Conversation
… ci] The TryLateAdopt path was probing every unknown PID via Win32 and adopting on name/path match, causing collateral pickups of unrelated processes (git-bash etc.) during long traces. Drop it: keep only the strict ProcessStart-time adoption (consent.exe + tracked-target image/name match). bcrypt-style detection still works via ProcessStart for consent.exe. Also tighten ElevationTransitionDetectorTests carrier seed to use UsersWrite=true (DACL signal) instead of CurrentUserWrite=true (probe signal). The new IsUserWritable drops CurrentUserWrite under host elevation, so the probe-based seed failed on CI runners which run as Administrator. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…uncher false positives [skip ci] Battle.net and similar launchers spawn same-name children with strict temporal ordering but no UAC handoff. The pure-heuristic detector flagged these as transitions. Add an optional pidIntegrity map: when present (live ETW + EtwResultConverter paths), require child PID at High/System IL AND strictly above parent IL. CSV-only path keeps the heuristic since ProcMon doesn't expose token IL. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…g [skip ci] PrivescPage carrier handoff banner (header fields, observation, attack steps, "+N more" suffix, "EXPLOITATION CHAIN" / "ATTACK STEPS" section titles) and the RuntimeTracePage "discard previous trace" confirmation dialog were still in Spanish. All translated to English so the UI is consistent end to end. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ation [skip ci] Unified writability criterion across all surfaces (Scan, Wizard, AttackPath, RuntimeTrace, Scorer, Procmon, AttackPath badge, VerdictBadge). Single source of truth: DACL inspection via well-known SIDs + owner SID, decoupled from the DllSidecar process token. Fixes false "Y" / "Open" on Program Files when DllSidecar runs elevated.
- DirectoryPermissions: 3-tier WriteTier (AdminOnly/OwnerOnly/Open) + OwnerHasWrite
- DirectoryAclChecker: tightened WriteRights mask (was matching RX rules via FullControl/Modify aggregates that share read bits); filter TrustedInstaller (S-1-5-80-*), AppContainer (S-1-15-*), CREATOR OWNER/GROUP; capture owner SID
- ExploitabilityScorer: OwnerOnlyWritable +2 / +1 path (per-user portable)
- UI: OPEN / OWNER / LOCKED badges in Wizard, LOW-PRIV / owner / admin labels in Scan & AttackPath, W column tooltip explaining strict semantics
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Changes in this version
Unified writability criterion across all surfaces (Scan, Wizard, AttackPath, RuntimeTrace, Scorer, Procmon, VerdictBadge). The DACL inspection is now the single source of truth — decoupled from the DllSidecar process token, so the answer is the same whether DllSidecar runs elevated or not.
Fixes the long-standing false "writable" tag on `C:\Program Files\…` directories: the previous `WriteRights` mask included `FullControl`/`Modify`, both of which carry read bits — any READ-only ACE (e.g. `BUILTIN\Users:(RX)`) matched it and falsely flipped `UsersWrite=true`. The new mask checks only the bits that actually grant write or the ability to grant oneself write (CreateFiles / CreateDirectories / Delete / ChangePermissions / TakeOwnership / GENERIC_ALL / GENERIC_WRITE).

The 3-tier classification — `AdminOnly`/`OwnerOnly`/`Open` — is now visible everywhere as LOCKED/OWNER/OPEN (Wizard), admin/owner/LOW-PRIV (Scan, AttackPath), and the strict Y/blank in the Runtime Trace W column.
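The mask bug and the 3-tier classification described above, as an added example that is not part of this PR or the project's code. It reproduces the old `FullControl | Modify` overlap against an `(RX)` ACE and then classifies a constructed DACL into AdminOnly / OwnerOnly / Open from well-known SIDs plus the owner SID. The numeric bits are the documented `System.Security.AccessControl.FileSystemRights` and Win32 `GENERIC_*` values; the SID sets, the `Ace` record, the `classify` function and the sample DACLs are assumptions made for illustration, and deny ACEs are skipped as a simplification.

```python
from dataclasses import dataclass
from enum import Enum

# System.Security.AccessControl.FileSystemRights bits (documented .NET values)
CREATE_FILES       = 0x00000002
CREATE_DIRECTORIES = 0x00000004
DELETE             = 0x00010000
CHANGE_PERMISSIONS = 0x00040000
TAKE_OWNERSHIP     = 0x00080000
READ_AND_EXECUTE   = 0x000200A9   # what a "(RX)" ACE carries: read bits only
MODIFY             = 0x000301BF   # aggregate: write bits AND read bits
FULL_CONTROL       = 0x001F01FF   # aggregate: every bit, read bits included
# Win32 generic rights (mapped to specific rights by the file system)
GENERIC_ALL        = 0x10000000
GENERIC_WRITE      = 0x40000000

# Old mask: the aggregates share read bits, so an RX-only ACE overlaps it.
OLD_WRITE_RIGHTS = FULL_CONTROL | MODIFY
# Strict mask: only bits that grant write, or let the holder grant itself write.
STRICT_WRITE_RIGHTS = (CREATE_FILES | CREATE_DIRECTORIES | DELETE
                       | CHANGE_PERMISSIONS | TAKE_OWNERSHIP
                       | GENERIC_ALL | GENERIC_WRITE)


def grants_write(rights: int, mask: int = STRICT_WRITE_RIGHTS) -> bool:
    """Same overlap test both masks use; only the mask differs."""
    return (rights & mask) != 0


class WriteTier(Enum):
    ADMIN_ONLY = "AdminOnly"
    OWNER_ONLY = "OwnerOnly"
    OPEN = "Open"


# Assumed principal sets (well-known SIDs). Any of these holding write => Open.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4"}
ADMIN_SIDS = {"S-1-5-18", "S-1-5-32-544"}
# Filtered out before evaluation: TrustedInstaller, AppContainer, CREATOR OWNER/GROUP.
IGNORED_SID_PREFIXES = ("S-1-5-80-", "S-1-15-")
IGNORED_SIDS = {"S-1-3-0", "S-1-3-1"}


@dataclass(frozen=True)
class Ace:
    sid: str
    rights: int
    allow: bool = True   # deny ACEs are ignored below (simplification)


def classify(owner_sid: str, dacl: list, mask: int = STRICT_WRITE_RIGHTS):
    """Return (tier, users_write, owner_has_write) for a directory DACL."""
    writers = set()
    for ace in dacl:
        if not ace.allow:
            continue
        if ace.sid in IGNORED_SIDS or ace.sid.startswith(IGNORED_SID_PREFIXES):
            continue
        if grants_write(ace.rights, mask):
            writers.add(ace.sid)
    users_write = bool(writers & LOW_PRIV_SIDS)
    # Owner-only write is only "per-user portable" when the owner is not an admin-class SID.
    owner_has_write = owner_sid in writers and owner_sid not in ADMIN_SIDS
    if users_write:
        tier = WriteTier.OPEN
    elif owner_has_write:
        tier = WriteTier.OWNER_ONLY
    else:
        tier = WriteTier.ADMIN_ONLY
    return tier, users_write, owner_has_write


# Constructed DACLs (not captured from a real host).
PROGRAM_FILES_DACL = [
    Ace("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464", FULL_CONTROL),
    Ace("S-1-5-18", FULL_CONTROL),          # SYSTEM
    Ace("S-1-5-32-544", FULL_CONTROL),      # BUILTIN\Administrators
    Ace("S-1-5-32-545", READ_AND_EXECUTE),  # BUILTIN\Users:(RX)
    Ace("S-1-3-0", GENERIC_ALL),            # CREATOR OWNER (inherit-only)
]
PROGRAM_FILES_OWNER = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"

USER_DIR_OWNER = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID
USER_DIR_DACL = [
    Ace(USER_DIR_OWNER, FULL_CONTROL),
    Ace("S-1-5-18", FULL_CONTROL),
    Ace("S-1-5-32-544", FULL_CONTROL),
]

WORLD_WRITABLE_DACL = USER_DIR_DACL + [Ace("S-1-5-32-545", MODIFY)]

if __name__ == "__main__":
    print("old mask flags RX:", grants_write(READ_AND_EXECUTE, OLD_WRITE_RIGHTS))
    print("strict mask flags RX:", grants_write(READ_AND_EXECUTE))
    for name, owner, dacl in [("Program Files", PROGRAM_FILES_OWNER, PROGRAM_FILES_DACL),
                              ("user dir", USER_DIR_OWNER, USER_DIR_DACL),
                              ("world-writable", USER_DIR_OWNER, WORLD_WRITABLE_DACL)]:
        print(name, classify(owner, dacl))
```

Run with the strict mask, the Program Files DACL comes out AdminOnly with `UsersWrite=false`; the same DACL evaluated under `OLD_WRITE_RIGHTS` comes out Open, which is exactly the false "Y" the change removes. The Modify ACE in the last sample still registers as write under the strict mask because Modify carries CreateFiles/CreateDirectories/Delete, so tightening the mask does not lose genuine write grants.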