more opinionated than Maester BYO tests - driving EIDCA-015 (was a placeholder/inference, now a real simulation when a user is supplied; without it, falls back to clearly-labeled policy-config inference). Beta API: empty/unrecognised response -> Unknown -> grader SKIP = Not Assessed, never false PASS. 47 public functions; check counts unchanged (517). Test verify-ca-whatif.ps1 (19/19). Maester roadmap M1 (EIDSCA) + M2 (CA what-if) done; remaining M6 EXO/email depth. See CHANGELOG.md for v2.25.0 and earlier.'

        }

    }

}