PSGuerrilla

2.30.1

PSGuerrilla.psd1

                                @{

    RootModule        = 'PSGuerrilla.psm1'

    ModuleVersion     = '2.30.1'

    GUID              = 'f7a3b2c1-4d5e-6f78-9a0b-1c2d3e4f5a6b'

    Author            = 'Jim Tyler, Microsoft MVP'

    CompanyName       = 'Jim Tyler'

    Copyright         = '(c) 2026 Jim Tyler. All rights reserved.'

    Description       = 'Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure / Intune / M365 infiltration audit (202 checks, including a full 44-control EIDSCA baseline), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.'

    PowerShellVersion = '7.0'

    FunctionsToExport = @(

        'Invoke-Recon'

        'Invoke-Surveillance'

        'Invoke-Watchtower'

        'Invoke-Wiretap'

        'Invoke-Lookout'

        'Get-DeadDrop'

        'Send-Signal'

        'Send-SignalSendGrid'

        'Send-SignalMailgun'

        'Send-SignalTwilio'

        'Send-SignalTeams'

        'Send-SignalSlack'

        'Send-SignalWebhook'

        'Send-SignalPagerDuty'

        'Send-SignalPushover'

        'Send-SignalSyslog'

        'Send-SignalEventLog'

        'Send-SignalDigest'

        'Set-Safehouse'

        'Test-Safehouse'

        'Get-Safehouse'

        'Register-Patrol'

        'Unregister-Patrol'

        'Get-Patrol'

        'Update-ThreatIntel'

        'Invoke-ReconDemo'

        'Invoke-Fortification'

        'Invoke-Reconnaissance'

        'Invoke-Infiltration'

        'Invoke-Campaign'

        'Get-GuerrillaScore'

        'Get-GuerrillaMaturity'

        'Get-QuickWins'

        'Get-ComplianceCrosswalk'

        'Test-GuerrillaConditionalAccess'

        'Export-BudgetJustification'

        'Export-ExecutiveSummary'

        'Export-TechnicalReport'

        'Export-RemediationPlaybook'

        'Export-RemediationScripts'

        'Set-RiskAcceptance'

        'Get-RiskAcceptance'

        'Get-TrendReport'

        'Export-ReportPdf'

        'Export-Dashboard'

        'Export-BloodHoundData'

        'Export-GuerrillaJUnit'

        'Get-GuerrillaCIGate'

        'Show-Guerrilla'

    )

    CmdletsToExport   = @()

    VariablesToExport  = @()

    AliasesToExport    = @(

        # PSRecon -> PSGuerrilla rename aliases

        'Invoke-GoogleRecon'

        'Get-ReconAlerts'

        'Send-ReconAlert'

        'Send-ReconAlertSendGrid'

        'Send-ReconAlertMailgun'

        'Send-ReconAlertTwilio'

        'Set-ReconConfig'

        'Get-ReconConfig'

        'Register-ReconScheduledTask'

        'Unregister-ReconScheduledTask'

        'Get-ReconScheduledTask'

        # Theater-disambiguating aliases

        'Invoke-WorkspaceRecon'

        'Invoke-ADRecon'

        'Invoke-CloudRecon'

    )

    FormatsToProcess   = @('PSGuerrilla.format.ps1xml')

    PrivateData = @{

        PSData = @{

            Tags       = @('GoogleWorkspace', 'ActiveDirectory', 'EntraID', 'AzureAD', 'Intune', 'M365', 'Security', 'CompromiseAssessment', 'IncidentResponse', 'ThreatDetection', 'ADSecurity', 'CloudSecurity', 'NTLMRelay', 'TierZero', 'GUI', 'WPF', 'PSGuerrilla')

            LicenseUri = 'https://creativecommons.org/licenses/by/4.0/'

            ProjectUri = 'https://guerrilla.army'

            ReleaseNotes = 'v2.30.1: Reliability fixes from live validation of the v2.30.0 checks. Fixed AD Tier-0 group resolution (Cert Publishers, Key Admins, Enterprise Key Admins) — a SID-encoding defect caused these checks to report Not Assessed even when the groups resolve; they now evaluate membership correctly. Fixed Entra Connect version-currency and hybrid-identity checks to detect a synchronized (hybrid) tenant via an authorized directory signal instead of misreporting it as cloud-only, and the federation configuration review no longer returns a pass when the sync configuration is unreadable (it reports Not Assessed). Reduced false positives in the shadow-credential check: legitimate Windows Hello for Business / device-registration keys on member computers are reported as review (WARN), while key credentials on privileged accounts or domain controllers still fail. No check-count or public-surface change. v2.30.0: +63 checks (580 total). Expanded Exchange Online coverage with 36 additional CISA SCuBA EXO controls - anti-spam/anti-phishing/malware depth, Safe Links and Safe Attachments, mail-flow and external-forwarding controls, SPF/DKIM/DMARC, connection filtering, mailbox auditing, and audit-log retention. Added 6 Active Directory privileged/credential indicators: Seamless SSO (AZUREADSSOACC) Kerberos key age, shadow credentials (msDS-KeyCredentialLink) on privileged objects, delegated MSA migration escalation (BadSuccessor), Enterprise/Key Admins membership, Cert Publishers membership, and gMSA password-exposure posture. Added 4 Google Workspace SCuBA baselines - Sites, Classroom, Gemini, and Assured Controls - and completed the SCuBA Entra ID control set. New EIDFED-013 evaluates Microsoft Entra Connect sync-client version currency against a minimum-safe baseline (the Connect server is Tier-0; a server-side read gives a definitive verdict, cloud-only runs report Not Assessed). Controls whose data cannot be collected report as Not Assessed rather than passing. Read-only. 580 checks across Active Directory (211), Entra ID / Azure / Intune / M365 (244), and Google Workspace (125); 49 public functions. See CHANGELOG.md for full version history.'

        }

    }

}