PSGuerrilla.psd1

@{
    RootModule        = 'PSGuerrilla.psm1'
    ModuleVersion     = '2.34.0'
    GUID              = 'f7a3b2c1-4d5e-6f78-9a0b-1c2d3e4f5a6b'
    Author            = 'Jim Tyler, Microsoft MVP'
    CompanyName       = 'Jim Tyler'
    Copyright         = '(c) 2026 Jim Tyler. All rights reserved.'
    Description       = 'Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure / Intune / M365 infiltration audit (202 checks, including a full 44-control EIDSCA baseline), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.'
    PowerShellVersion = '7.0'

    FunctionsToExport = @(
        'Invoke-Recon'
        'Invoke-Surveillance'
        'Invoke-Watchtower'
        'Invoke-Wiretap'
        'Invoke-Lookout'
        'Get-DeadDrop'
        'Send-Signal'
        'Send-SignalSendGrid'
        'Send-SignalMailgun'
        'Send-SignalTwilio'
        'Send-SignalTeams'
        'Send-SignalSlack'
        'Send-SignalWebhook'
        'Send-SignalPagerDuty'
        'Send-SignalPushover'
        'Send-SignalSyslog'
        'Send-SignalEventLog'
        'Send-SignalDigest'
        'Set-Safehouse'
        'Test-Safehouse'
        'Get-Safehouse'
        'Register-Patrol'
        'Unregister-Patrol'
        'Get-Patrol'
        'Update-ThreatIntel'
        'Invoke-ReconDemo'
        'Invoke-Fortification'
        'Invoke-Reconnaissance'
        'Invoke-Infiltration'
        'Invoke-Campaign'
        'Get-GuerrillaScore'
        'Get-GuerrillaMaturity'
        'Get-QuickWins'
        'Get-ComplianceCrosswalk'
        'Test-GuerrillaConditionalAccess'
        'Export-BudgetJustification'
        'Export-ExecutiveSummary'
        'Export-TechnicalReport'
        'Export-RemediationPlaybook'
        'Export-RemediationScripts'
        'Set-RiskAcceptance'
        'Get-RiskAcceptance'
        'Get-TrendReport'
        'Export-ReportPdf'
        'Export-Dashboard'
        'Export-BloodHoundData'
        'Export-GuerrillaJUnit'
        'Get-GuerrillaCIGate'
        'Show-Guerrilla'
    )

    CmdletsToExport   = @()
    VariablesToExport = @()

    AliasesToExport   = @(
        # PSRecon -> PSGuerrilla rename aliases
        'Invoke-GoogleRecon'
        'Get-ReconAlerts'
        'Send-ReconAlert'
        'Send-ReconAlertSendGrid'
        'Send-ReconAlertMailgun'
        'Send-ReconAlertTwilio'
        'Set-ReconConfig'
        'Get-ReconConfig'
        'Register-ReconScheduledTask'
        'Unregister-ReconScheduledTask'
        'Get-ReconScheduledTask'
        # Theater-disambiguating aliases
        'Invoke-WorkspaceRecon'
        'Invoke-ADRecon'
        'Invoke-CloudRecon'
    )

    FormatsToProcess  = @('PSGuerrilla.format.ps1xml')

    PrivateData       = @{
        PSData = @{
            Tags         = @('GoogleWorkspace', 'ActiveDirectory', 'EntraID', 'AzureAD', 'Intune', 'M365', 'Security', 'CompromiseAssessment', 'IncidentResponse', 'ThreatDetection', 'ADSecurity', 'CloudSecurity', 'NTLMRelay', 'TierZero', 'GUI', 'WPF', 'PSGuerrilla')
            LicenseUri   = 'https://creativecommons.org/licenses/by/4.0/'
            ProjectUri   = 'https://guerrilla.army'
            ReleaseNotes = 'v2.34.0: GUI — new Signals tab in Show-Guerrilla to manage alert providers. Add / remove / test Microsoft Teams, Slack, generic Webhook, PagerDuty, Pushover, SendGrid, Mailgun, Twilio, Syslog, and Windows Event Log signals (secrets stored in the vault, consistent with the CLI Send-Signal path), set the alert threshold, toggle alerting, and configure duplicate suppression. Each provider has a Test button that sends a synthetic alert through the real send path so you can confirm it works.
v2.33.0: Reports — the Professional style is now the default for all HTML reports (Campaign / Reconnaissance / Infiltration / Fortification), and findings now list their affected entities as a bulleted list instead of a comma-separated paragraph across all four theater reports.
v2.32.2: Fix — the GUI single-instance guard is now advisory. If the lock is held by a stranded process (a prior launch whose window got lost behind the hidden console), you are prompted to open a new window anyway instead of being blocked outright. The window also comes to the front on launch (Activate + brief Topmost) so it cannot open hidden behind other windows.
v2.32.1: Fix — the GUI single-instance guard could falsely report "PSGuerrilla is already open in another window" when a prior launch left the lock held (window closed abnormally, or a still-alive session). The lock is now self-healing: a stale handle from this session is disposed, an abandoned lock from a dead process is reclaimed, and the lock is always released on close.
v2.32.0: Operations Console (Show-Guerrilla) redesigned to a light, modern, clean enterprise theme — white cards, a blue accent, rounded corners, refined typography, and corrected dropdown/grid contrast. The host PowerShell console is now hidden while the GUI is open and restored when it closes; pass -KeepConsole to keep the terminal visible. Windows-only GUI; the CLI is unchanged.
v2.31.0: Three Active Directory collectors that turn previously Not-Assessed checks into real verdicts on a domain controller. (1) NT-hash password quality via DSInternals replication — blank-password and duplicate-password detection (ADPWD-010/011) and privileged-account weak passwords (ADPRIV-016); HIBP/dictionary remain Not Assessed unless a dataset is supplied; hashes are analysed in memory and never stored. (2) Replication health (ADDOM-007; a single domain controller is reported healthy). (3) Domain Controllers user-rights parsing from the security template for local-logon and RDP rights (ADPRIV-026/027). Each collector degrades to Not Assessed when its data, rights, or module are unavailable — never a false pass.
v2.30.3: Honesty fix — stop reporting PASS without actually assessing. Six AD checks could report "clean" without performing the analysis: the five DSInternals NT-hash password checks (ADPWD-010 through ADPWD-014) treated module-presence as analysis-complete and passed on an unpopulated result, and the AD CS ESC6 check (ADCS-009) read an LDAP flags attribute that cannot carry the EDITF_ATTRIBUTESUBJECTALTNAME2 registry bit. All six now report Not Assessed with guidance when the underlying data is not actually collected, and still PASS/FAIL correctly once a real hash dataset or CA-registry source is present. Surfaced via live-domain lab validation.
v2.30.2: Live-domain reliability fix. Corrected AD well-known group resolution (Cert Publishers, Key Admins, Enterprise Key Admins): the SID-to-binary conversion called a method that does not exist on SecurityIdentifier, which threw and was silently swallowed, so ADTRADE-008/009 and other SID-based lookups reported Not Assessed even when the groups exist. Now uses GetBinaryForm; confirmed against a live domain controller (the groups resolve and the checks return real verdicts).
v2.30.1: Reliability fixes from live validation of the v2.30.0 checks. Fixed AD Tier-0 group resolution (Cert Publishers, Key Admins, Enterprise Key Admins) — a SID-encoding defect caused these checks to report Not Assessed even when the groups resolve; they now evaluate membership correctly. Fixed Entra Connect version-currency and hybrid-identity checks to detect a synchronized (hybrid) tenant via an authorized directory signal instead of misreporting it as cloud-only, and the federation configuration review no longer returns a pass when the sync configuration is unreadable (it reports Not Assessed). Reduced false positives in the shadow-credential check: legitimate Windows Hello for Business / device-registration keys on member computers are reported as review (WARN), while key credentials on privileged accounts or domain controllers still fail. No check-count or public-surface change.
v2.30.0: +63 checks (580 total). Expanded Exchange Online coverage with 36 additional CISA SCuBA EXO controls - anti-spam/anti-phishing/malware depth, Safe Links and Safe Attachments, mail-flow and external-forwarding controls, SPF/DKIM/DMARC, connection filtering, mailbox auditing, and audit-log retention. Added 6 Active Directory privileged/credential indicators: Seamless SSO (AZUREADSSOACC) Kerberos key age, shadow credentials (msDS-KeyCredentialLink) on privileged objects, delegated MSA migration escalation (BadSuccessor), Enterprise/Key Admins membership, Cert Publishers membership, and gMSA password-exposure posture. Added 4 Google Workspace SCuBA baselines - Sites, Classroom, Gemini, and Assured Controls - and completed the SCuBA Entra ID control set. New EIDFED-013 evaluates Microsoft Entra Connect sync-client version currency against a minimum-safe baseline (the Connect server is Tier-0; a server-side read gives a definitive verdict, cloud-only runs report Not Assessed). Controls whose data cannot be collected report as Not Assessed rather than passing. Read-only.
580 checks across Active Directory (211), Entra ID / Azure / Intune / M365 (244), and Google Workspace (125); 49 public functions. See CHANGELOG.md for full version history.'
        }
    }
}
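As an added example (not code from the PSGuerrilla project), the following script reviews a manifest like the one above offline, before the module is ever imported. `Import-PowerShellDataFile` parses a `.psd1` as data only, so none of the module's code runs during the review; that is the property a reviewer wants when triaging a module pulled from a gallery. The script checks that the export surface is explicit (no `*`), that the exported-function count matches the "49 public functions" figure the release notes claim, that no alias shadows an exported function, that every public name uses an approved verb, and that the GUID is well-formed. The manifest path (`.\PSGuerrilla.psd1`) and the expected count of 49 are assumptions taken from this page; adjust both for another module.

```powershell
# Added example: offline review of a PowerShell module manifest (.psd1).
# Not part of PSGuerrilla; assumes the manifest above is saved as .\PSGuerrilla.psd1
# and that its release notes' "49 public functions" figure is the intended surface.
param(
    [string] $ManifestPath   = '.\PSGuerrilla.psd1',
    [int]    $ExpectedExports = 49
)

# Data-only parse: restricted language, no script execution from the manifest.
$m = Import-PowerShellDataFile -Path $ManifestPath -ErrorAction Stop

$exports = @($m.FunctionsToExport)
$aliases = @($m.AliasesToExport)

# 1. Explicit export list. A '*' (or an empty list) hides the real public surface
#    from reviewers and from Get-Command discovery.
if ($exports.Count -eq 0 -or $exports -contains '*') {
    throw "FunctionsToExport must be an explicit, non-empty list (found: '$($exports -join ', ')')"
}

# 2. The declared surface matches what the release notes promise.
if ($exports.Count -ne $ExpectedExports) {
    Write-Warning "Manifest exports $($exports.Count) functions; expected $ExpectedExports."
}

# 3. No duplicate exports, and no alias that would shadow an exported function.
$dupes = $exports | Group-Object | Where-Object Count -gt 1 | Select-Object -ExpandProperty Name
if ($dupes) { throw "Duplicate FunctionsToExport entries: $($dupes -join ', ')" }

$collisions = $aliases | Where-Object { $exports -contains $_ }
if ($collisions) { throw "Aliases shadowing exported functions: $($collisions -join ', ')" }

# 4. Approved verbs on every public name (Verb-Noun split on the first hyphen).
$approvedVerbs = (Get-Verb).Verb
$badVerbs = ($exports + $aliases) | Where-Object {
    $approvedVerbs -notcontains ($_ -split '-', 2)[0]
}
if ($badVerbs) { Write-Warning "Unapproved verbs: $($badVerbs -join ', ')" }

# 5. Identity fields: well-formed GUID, RootModule is a script module, https ProjectUri.
$null = [guid]::Parse($m.GUID)   # throws on a malformed GUID
if ($m.RootModule -notmatch '\.psm1$') {
    Write-Warning "RootModule is not a .psm1: $($m.RootModule)"
}
$projectUri = $m.PrivateData.PSData.ProjectUri
if ($projectUri -and $projectUri -notmatch '^https://') {
    Write-Warning "ProjectUri is not https: $projectUri"
}

# 6. Full structural validation. Test-ModuleManifest also requires RootModule and
#    FormatsToProcess files to exist on disk, so only run it when the .psm1 is present.
$rootPath = Join-Path (Split-Path -Parent (Resolve-Path $ManifestPath)) $m.RootModule
$info = $null
if (Test-Path $rootPath) {
    $info = Test-ModuleManifest -Path $ManifestPath -ErrorAction Stop
} else {
    Write-Warning "RootModule '$($m.RootModule)' not found beside the manifest; skipping Test-ModuleManifest."
}

[pscustomobject]@{
    Module            = if ($info) { $info.Name } else { $m.RootModule }
    Version           = $m.ModuleVersion
    Functions         = $exports.Count
    Aliases           = $aliases.Count
    RequiresPSVersion = $m.PowerShellVersion
    ManifestValidated = [bool]$info
}
```

Run it from the directory holding the manifest (`.\Review-Manifest.ps1` if saved under that name, which is an assumed filename). Against the manifest above it should report 49 functions and 14 aliases with no warnings; any drift between the release notes and `FunctionsToExport` in a later version shows up as the step-2 warning before anything from the module has executed.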