Conversation
tunelko (Owner) commented on May 30, 2026
- PrivescPage carrier handoff banner translated end-to-end (header, observation, attack steps, section titles).
- RuntimeTracePage "discard previous trace" confirmation dialog translated.
- Re-publishes v1.1.18 installer asset with these fixes folded in.
… ci] The TryLateAdopt path was probing every unknown PID via Win32 and adopting on name/path match, causing collateral pickups of unrelated processes (git-bash etc.) during long traces. Drop it: keep only the strict ProcessStart-time adoption (consent.exe + tracked-target image/name match). bcrypt-style detection still works via ProcessStart for consent.exe. Also tighten ElevationTransitionDetectorTests carrier seed to use UsersWrite=true (DACL signal) instead of CurrentUserWrite=true (probe signal). The new IsUserWritable drops CurrentUserWrite under host elevation, so the probe-based seed failed on CI runners which run as Administrator. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…uncher false positives [skip ci] Battle.net and similar launchers spawn same-name children with strict temporal ordering but no UAC handoff. The pure-heuristic detector flagged these as transitions. Add an optional pidIntegrity map: when present (live ETW + EtwResultConverter paths), require child PID at High/System IL AND strictly above parent IL. CSV-only path keeps the heuristic since ProcMon doesn't expose token IL. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…g [skip ci] PrivescPage carrier handoff banner (header fields, observation, attack steps, "+N more" suffix, "EXPLOITATION CHAIN" / "ATTACK STEPS" section titles) and the RuntimeTracePage "discard previous trace" confirmation dialog were still in Spanish. All translated to English so the UI is consistent end to end. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
tunelko added a commit that referenced this pull request on Jun 9, 2026
…ation (#39)

* feat(evasion): B.2 elevation detector + privesc surface handoff (#31)
* ci: trigger CI for v1.1.18 PR (one-off no skip-ci)
* fix(etw): drop late-adoption in OnFileCreate; tighten test seed [skip ci]
  The TryLateAdopt path was probing every unknown PID via Win32 and adopting on name/path match, causing collateral pickups of unrelated processes (git-bash etc.) during long traces. Drop it: keep only the strict ProcessStart-time adoption (consent.exe + tracked-target image/name match). bcrypt-style detection still works via ProcessStart for consent.exe. Also tighten ElevationTransitionDetectorTests carrier seed to use UsersWrite=true (DACL signal) instead of CurrentUserWrite=true (probe signal). The new IsUserWritable drops CurrentUserWrite under host elevation, so the probe-based seed failed on CI runners which run as Administrator.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* ci: trigger CI for v1.1.18 PR fix (one-off no skip-ci)
* fix(etw): IL gate in ElevationTransitionDetector to drop same-name launcher false positives [skip ci]
  Battle.net and similar launchers spawn same-name children with strict temporal ordering but no UAC handoff. The pure-heuristic detector flagged these as transitions. Add an optional pidIntegrity map: when present (live ETW + EtwResultConverter paths), require child PID at High/System IL AND strictly above parent IL. CSV-only path keeps the heuristic since ProcMon doesn't expose token IL.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* ci: trigger CI for v1.1.18 PR after IL gate fix (one-off no skip-ci)
* fix(ui): translate Spanish strings in privesc handoff and trace dialog [skip ci]
  PrivescPage carrier handoff banner (header fields, observation, attack steps, "+N more" suffix, "EXPLOITATION CHAIN" / "ATTACK STEPS" section titles) and the RuntimeTracePage "discard previous trace" confirmation dialog were still in Spanish. All translated to English so the UI is consistent end to end.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* ci: trigger CI for PR #33 Spanish-text fix (one-off no skip-ci)
* release: v1.1.19 — strict ACL writability decoupled from process elevation [skip ci]
  Unified writability criterion across all surfaces (Scan, Wizard, AttackPath, RuntimeTrace, Scorer, Procmon, AttackPath badge, VerdictBadge). Single source of truth: DACL inspection via well-known SIDs + owner SID, decoupled from the DllSidecar process token. Fixes false "Y" / "Open" on Program Files when DllSidecar runs elevated.
  - DirectoryPermissions: 3-tier WriteTier (AdminOnly/OwnerOnly/Open) + OwnerHasWrite
  - DirectoryAclChecker: tightened WriteRights mask (was matching RX rules via FullControl/Modify aggregates that share read bits); filter TrustedInstaller (S-1-5-80-*), AppContainer (S-1-15-*), CREATOR OWNER/GROUP; capture owner SID
  - ExploitabilityScorer: OwnerOnlyWritable +2 / +1 path (per-user portable)
  - UI: OPEN / OWNER / LOCKED badges in Wizard, LOW-PRIV / owner / admin labels in Scan & AttackPath, W column tooltip explaining strict semantics
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* ci: trigger CI for v1.1.19 release PR (one-off no skip-ci)

---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
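The v1.1.19 release note above describes the DACL-only writability tiering (AdminOnly / OwnerOnly / Open, OwnerHasWrite, SID filtering, and the write-rights mask bug where the Modify aggregate shares bits with ReadAndExecute). The block below is an added example written for this page, not DllSidecar's own DirectoryAclChecker code: it models a directory DACL as a list of ACEs with real winnt.h access-mask values and .NET FileSystemRights aggregate values, and classifies it without ever consulting the calling process token. The function and type names (`classify`, `naive_is_writable`, `WriteTier`, `Ace`), the exact set of bits in `WRITE_MASK`, and the sample DACLs are assumptions of this example; the commit message does not state the project's actual mask.

```python
"""Strict directory writability from the DACL alone (illustrative model, not the
project's code). Decoupled from process elevation: the answer depends only on the
ACEs and the owner SID, so running elevated cannot turn Program Files into "Open"."""
from dataclasses import dataclass
from enum import Enum

# winnt.h access-mask bits that let a principal plant a file in a directory or
# rewrite its DACL. FILE_WRITE_EA / FILE_WRITE_ATTRIBUTES are excluded on purpose:
# they cannot create a file. Which bits belong here is this example's assumption.
FILE_WRITE_DATA  = 0x00000002   # create files in the directory
FILE_APPEND_DATA = 0x00000004   # create subdirectories
WRITE_DAC        = 0x00040000   # can grant self full control
WRITE_OWNER      = 0x00080000
GENERIC_WRITE    = 0x40000000
GENERIC_ALL      = 0x10000000
WRITE_MASK = (FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | WRITE_OWNER
              | GENERIC_WRITE | GENERIC_ALL)

# .NET FileSystemRights aggregates. Modify contains every ReadAndExecute bit, so
# testing "rights & Modify != 0" matches a plain RX ACE (the bug the release fixed).
MODIFY           = 0x001301BF
READ_AND_EXECUTE = 0x001200A9
FULL_CONTROL     = 0x001F01FF

LOW_PRIV_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                 "S-1-5-32-545": "Users", "S-1-5-32-546": "Guests"}
ADMIN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-32-544": "Administrators"}
PLACEHOLDER_SIDS = {"S-1-3-0", "S-1-3-1"}   # CREATOR OWNER / CREATOR GROUP


class WriteTier(Enum):
    ADMIN_ONLY = "AdminOnly"
    OWNER_ONLY = "OwnerOnly"
    OPEN = "Open"


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    allow: bool = True
    inherit_only: bool = False   # INHERIT_ONLY_ACE: applies to children, not this directory


@dataclass
class Verdict:
    tier: WriteTier
    owner_has_write: bool
    writers: tuple               # SIDs with effective write on the directory itself


def naive_is_writable(ace: Ace) -> bool:
    """Pre-fix shape of the check: any overlap with the Modify aggregate counts."""
    return ace.allow and (ace.mask & MODIFY) != 0


def ignored(sid: str) -> bool:
    """Principals that never represent a low-privilege foothold on the directory."""
    return (sid.startswith("S-1-5-80-")      # service SIDs, incl. TrustedInstaller
            or sid.startswith("S-1-15-")    # AppContainer / capability SIDs
            or sid in PLACEHOLDER_SIDS)


def effective_write(dacl, sid: str) -> bool:
    """Deny ACEs take precedence over allow; inherit-only ACEs do not apply here."""
    allowed = denied = 0
    for ace in dacl:
        if ace.sid != sid or ace.inherit_only:
            continue
        if ace.allow:
            allowed |= ace.mask
        else:
            denied |= ace.mask
    return (allowed & ~denied & WRITE_MASK) != 0


def classify(dacl, owner_sid: str) -> Verdict:
    """Three-tier verdict: Open if a well-known low-priv group can write, OwnerOnly
    if only the (non-admin) owner can, otherwise AdminOnly."""
    sids = {a.sid for a in dacl if not ignored(a.sid)}
    writers = tuple(sorted(s for s in sids if effective_write(dacl, s)))
    owner_has_write = (owner_sid not in ADMIN_SIDS and not ignored(owner_sid)
                       and effective_write(dacl, owner_sid))
    if any(s in LOW_PRIV_SIDS for s in writers):
        tier = WriteTier.OPEN
    elif owner_has_write:
        tier = WriteTier.OWNER_ONLY
    else:
        tier = WriteTier.ADMIN_ONLY
    return Verdict(tier, owner_has_write, writers)


# Constructed sample DACLs (not captured from a real host).
TI = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
PROGRAM_FILES = [   # default Program Files shape, owned by TrustedInstaller
    Ace(TI, FULL_CONTROL), Ace("S-1-5-18", FULL_CONTROL), Ace("S-1-5-32-544", FULL_CONTROL),
    Ace("S-1-5-32-545", READ_AND_EXECUTE), Ace("S-1-15-2-1", READ_AND_EXECUTE),
    Ace("S-1-3-0", FULL_CONTROL, inherit_only=True),
]
PER_USER_APP = [    # %LOCALAPPDATA%-style install owned by the user
    Ace("S-1-5-18", FULL_CONTROL), Ace("S-1-5-32-544", FULL_CONTROL), Ace(USER_SID, FULL_CONTROL),
]
WORLD_WRITABLE = PROGRAM_FILES + [Ace("S-1-5-11", MODIFY)]
DENIED = [          # Users granted Modify but explicitly denied the file-planting bits
    Ace("S-1-5-32-545", MODIFY),
    Ace("S-1-5-32-545", FILE_WRITE_DATA | FILE_APPEND_DATA, allow=False),
    Ace("S-1-5-32-544", FULL_CONTROL),
]

if __name__ == "__main__":
    for name, dacl, owner in [("Program Files", PROGRAM_FILES, TI),
                              ("per-user app", PER_USER_APP, USER_SID),
                              ("world-writable", WORLD_WRITABLE, TI),
                              ("denied", DENIED, "S-1-5-32-544")]:
        print(f"{name:15} {classify(dacl, owner).tier.value}")
```

The Users RX ACE on the Program Files sample is the case the release note calls out: `naive_is_writable` returns True for it because `0x1200A9 & 0x1301BF` is non-zero, while `classify` correctly reports AdminOnly. Inherit-only and placeholder ACEs (CREATOR OWNER) are skipped because they describe what new children will get, not who can write to this directory now.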