PSGuerrilla.psd1
|
@{ RootModule = 'PSGuerrilla.psm1' ModuleVersion = '2.40.0' GUID = 'f7a3b2c1-4d5e-6f78-9a0b-1c2d3e4f5a6b' Author = 'Jim Tyler, Microsoft MVP' CompanyName = 'Jim Tyler' Copyright = '(c) 2026 Jim Tyler. All rights reserved.' Description = 'Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure identity-plane / Intune / M365 infiltration audit (204 checks, including a full 44-control EIDSCA baseline and partner/GDAP delegated-access review), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.' PowerShellVersion = '7.0' FunctionsToExport = @( 'Invoke-Recon' 'Invoke-Surveillance' 'Invoke-Watchtower' 'Invoke-Wiretap' 'Invoke-Lookout' 'Get-DeadDrop' 'Send-Signal' 'Send-SignalSendGrid' 'Send-SignalMailgun' 'Send-SignalTwilio' 'Send-SignalTeams' 'Send-SignalSlack' 'Send-SignalWebhook' 'Send-SignalPagerDuty' 'Send-SignalPushover' 'Send-SignalSyslog' 'Send-SignalEventLog' 'Send-SignalDigest' 'Set-Safehouse' 'Test-Safehouse' 'Get-Safehouse' 'Register-Patrol' 'Unregister-Patrol' 'Get-Patrol' 'Update-ThreatIntel' 'Invoke-ReconDemo' 'Invoke-Fortification' 'Invoke-Reconnaissance' 'Invoke-Infiltration' 'Invoke-Campaign' 'Get-GuerrillaScore' 'Get-GuerrillaMaturity' 'Get-QuickWins' 'Get-ComplianceCrosswalk' 'Test-GuerrillaConditionalAccess' 'Export-BudgetJustification' 'Export-ExecutiveSummary' 'Export-TechnicalReport' 'Export-RemediationPlaybook' 'Export-RemediationScripts' 'Set-RiskAcceptance' 'Get-RiskAcceptance' 'Get-TrendReport' 'Export-ReportPdf' 'Export-Dashboard' 'Export-BloodHoundData' 'Export-GuerrillaJUnit' 'Get-GuerrillaCIGate' 'Show-Guerrilla' 'Get-ZeroTrustScore' ) CmdletsToExport = @() VariablesToExport = @() AliasesToExport = @( 'Invoke-GoogleRecon' 'Get-ReconAlerts' 'Send-ReconAlert' 'Send-ReconAlertSendGrid' 'Send-ReconAlertMailgun' 'Send-ReconAlertTwilio' 'Set-ReconConfig' 'Get-ReconConfig' 'Register-ReconScheduledTask' 'Unregister-ReconScheduledTask' 'Get-ReconScheduledTask' 'Invoke-WorkspaceRecon' 'Invoke-ADRecon' 'Invoke-CloudRecon' ) FormatsToProcess = @('PSGuerrilla.format.ps1xml') PrivateData = @{ PSData = @{ Tags = @('GoogleWorkspace', 'ActiveDirectory', 'EntraID', 'AzureAD', 'Intune', 'M365', 'Security', 'CompromiseAssessment', 'IncidentResponse', 'ThreatDetection', 'ADSecurity', 'CloudSecurity', 'NTLMRelay', 'TierZero', 'GUI', 'WPF', 'PSGuerrilla') LicenseUri = 'https://creativecommons.org/licenses/by/4.0/' ProjectUri = 'https://guerrilla.army' ReleaseNotes = 'v2.40.0: Partner/GDAP delegated-access review + Gemini deep-settings coverage. Two new Entra checks model the partner attack path: EIDTNT-015 fails when a CSP/partner delegated-admin (GDAP) relationship grants a Tier-0 directory role (the Kaseya-class propagation path), EIDTNT-016 flags long-lived auto-extending grants; a failed collection is Not Assessed, never a clean pass. The four Gemini deep settings (Alpha features, conversation history, retention, sharing) are in no config API, so PSGuerrilla now infers them from Google Admin audit-log setting-change events (the source ScubaGoggles uses) and labels every such verdict as inferred with its source timestamp; absent a change event it honestly SKIPs. Also fixes DEVICE-009 false-WARN on tenants with zero Chrome OS devices (empty-array trap). Backed by 18 new golden fixtures, a GDAP collector query-contract test, and a Gemini derivation unit test. v2.39.0: Zero Trust posture is now first-class. Every check declares a CISA ZTMM pillar and a 0-3 weight in its definition, carried onto every finding, so you can filter and score by pillar straight from the pipeline. New public Get-ZeroTrustScore returns a weighted posture score per pillar (PASS/WARN/FAIL credit; Not-Assessed excluded from the denominator) plus a Coverage-Confidence marker (Solid/Moderate/Directional) so a score from a thin pillar discloses that instead of reading as authoritative; the Infiltration HTML report renders the pillar line on its cover. A schema test in CI and the release gate fails the build if any check omits its ZT stance. Description narrowed Azure to Azure identity-plane to match real coverage. v2.38.0: Reliability and correctness fixes from live-tenant validation (read-only; no check-count or public-surface change). Fixed three collector under-fetch defects that produced wrong verdicts on live tenants while passing offline fixtures: cross-tenant access (EIDTNT-005) now collects the default policy so an all-inbound and outbound B2B default is flagged instead of passing; Intune configuration profiles (INTUNE-005) now request assignment data so assigned profiles are no longer reported unassigned; PIM eligibility (EIDPIM-010) now reads eligibility schedule definitions so standing eligible assignments are detected instead of reporting PIM not configured. Fixed an empty-collection dead-branch in about ten checks (Exchange anti-spam, anti-malware, Safe