PSGuerrilla

2.40.1

Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions,
Security assessment, threat detection, and continuous monitoring module for Google Workspace, Active Directory, and Microsoft cloud environments. Includes Google Workspace compromise assessment with 23 detection signals, Active Directory reconnaissance (205 security checks across 15 categories including transitive Tier-0 attack-path analysis, NTLM-relay preconditions, Tier-0 hygiene, telemetry posture, and adversary tradecraft indicators), Entra ID / Azure identity-plane / Intune / M365 infiltration audit (204 checks, including a full 44-control EIDSCA baseline and partner/GDAP delegated-access review), and continuous monitoring across all four theaters (Entra ID sign-in risk, AD baseline monitoring, M365 audit log monitoring). Supports alerting via SendGrid, Mailgun, Twilio SMS, Teams, Slack, generic webhooks, PagerDuty, Pushover, Syslog (CEF/LEEF), and Windows Event Log.
Show more

Minimum PowerShell version

7.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name PSGuerrilla -RequiredVersion 2.40.1

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name PSGuerrilla -Version 2.40.1

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) 2026 Jim Tyler. All rights reserved.

Package Details

Author(s)

  • Jim Tyler Microsoft MVP

Tags

GoogleWorkspace ActiveDirectory EntraID AzureAD Intune M365 Security CompromiseAssessment IncidentResponse ThreatDetection ADSecurity CloudSecurity NTLMRelay TierZero GUI WPF PSGuerrilla

Functions

Invoke-Recon Invoke-Surveillance Invoke-Watchtower Invoke-Wiretap Invoke-Lookout Get-DeadDrop Send-Signal Send-SignalSendGrid Send-SignalMailgun Send-SignalTwilio Send-SignalTeams Send-SignalSlack Send-SignalWebhook Send-SignalPagerDuty Send-SignalPushover Send-SignalSyslog Send-SignalEventLog Send-SignalDigest Set-Safehouse Test-Safehouse Get-Safehouse Register-Patrol Unregister-Patrol Get-Patrol Update-ThreatIntel Invoke-ReconDemo Invoke-Fortification Invoke-Reconnaissance Invoke-Infiltration Invoke-Campaign Get-GuerrillaScore Get-GuerrillaMaturity Get-QuickWins Get-ComplianceCrosswalk Test-GuerrillaConditionalAccess Export-BudgetJustification Export-ExecutiveSummary Export-TechnicalReport Export-RemediationPlaybook Export-RemediationScripts Set-RiskAcceptance Get-RiskAcceptance Get-TrendReport Export-ReportPdf Export-Dashboard Export-BloodHoundData Export-GuerrillaJUnit Get-GuerrillaCIGate Show-Guerrilla Get-ZeroTrustScore

Dependencies

This module has no dependencies.

