
WinSentinel v1.13.0 — Process Lineage Audit, Beacon Detection & Regression Prediction


@sauravbhattacharya001 sauravbhattacharya001 released this 29 Apr 04:42
· 170 commits to main since this release

What's New in v1.13.0

🔍 Process Lineage Audit

Autonomous parent-child process chain analysis that detects suspicious process relationships mapped to MITRE ATT&CK techniques:

  • 12 detection rules covering Office macro exploitation (T1204.002), browser exploitation chains (T1189), LOLBin abuse (T1218), WMI lateral movement (T1047), malicious service installation (T1543.003), scheduled task persistence (T1053.005), and more
  • Orphaned process detection for parent-PID spoofing indicators
  • Auto-remediation commands for critical findings
  • `winsentinel lineage [--json] [--quiet] [-o report.json]`

📡 Network Beacon Detector

Detects C2 (Command & Control) beaconing patterns by analyzing network connection timing regularity:

  • Statistical jitter analysis — low jitter + consistent intervals flag likely C2 beacons
  • Signature matching against 10 known C2 framework profiles (Cobalt Strike, Metasploit, Sliver, Empire, Havoc, Brute Ratel, PoshC2, etc.)
  • Confidence classification (Low/Medium/High/Critical) with risk scores
  • MITRE ATT&CK T1071 mapping with prioritized remediation recommendations
  • `winsentinel beacon [--json] [--quiet] [-o output.json]`
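As an added illustration of the timing-regularity check described above (example code written for this page, not WinSentinel's own implementation): connection timestamps are reduced to inter-arrival gaps, the coefficient of variation of those gaps is used as the jitter measure, and a confidence label is derived from it. The timestamps are constructed and the thresholds and minimum sample size are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: outbound connection timestamps (seconds) from one host
# to one destination. The first set mimics an implant with a 60 s sleep and
# roughly 1% timing drift; the second mimics an interactive browsing session.
BEACON_TIMES = [0.0, 60.4, 120.1, 180.9, 240.3, 300.8, 360.2, 420.6, 480.1, 540.7]
BROWSING_TIMES = [0.0, 3.2, 4.1, 31.0, 32.5, 90.4, 95.0, 240.0, 241.1, 600.0]


def interval_stats(timestamps, min_connections=6):
    """Return (mean_gap, jitter) for a connection series.

    jitter is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive connections: 0.0 is a perfectly regular series.
    Returns None when there are too few connections to judge regularity
    (min_connections is an assumed threshold, not a project default).
    """
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean_gap = mean(gaps)
    if mean_gap <= 0:
        return None
    return mean_gap, pstdev(gaps) / mean_gap


def classify_beacon(timestamps):
    """Map jitter to a Low/Medium/High/Critical confidence and a risk score.

    The jitter cut-offs and scores are assumptions chosen for this example.
    """
    stats = interval_stats(timestamps)
    if stats is None:
        return {"confidence": "None", "risk": 0, "mean_gap": None, "jitter": None}
    mean_gap, jitter = stats
    if jitter < 0.05:
        confidence, risk = "Critical", 95
    elif jitter < 0.15:
        confidence, risk = "High", 80
    elif jitter < 0.35:
        confidence, risk = "Medium", 50
    else:
        confidence, risk = "Low", 10
    return {"confidence": confidence, "risk": risk,
            "mean_gap": round(mean_gap, 2), "jitter": round(jitter, 4)}


if __name__ == "__main__":
    for name, series in (("beacon", BEACON_TIMES), ("browsing", BROWSING_TIMES)):
        print(name, classify_beacon(series))
```

Regularity is one signal, not a verdict: legitimate software updaters and monitoring agents also poll on fixed intervals, so a hit is best confirmed against destination reputation, process lineage and the framework profiles the release mentions.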

🔄 Security Regression Predictor

Analyzes audit history to identify findings that keep returning after fixes, and predicts which recent fixes are most likely to regress:

  • Finding lifecycle tracking across audit runs with pattern classification (Chronic/Periodic/Sporadic)
  • Root cause inference heuristics (superficial fix, config drift, periodic revert)
  • Per-module stability profiling (Stable/Shaky/Volatile)
  • Composite regression score (0–100) with risk level classification
  • `winsentinel --regression [--regression-days 90] [--regression-top 15] [--regression-module ] [--json]`

🐛 Fixes

  • Docker attestation: Fixed `attest-build-provenance` using tag string instead of sha256 digest — now captures correct digest after push
  • Weekly vulnerability rescan: New `docker-rescan.yml` workflow for scheduled Trivy scans of published container images with SARIF upload to GitHub Security tab

Full Changelog: v1.12.0...v1.13.0