Attachments, Safe Links, transport rules; mobile-device MDM; Google alert rules; AD GPO inventory): a connected tenant with zero policies now returns the correct verdict (for example zero anti-malware policies or zero alert rules now FAIL) instead of being swallowed to SKIP or WARN; Not-Assessed-on-collection-error is preserved. Gave two AD checks a reachable path: AD GPO Restricted Groups (ADGPO-017) now passes in the clean state, and AD CS ESC9 binding enforcement (ADCS-012) reports Not Assessed when the registry value was not collected instead of a permanent WARN. Hardened alerting: Send-Signal no longer crashes when piped monitor results that expose Severity rather than ThreatLevel, signal formatting no longer aborts all channels on a null timestamp, and Register-Patrol no longer reports success when task registration actually failed. Added collector query-contract tests that assert the exact Graph endpoints and parameters the collectors request, plus regression fixtures for the corrected verdicts. v2.37.0: Fixed 7 Entra PIM privileged-account checks (EIDPIM-004/005/006/007/008/009/013) that referenced an undefined variable and threw at runtime instead of returning a verdict. They now evaluate the collected privileged-user set behind a Not Assessed guard and correctly flag guest accounts in privileged roles, on-premises-synced admins, privileged users without MFA or with weak-only MFA, disabled accounts that still hold privileged roles, never-signed-in privileged accounts, and separate-admin naming. Surfaced by the detection-test suite, which now also covers all 44 EIDSCA controls and the repaired PIM checks (1,583 fixtures; test-only, no public-surface change). v2.36.0: Added a golden-fixture detection-test suite for the security checks. 468 of 580 checks (every Critical, High, and Medium control) are now validated by synthetic fixtures that feed known-good, known-bad, and uncollectable data through the real check functions and assert the resulting verdict (PASS / FAIL / WARN / Not Assessed), pinning each check''s contract so a regression that silently changes a verdict fails the test run. 1,288 fixtures run under Pester in a few seconds and surfaced several latent verdict defects, which are tracked for fixing. The installable module surface and all check behavior are unchanged — the suite lives in the repository. v2.35.0: Honesty fix across all theaters — a control whose data fails to collect now reports Not Assessed instead of PASS. Previously a Graph throttle/error or an AD enumeration failure could leave a check scoring "clean" on data it never saw. Invoke-GraphApi now fails loud by default so collectors record the failure (continuous-monitoring collectors opt out), a shared Get-NotAssessedFinding guard fronts the checks, and ~285 check sites consult their collector error map before passing on empty. Read-only; no check-count or public-surface change. v2.34.0: GUI — new Signals tab in Show-Guerrilla to manage alert providers. Add / remove / test Microsoft Teams, Slack, generic Webhook, PagerDuty, Pushover, SendGrid, Mailgun, Twilio, Syslog, and Windows Event Log signals (secrets stored in the vault, consistent with the CLI Send-Signal path), set the alert threshold, toggle alerting, and configure duplicate suppression. Each provider has a Test button that sends a synthetic alert through the real send path so you can confirm it works. v2.33.0: Reports — the Professional style is now the default for all HTML reports (Campaign / Reconnaissance / Infiltration / Fortification), and findings now list their affected entities as a bulleted list instead of a comma-separated paragraph across all four theater reports. v2.32.2: Fix — the GUI single-instance guard is now advisory. If the lock is held by a stranded process (a prior launch whose window got lost behind the hidden console), you are prompted to open a new window anyway instead of being blocked outright. The window also comes to the front on launch (Activate + brief Topmost) so it cannot open hidden behind other windows. v2.32.1: Fix — the GUI single-instance guard could falsely report "PSGuerrilla is already open in another window" when a prior launch left the lock held (window closed abnormally, or a still-alive session). The lock is now self-healing: a stale handle from this session is disposed, an abandoned lock from a dead process is reclaimed, and the lock is always released on close. v2.32.0: Operations Console (Show-Guerrilla) redesigned to a light, modern, clean enterprise theme — white cards, a blue accent, rounded corners, refined typography, and corrected dropdown/grid contrast. The host PowerShell console is now hidden while the GUI is open and restored when it closes; pass -KeepConsole to keep the terminal visible. Windows-only GUI; the CLI is unchanged. See CHANGELOG.md for v2.31 and earlier.' } } } |