Release Notes

v2.40.1: Fixes the Gemini audit-log derivation. Live-tenant validation showed Google names generative-AI audit settings gen_ai_* (not 'gemini'/'generative') and emits them under CHANGE_CHROME_OS_USER_SETTING, so the 2.40.0 matching found nothing and GWS-GEMINI-002/003/004/005 always SKIPped. Scoping now covers gen_ai/gemini/generative over any *_SETTING change event; a two-level match keeps it safe (no spurious verdicts from unrelated gen_ai settings). Still inference, still labeled as such; the exact Workspace-Gemini literals remain pending one live change event, so it SKIPs safely on no match. v2.40.0: Partner/GDAP delegated-access review + Gemini deep-settings coverage. Two new Entra checks model the partner attack path: EIDTNT-015 fails when a CSP/partner delegated-admin (GDAP) relationship grants a Tier-0 directory role (the Kaseya-class propagation path), EIDTNT-016 flags long-lived auto-extending grants; a failed collection is Not Assessed, never a clean pass. The four Gemini deep settings (Alpha features, conversation history, retention, sharing) are in no config API, so PSGuerrilla now infers them from Google Admin audit-log setting-change events (the source ScubaGoggles uses) and labels every such verdict as inferred with its source timestamp; absent a change event it honestly SKIPs. Also fixes DEVICE-009 false-WARN on tenants with zero Chrome OS devices (empty-array trap). Backed by 18 new golden fixtures, a GDAP collector query-contract test, and a Gemini derivation unit test. v2.39.0: Zero Trust posture is now first-class. Every check declares a CISA ZTMM pillar and a 0-3 weight in its definition, carried onto every finding, so you can filter and score by pillar straight from the pipeline. New public Get-ZeroTrustScore returns a weighted posture score per pillar (PASS/WARN/FAIL credit; Not-Assessed excluded from the denominator) plus a Coverage-Confidence marker (Solid/Moderate/Directional) so a score from a thin pillar discloses that instead of reading as authoritative; the Infiltration HTML report renders the pillar line on its cover. A schema test in CI and the release gate fails the build if any check omits its ZT stance. Description narrowed Azure to Azure identity-plane to match real coverage. v2.38.0: Reliability and correctness fixes from live-tenant validation (read-only; no check-count or public-surface change). Fixed three collector under-fetch defects that produced wrong verdicts on live tenants while passing offline fixtures: cross-tenant access (EIDTNT-005) now collects the default policy so an all-inbound and outbound B2B default is flagged instead of passing; Intune configuration profiles (INTUNE-005) now request assignment data so assigned profiles are no longer reported unassigned; PIM eligibility (EIDPIM-010) now reads eligibility schedule definitions so standing eligible assignments are detected instead of reporting PIM not configured. Fixed an empty-collection dead-branch in about ten checks (Exchange anti-spam, anti-malware, Safe Attachments, Safe Links, transport rules; mobile-device MDM; Google alert rules; AD GPO inventory): a connected tenant with zero policies now returns the correct verdict (for example zero anti-malware policies or zero alert rules now FAIL) instead of being swallowed to SKIP or WARN; Not-Assessed-on-collection-error is preserved. Gave two AD checks a reachable path: AD GPO Restricted Groups (ADGPO-017) now passes in the clean state, and AD CS ESC9 binding enforcement (ADCS-012) reports Not Assessed when the registry value was not collected instead of a permanent WARN. Hardened alerting: Send-Signal no longer crashes when piped monitor results that expose Severity rather than ThreatLevel, signal formatting no longer aborts all channels on a null timestamp, and Register-Patrol no longer reports success when task registration actually failed. Added collector query-contract tests that assert the exact Graph endpoints and parameters the collectors request, plus regression fixtures for the corrected verdicts. v2.37.0: Fixed 7 Entra PIM privileged-account checks (EIDPIM-004/005/006/007/008/009/013) that referenced an undefined variable and threw at runtime instead of returning a verdict. They now evaluate the collected privileged-user set behind a Not Assessed guard and correctly flag guest accounts in privileged roles, on-premises-synced admins, privileged users without MFA or with weak-only MFA, disabled accounts that still hold privileged roles, never-signed-in privileged accounts, and separate-admin naming. Surfaced by the detection-test suite, which now also covers all 44 EIDSCA controls and the repaired PIM checks (1,583 fixtures; test-only, no public-surface change). v2.36.0: Added a golden-fixture detection-test suite for the security checks. 468 of 580 checks (every Critical, High, and Medium control) are now validated by synthetic fixtures that feed known-good, known-bad, and uncollectable data through the real check functions and assert the resulting verdict (PASS / FAIL / WARN / Not Assessed), pinning each check's contract so a regression that silently changes a verdict fails the test run. 1,288 fixtures run under Pester in a few seconds and surfaced several latent verdict defects, which are tracked for fixing. The installable module surface and all check behavior are unchanged — the suite lives in the repository. v2.35.0: Honesty fix across all theaters — a control whose data fails to collect now reports Not Assessed instead of PASS. Previously a Graph throttle/error or an AD enumeration failure could leave a check scoring "clean" on data it never saw. Invoke-GraphApi now fails loud by default so collectors record the failure (continuous-monitoring collectors opt out), a shared Get-NotAssessedFinding guard fronts the checks, and ~285 check sites consult their collector error map before passing on empty. Read-only; no check-count or public-surface change. v2.34.0: GUI — new Signals tab in Show-Guerrilla to manage alert providers. Add / remove / test Microsoft Teams, Slack, generic Webhook, PagerDuty, Pushover, SendGrid, Mailgun, Twilio, Syslog, and Windows Event Log signals (secrets stored in the vault, consistent with the CLI Send-Signal path), set the alert threshold, toggle alerting, and configure duplicate suppression. Each provider has a Test button that sends a synthetic alert through the real send path so you can confirm it works. v2.33.0: Reports — the Professional style is now the default for all HTML reports (Campaign / Reconnaissance / Infiltration / Fortification), and findings now list their affected entities as a bulleted list instead of a comma-separated paragraph across all four theater reports. v2.32.2: Fix — the GUI single-instance guard is now advisory. If the lock is held by a stranded process (a prior launch whose window got lost behind the hidden console), you are prompted to open a new window anyway instead of being blocked outright. The window also comes to the front on launch (Activate + brief Topmost) so it cannot open hidden behind other windows. v2.32.1: Fix — the GUI single-instance guard could falsely report "PSGuerrilla is already open in another window" when a prior launch left the lock held (window closed abnormally, or a still-alive session). The lock is now self-healing: a stale handle from this session is disposed, an abandoned lock from a dead process is reclaimed, and the lock is always released on close. See CHANGELOG.md for v2.32 and earlier.

FileList

Version History

Version Downloads Last updated
2.46.3 4 7/8/2026
2.40.1 (current version) 6 7/7/2026
2.40.0 6 7/7/2026
2.39.0 8 7/7/2026
2.38.0 13 6/28/2026
2.37.0 7 6/27/2026
2.36.0 8 6/27/2026
2.35.0 7 6/26/2026
2.34.0 6 6/25/2026
2.33.0 4 6/25/2026
2.32.2 6 6/25/2026
2.32.1 6 6/25/2026
2.32.0 7 6/25/2026
2.31.0 9 6/24/2026
2.30.3 6 6/24/2026
2.30.2 6 6/24/2026
2.30.1 7 6/24/2026
2.30.0 7 6/24/2026
2.29.1 8 6/22/2026
2.29.0 5 6/22/2026
2.28.1 5 6/22/2026
2.28.0 5 6/22/2026
2.27.0 6 6/22/2026
2.26.0 8 6/22/2026
2.25.0 6 6/22/2026
2.24.0 9 6/22/2026
2.23.0 7 6/21/2026
2.22.0 10 6/21/2026
2.21.0 8 6/21/2026
2.20.1 6 6/21/2026
2.20.0 5 6/21/2026
2.19.0 7 6/21/2026
2.18.0 8 6/21/2026
2.17.0 6 6/21/2026
2.16.0 6 6/21/2026
2.15.0 10 6/21/2026
2.14.1 9 6/20/2026
2.14.0 9 6/20/2026
2.13.0 8 6/20/2026
2.12.1 7 6/20/2026
2.12.0 10 6/20/2026
2.11.1 7 6/20/2026
2.11.0 6 6/19/2026
2.10.8 12 6/19/2026
2.10.7 17 6/19/2026
2.10.6 6 6/19/2026
2.10.5 7 6/19/2026
2.10.4 14 6/18/2026
2.10.3 9 6/18/2026
2.10.2 8 6/18/2026
2.10.1 7 6/18/2026
2.10.0 6 6/18/2026
2.9.4 7 6/18/2026
2.9.3 7 6/18/2026
2.9.2 5 6/18/2026
2.9.1 5 6/18/2026
2.9.0 15 6/17/2026
2.8.1 13 6/17/2026
2.8.0 13 6/17/2026
2.7.0 17 6/17/2026
2.6.0 6 6/16/2026
2.5.2 7 6/16/2026
2.5.1 6 6/16/2026
2.5.0 6 6/16/2026
2.4.4 6 6/16/2026
2.4.3 6 6/16/2026
2.4.2 7 6/16/2026
2.4.1 8 6/15/2026
2.4.0 9 6/11/2026
2.3.1 15 5/28/2026
2.3.0 8 5/28/2026
2.2.1 13 5/15/2026
2.2.0 5 5/15/2026
Show more