Last 20 of 29 releases

Changelog

Everything we ship, tagged and dated. Auto-generated from GitHub Releases at deploy time.

Atom feed · built 2026-06-10T07:33:13.787Z

v1.19.1

May 26, 2026 Latest View on GitHub →

v1.19.1 — Plugin System Refinements

Follow-up improvements to the community plugin architecture:

  • Improved plugin isolation: Plugins load in separate AssemblyLoadContexts, so each plugin's dependencies resolve independently of the host's and of other plugins'. Note that an AssemblyLoadContext is a load-isolation boundary, not a privilege boundary: plugin code still runs with the full rights of the WinSentinel process.
  • Better error handling: Graceful degradation when a plugin fails to load
  • Plugin validation: Schema checks on plugin manifests before loading
  • Documentation: Added plugin authoring guide to the wiki

The plugin system is fully open — no license or paid tier required. Build and share audit plugins freely.

v1.19.0 — Plugin Architecture

May 24, 2026 View on GitHub →

v1.19.0 — Plugin Architecture for Community Extensibility

WinSentinel now supports a fully open plugin architecture. Anyone can write custom audit plugins to extend the security scanning engine:

  • Open ecosystem: Write your own audit modules using the IAuditPlugin interface
  • Drop-in loading: Place plugin DLLs in the plugins directory — auto-discovered at runtime. Any DLL found there executes with the tool's privileges, so keep write access to that directory restricted to administrators.
  • Full API access: Plugins get the same finding/severity/fix infrastructure as built-in modules
  • Community-driven: Share plugins via NuGet or GitHub — no gatekeeping, no paid tiers required

This release lays the foundation for a vibrant community of security-focused developers building specialized audit modules for their environments.

Other changes
  • Plugin discovery and loading infrastructure
  • Plugin manifest schema for metadata and versioning
  • Sample plugin template included in the repo
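
The loading model described in v1.19.0 and refined in v1.19.1 (one AssemblyLoadContext per plugin, manifest schema checks before load, graceful degradation when a plugin fails), shown as an added C# example. This is illustrative code written for this page, not WinSentinel's own loader: the IAuditPlugin shape, the <name>.manifest.json file layout and its fields, and the apiVersion check are all assumptions. Two points the release notes leave implicit are built in: the manifest's assembly field must be a bare file name so a manifest cannot point outside the plugins directory, and the host keeps loading the remaining plugins when one throws. An AssemblyLoadContext isolates assembly resolution and unloading, not privileges, so this does not make an untrusted DLL safe to run.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.Loader;
using System.Text.Json;

// Hypothetical plugin contract for this example; WinSentinel's real IAuditPlugin may differ.
public interface IAuditPlugin
{
    string Name { get; }
    IEnumerable<string> Audit();   // findings as plain strings, to keep the example small
}

// Hypothetical manifest: <plugin>.manifest.json placed next to the plugin DLL.
public sealed record PluginManifest(string Name, string Version, string AssemblyFile, int ApiVersion);

// One collectible AssemblyLoadContext per plugin: the plugin's dependencies resolve
// from its own .deps.json instead of colliding with the host's, and it can be unloaded.
sealed class PluginLoadContext : AssemblyLoadContext
{
    private readonly AssemblyDependencyResolver _resolver;

    public PluginLoadContext(string pluginPath)
        : base(Path.GetFileName(pluginPath), isCollectible: true)
        => _resolver = new AssemblyDependencyResolver(pluginPath);

    protected override Assembly? Load(AssemblyName name)
    {
        // Defer the contract assembly to the default context so type identity matches
        // across contexts; everything else is resolved from the plugin's folder.
        if (name.Name == typeof(IAuditPlugin).Assembly.GetName().Name) return null;
        string? path = _resolver.ResolveAssemblyToPath(name);
        return path is null ? null : LoadFromAssemblyPath(path);
    }
}

public static class PluginHost
{
    public const int SupportedApiVersion = 1;   // assumed; bump on breaking contract changes

    // Schema check before anything is loaded: required fields present, assembly is a
    // bare .dll file name (no traversal out of the plugins directory), API version known.
    public static bool ValidateManifest(PluginManifest? m, out string error)
    {
        error = "";
        if (m is null) { error = "manifest missing or unreadable"; return false; }
        if (string.IsNullOrWhiteSpace(m.Name)) { error = "name is required"; return false; }
        if (!Version.TryParse(m.Version, out _)) { error = $"bad version '{m.Version}'"; return false; }
        if (string.IsNullOrEmpty(m.AssemblyFile)
            || m.AssemblyFile != Path.GetFileName(m.AssemblyFile)
            || !m.AssemblyFile.EndsWith(".dll", StringComparison.OrdinalIgnoreCase))
        { error = "assemblyFile must be a bare .dll file name"; return false; }
        if (m.ApiVersion != SupportedApiVersion) { error = $"unsupported apiVersion {m.ApiVersion}"; return false; }
        return true;
    }

    public static IReadOnlyList<IAuditPlugin> LoadAll(string pluginsDir, Action<string> log)
    {
        var loaded = new List<IAuditPlugin>();
        if (!Directory.Exists(pluginsDir)) return loaded;
        var jsonOptions = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };

        foreach (string manifestPath in Directory.GetFiles(pluginsDir, "*.manifest.json", SearchOption.TopDirectoryOnly))
        {
            try
            {
                var manifest = JsonSerializer.Deserialize<PluginManifest>(File.ReadAllText(manifestPath), jsonOptions);
                if (!ValidateManifest(manifest, out string why)) { log($"skip {manifestPath}: {why}"); continue; }

                string dll = Path.Combine(pluginsDir, manifest!.AssemblyFile);
                Assembly asm = new PluginLoadContext(dll).LoadFromAssemblyPath(dll);

                foreach (Type t in asm.GetTypes())
                {
                    if (t.IsAbstract || !typeof(IAuditPlugin).IsAssignableFrom(t)) continue;
                    if (Activator.CreateInstance(t) is IAuditPlugin p)
                    {
                        loaded.Add(p);
                        log($"loaded {manifest.Name} {manifest.Version} ({t.FullName})");
                    }
                }
            }
            catch (Exception ex)
            {
                // Graceful degradation: a missing, corrupt or mismatched DLL is logged and
                // skipped; the scanner continues with the plugins that did load.
                log($"plugin at {manifestPath} failed to load: {ex.GetType().Name}: {ex.Message}");
            }
        }
        return loaded;
    }
}
```

Hardening beyond what the release notes describe, if the plugins directory is writable by anyone other than administrators: verify an Authenticode signature or a pinned hash of each DLL before calling LoadFromAssemblyPath, since the AssemblyLoadContext will happily execute whatever it finds.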

v1.18.0 — Threat Horizon Forecaster + machine-readable --version

May 21, 2026 View on GitHub →

v1.18.0 — Threat Horizon Forecaster + machine-readable --version

A focused minor release that adds one new agentic advisor and finally makes winsentinel --version safe to call from CI, inventory, and packaging scripts.

✨ New: Threat Horizon Forecast Advisor

ThreatHorizonForecastAdvisor is the sixth agentic sibling alongside FixOrchestrationPlanner, AlertRoutingAdvisor, AttackerProfileSynthesizer, PostureRegressionExplainer, and PolicyExceptionRiskAdvisor.

It produces a forward-looking 7-day threat-pressure forecast (0–100) by blending recent attacker-side recon signals with defender-side posture context:

  • Attacker signals (8): port scans, brute-force attempts, IOC matches, phishing waves, rogue DNS, dark-web mentions, anomalous outbound, etc. Each contribution is weighted by velocity, freshness, and distinct-source dedup so a single noisy source can't dominate.
  • Defender overhang (5): open critical findings, attack-surface size, recent posture regressions, recently revoked exceptions, exposed assets.
  • Risk-appetite shift: Cautious +5 / Aggressive −5.
  • Verdict ladder: Calm / Elevated / Imminent / UnderPressure, graded A–F.
  • Per-day forecast curve with attacker-decay modeling.
  • P0-first hardening playbook (BLOCK_KNOWN_IOCS, RATE_LIMIT_AUTH, HARDEN_PERIMETER, war-room convene on 2+ P0s, …).
  • Cross-signal insights: network / auth / user heat concentration, compound pressure, sustained pressure.
  • Renderers: Text / Markdown / JSON.

🐛 Fixes

  • #194 — Machine-readable --version. Adds two CI/inventory-friendly variants that compose with the existing 4-line human banner:
      • winsentinel --version --quiet → bare version string (e.g. 1.18.0)
      • winsentinel --version --json → stable JSON { product, version, informationalVersion, runtime, os, machine }
    After --version, only --quiet / --json are greedily consumed; any other trailing flag is rejected with a clear error.
  • #192 — --version now reflects the real installed version. PrintVersion was reading Assembly.GetName().Version, which returns the static AssemblyVersion attribute (pinned at 1.0.0.0 for binding stability). With MinVer driving the package version from git tags into AssemblyInformationalVersion, the printed banner was stuck at v1.0.0 even though the installed tool was 1.16.1+. Switched the banner to read AssemblyInformationalVersionAttribute (with AssemblyFileVersion + AssemblyName.Version as fallbacks) and strip the SourceLink +commitsha metadata so the output stays clean for support tickets. Covered by 4 new regression tests in ConsoleFormatterTests.
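
The version-resolution order from #192 and the trailing-flag rule from #194, as an added C# example. It is not the project's PrintVersion or argument parser, and the class and method names are assumptions made for this page. It reads AssemblyInformationalVersionAttribute first, falls back to AssemblyFileVersion and then AssemblyName.Version, strips SemVer build metadata at the first '+' while keeping any pre-release suffix, and rejects anything after --version other than --quiet / --json.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text.Json;

public static class VersionInfo
{
    // Resolution order that avoids the "stuck at 1.0.0" trap: AssemblyVersion is a
    // binding identity and is often pinned, so it is only the last fallback.
    public static string Resolve(Assembly asm)
    {
        string? info = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion;
        if (!string.IsNullOrWhiteSpace(info)) return StripBuildMetadata(info);

        string? file = asm.GetCustomAttribute<AssemblyFileVersionAttribute>()?.Version;
        if (!string.IsNullOrWhiteSpace(file)) return file;

        return asm.GetName().Version?.ToString() ?? "0.0.0";
    }

    // "1.18.0+a1b2c3d" -> "1.18.0"; "1.19.0-preview.3+a1b2c3d" -> "1.19.0-preview.3".
    // SemVer build metadata starts at the first '+'; a '-' pre-release tag is part of the version.
    public static string StripBuildMetadata(string version)
    {
        int plus = version.IndexOf('+');
        return plus < 0 ? version : version[..plus];
    }

    // Same field set as the documented --version --json object (field order assumed).
    public static string ToJson(Assembly asm) => JsonSerializer.Serialize(new
    {
        product = asm.GetName().Name,
        version = Resolve(asm),
        informationalVersion = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion,
        runtime = RuntimeInformation.FrameworkDescription,
        os = RuntimeInformation.OSDescription,
        machine = Environment.MachineName,
    });

    // Tokens after --version: only --quiet and --json are consumed; anything else is an
    // error rather than being silently ignored, so a typo in a CI script fails loudly.
    public static (bool Quiet, bool Json, string? Error) ParseVersionArgs(string[] rest)
    {
        bool quiet = false, json = false;
        foreach (string a in rest)
        {
            switch (a)
            {
                case "--quiet": quiet = true; break;
                case "--json": json = true; break;
                default: return (quiet, json, $"unexpected argument after --version: {a}");
            }
        }
        return (quiet, json, null);
    }

    public static void Main(string[] args)
    {
        var asm = typeof(VersionInfo).Assembly;
        var (quiet, json, error) = ParseVersionArgs(args);
        if (error is not null) { Console.Error.WriteLine(error); Environment.ExitCode = 2; return; }
        Console.WriteLine(json ? ToJson(asm) : quiet ? Resolve(asm) : $"{asm.GetName().Name} {Resolve(asm)}");
    }
}
```

With MinVer in the build, AssemblyInformationalVersion carries the tag-derived version plus the commit SHA, which is why the stripping step exists; a support ticket wants 1.18.0, while the JSON output still exposes the full informationalVersion for anyone who needs the exact commit.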

🧹 Maintenance

  • Dependabot config: group minor+patch updates (NuGet, GitHub Actions, Docker) into single PRs per ecosystem, add an analyzers group, expand the test-stack group, and ignore semver-major bumps on mcr.microsoft.com/dotnet/{sdk,runtime,aspnet} base images. The Dockerfile is pinned to 8.0-windowsservercore-ltsc2022 to match the net8.0-windows TFM across every project; major base-image bumps require a coordinated TFM migration and are now tracked manually instead of re-opened weekly by Dependabot.

⬆️ Upgrade

dotnet tool update --global WinSentinel.Cli
winsentinel --version --json

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.17.0...v1.18.0

v1.17.0 - Impact & Collection Detectors + CI hardening

May 20, 2026 View on GitHub →

What's Changed

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.16.1...v1.17.0

v1.16.1 - Elevated FixEngine wrapper hardening

May 19, 2026 View on GitHub →

v1.16.1 — Elevated FixEngine wrapper hardening

🔒 Security

  • FixEngine.ExecuteElevatedAsync: escape apostrophes in temp paths before embedding them in the elevated PowerShell wrapper.

The elevated remediation path builds a PowerShell try/catch wrapper around Path.GetTempPath()-derived script/output/error paths and runs it with Verb=runas (UAC). GUID nonces kept the file names safe, but the directory portion (%USERPROFILE%\AppData\Local\Temp by default) is attacker-influenceable: a Windows account name containing an apostrophe (e.g. O'Brien, whose profile lives under C:\Users\O'Brien) or a hijacked TEMP / TMP environment variable would close the PowerShell single-quoted literal and turn the wrapper into a command-injection sink running with administrator privileges.

The fix adds EscapePowerShellSingleQuoted (doubles every ', matching the PowerShell / SQL single-quoted escape rule) and applies it to the script, output, and error paths before interpolation.
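
The vulnerable and hardened forms of the elevated wrapper side by side, as an added C# example; it is not FixEngine's code, and the wrapper template, method names and sample paths are constructed for illustration. It adds one check the release notes do not mention: PowerShell's tokenizer also accepts the Unicode single-quote variants U+2018 to U+201B as string delimiters, and control characters never belong in a temp path, so paths containing either are refused rather than escaped.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

public static class ElevatedWrapper
{
    // Inside a PowerShell single-quoted literal the only escape is '' for a literal
    // apostrophe, so doubling every ' guarantees the value cannot close the literal.
    public static string EscapePowerShellSingleQuoted(string s) => s.Replace("'", "''");

    // Added hardening beyond the page: the PowerShell tokenizer treats these Unicode
    // quote characters as single quotes too, and a C0 control character in a temp
    // path is never legitimate. Refuse both instead of guessing how to escape them.
    static readonly char[] Forbidden = { '\u2018', '\u2019', '\u201A', '\u201B' };

    public static string RequireEmbeddable(string path)
    {
        if (path.IndexOfAny(Forbidden) >= 0 || path.Any(char.IsControl))
            throw new ArgumentException("path contains characters that cannot be embedded safely", nameof(path));
        return path;
    }

    // BEFORE: raw interpolation. With a path under C:\Users\O'Brien\... the apostrophe
    // terminates the literal and everything up to the next quote is parsed as code,
    // running elevated because the wrapper is launched with Verb=runas.
    public static string BuildVulnerable(string scriptPath, string outPath, string errPath) =>
        $"try {{ & '{scriptPath}' *> '{outPath}' }} catch {{ $_ | Out-File '{errPath}' }}";

    // AFTER: every path is validated and escaped before it is placed in a literal.
    public static string BuildHardened(string scriptPath, string outPath, string errPath)
    {
        string s = EscapePowerShellSingleQuoted(RequireEmbeddable(scriptPath));
        string o = EscapePowerShellSingleQuoted(RequireEmbeddable(outPath));
        string e = EscapePowerShellSingleQuoted(RequireEmbeddable(errPath));
        return $"try {{ & '{s}' *> '{o}' }} catch {{ $_ | Out-File '{e}' }}";
    }

    // Minimal reader for PowerShell single-quoted literals ('' decodes to '). Used to
    // show that the hardened wrapper contains exactly the three literals we built and
    // that they decode back to the original paths; the vulnerable wrapper does not.
    public static List<string> ExtractLiterals(string wrapper)
    {
        var result = new List<string>();
        int i = 0;
        while (i < wrapper.Length)
        {
            if (wrapper[i] != '\'') { i++; continue; }
            var sb = new StringBuilder();
            i++;                                   // opening quote
            while (i < wrapper.Length)
            {
                if (wrapper[i] == '\'')
                {
                    if (i + 1 < wrapper.Length && wrapper[i + 1] == '\'') { sb.Append('\''); i += 2; continue; }
                    i++; break;                    // closing quote
                }
                sb.Append(wrapper[i++]);
            }
            result.Add(sb.ToString());             // an unterminated literal is still added
        }
        return result;
    }

    public static void Main()
    {
        // Constructed samples: a legitimate profile path with an apostrophe, and a hostile
        // TEMP value carrying a payload (the payload here is harmless, just a marker).
        string brien = @"C:\Users\O'Brien\AppData\Local\Temp\";
        string hostile = @"C:\t'; Write-Host INJECTED; '\";
        foreach (string temp in new[] { brien, hostile })
        {
            string script = temp + "s.ps1", outp = temp + "o.txt", err = temp + "e.txt";
            var bad = ExtractLiterals(BuildVulnerable(script, outp, err));
            var good = ExtractLiterals(BuildHardened(script, outp, err));
            bool roundTrip = good.Count == 3 && good[0] == script && good[1] == outp && good[2] == err;
            Console.WriteLine($"vulnerable: {bad.Count} literals (expected 3); hardened: {good.Count} literals, round-trip ok = {roundTrip}");
        }
    }
}
```

Base64-encoding the wrapper for -EncodedCommand (the approach v1.8.0 took for toast notifications) avoids command-line quoting problems but does nothing for a value interpolated into the script text, so escaping at the literal boundary is still required whenever a path is built into the script rather than passed as an argument.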

✅ Tests

  • New FixEngineTests.EscapePowerShellSingleQuoted_* theory + null case covering plain, empty, normal Windows temp paths, apostrophe-bearing user paths, raw injection payloads, and null.

🧱 Build

  • WinSentinel.Core.csproj: switch to the proper <ItemGroup>-scoped <InternalsVisibleTo Include="WinSentinel.Tests" /> form so the test project can exercise the new internal helper.

Full diff: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.16.0...v1.16.1

v1.16.0 - ATT&CK Detector Suite

May 17, 2026 View on GitHub →

WinSentinel v1.16.0

A feature-heavy release expanding MITRE ATT&CK coverage and polishing the agentic analysis layer. 25 commits since v1.15.1.

New: ATT&CK Detector Suite

Five new autonomous detectors stitched into the analysis pipeline:

  • Credential Access Detector (TA0006) — LSASS dumping, Kerberoasting, brute-force, password spraying, keylogging, NTLM relay, and more. Builds harvest chains and recommends containment.
  • Initial Access Detector (TA0001) — phishing, exploit-public-facing, supply-chain, valid-account abuse.
  • Discovery Detector (TA0007) — host/network/account reconnaissance signal extraction.
  • Execution Detector (TA0002) — script interpreter abuse, scheduled-task / WMI execution, LOLBin patterns.
  • Command & Control Detector (TA0011) — beaconing, encrypted-channel and proxy abuse heuristics.

Performance

  • SecurityNerveCenter now sorts audit history once and threads the result through BuildSignals / BuildAlerts instead of re-sorting per call.
  • InsiderThreatProfiler.DetectDeviations collapsed 6+ separate Where().Count() passes into a single-pass event bucketing loop.

Refactors / Reliability

  • InsiderThreatProfiler risk-tier classification cleanup: removed an unreachable Critical arm in the first ternary that was immediately shadowed by a corrective if/else ladder; collapsed both into a single highest-first ClassifyInsiderRiskLevel helper with a named CriticalRiskThreshold = 85 constant.
  • NuGet publish workflow fix.
  • Preview package CI for pre-release builds.

CI / Release Plumbing

  • nuget.yml triggers on published releases and packs both WinSentinel.Core and WinSentinel.Cli against the release tag version.
  • Version-sync workflow keeps csproj <Version> aligned with MinVer-derived tags.

Install

dotnet tool install --global WinSentinel.Cli --version 1.16.0

---

Tag-driven release; NuGet publish workflow will run automatically on publish.

WinSentinel v1.15.1 — Critical Bug Fix (Stack Overflow in EventLogAudit)

May 2, 2026 View on GitHub →

Bug Fix

🐛 Fixed: Stack Overflow crash in EventLogAudit module

Impact: WinSentinel crashed with a StackOverflowException every time an audit was run (--audit, --score, or any command that triggers the EventLog module).

Root Cause: The AddFinding and AddFindings helper methods in EventLogAudit.cs called themselves recursively inside a lock block instead of calling result.Findings.Add(). Every audit therefore recursed without bound (19,234+ frames) until the stack overflowed.

Fix: Replaced the recursive self-calls with direct result.Findings.Add(finding) calls.

This was introduced in v1.11.0 and affected all subsequent versions through v1.15.0.

WinSentinel v1.15.0 — Insider Threat Profiler, Lateral Movement Detector & Privilege Escalation Detection

April 30, 2026 View on GitHub →

What's New in v1.15.0

🕵️ Insider Threat Behavioral Profiler

Autonomous user risk analysis engine that profiles insider threat indicators:

  • Behavioral pattern scoring across access, data movement, and temporal anomalies
  • User risk classification with confidence-weighted threat levels
  • CLI integration with formatted insider threat reports

🔀 Lateral Movement Detector (MITRE ATT&CK TA0008)

Detects lateral movement techniques across the network:

  • SMB/WMI/RDP/PsExec/SSH hop chain detection
  • Movement graph construction with source-destination-technique edges
  • Autonomous pivot point identification and path analysis
  • 486 tests covering detection accuracy and edge cases

⚡ Privilege Escalation Detector (MITRE ATT&CK TA0004)

Identifies privilege escalation attempts matching MITRE ATT&CK TA0004:

  • Token manipulation, service abuse, UAC bypass, and scheduled task detection
  • Group policy audit integration for misconfiguration-based escalation paths
  • 378 tests validating detection coverage

📊 Security Posture Momentum Analyzer

Tracks the trajectory of security posture over time:

  • Momentum scoring with velocity and acceleration metrics
  • Trend detection (improving, degrading, stagnant) with configurable windows
  • Posture delta analysis between assessment periods

🏗️ Infrastructure

  • Coverage gate workflow with per-component thresholds and Codecov integration
  • 21 new files, ~5,962 lines of production + test code

Test Coverage

| Component | Tests |
|-----------|-------|
| Insider Threat Profiler | 345 |
| Lateral Movement Detector | 486 |
| Posture Momentum Analyzer | 236 |
| Privilege Escalation Detector | 378 |

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.14.0...v1.15.0

WinSentinel v1.14.0 — Kill Chain Reconstructor, Threat DNA Profiler & Docker Orchestration

April 29, 2026 View on GitHub →

What's New

🔗 Kill Chain Reconstructor

Autonomous attack phase mapping and progression detection. Maps security audit findings to 14 MITRE ATT&CK kill chain phases, detects multi-phase attack progressions across 10 templates (ransomware, APT, credential theft, insider threat, etc.), predicts next likely phases using Markov-based transition probabilities, and generates prioritized response plans.

winsentinel --kill-chain [--json] [-o report.json]

🧬 Threat DNA Profiler

Generates a unique vulnerability fingerprint for a system by analyzing historical audit findings. Extracts threat 'genes' (recurring vulnerability patterns), tracks frequency/persistence/resistance to fixes, maps to MITRE ATT&CK techniques, and detects mutations over time.

winsentinel threat-dna [--threat-dna-days 90] [--threat-dna-top 15] [--json]

Features:

  • Evolutionary tracking with snapshot history and mutation detection
  • Resilience scoring (0–100) with phase detection (Emerging → Stabilizing → Hardening → Resilient)
  • SHA256-based DNA hash fingerprint for quick comparison
  • Targeted hardening plan with priority, effort, and resilience gain estimates

🐳 Docker Orchestration Improvements

  • Build ARGs for VERSION, BUILD_DATE, VCS_REF with OCI image labels
  • Dedicated test stage (--target test) for CI integration
  • HEALTHCHECK for CLI and Service runtime stages
  • docker-compose.yml with cli/service/scheduled-audit services

📖 Security Operations Runbook

Comprehensive operational guide covering daily operations, incident response (4-phase), scheduled maintenance, compliance workflows, fleet management, alert configuration, escalation matrix, and integration patterns.

🔧 CI/CD

  • Removed redundant build.yml (consolidated into ci.yml matrix)
  • Added dependency-review on PRs (actions/dependency-review-action@v4)
  • Added SBOM generation (SPDX) via Microsoft.Sbom.DotNetTool

Full Changelog

https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.13.0...v1.14.0

WinSentinel v1.13.0 — Process Lineage Audit, Beacon Detection & Regression Prediction

April 29, 2026 View on GitHub →

What's New in v1.13.0

🔍 Process Lineage Audit

Autonomous parent-child process chain analysis that detects suspicious process relationships mapped to MITRE ATT&CK techniques:

  • 12 detection rules covering Office macro exploitation (T1204.002), browser exploitation chains (T1189), LOLBin abuse (T1218), WMI lateral movement (T1047), malicious service installation (T1543.003), scheduled task persistence (T1053.005), and more
  • Orphaned process detection for parent-PID spoofing indicators
  • Auto-remediation commands for critical findings
  • winsentinel lineage [--json] [--quiet] [-o report.json]

📡 Network Beacon Detector

Detects C2 (Command & Control) beaconing patterns by analyzing network connection timing regularity:

  • Statistical jitter analysis — low jitter + consistent intervals flag likely C2 beacons
  • Signature matching against 10 known C2 framework profiles (Cobalt Strike, Metasploit, Sliver, Empire, Havoc, Brute Ratel, PoshC2, etc.)
  • Confidence classification (Low/Medium/High/Critical) with risk scores
  • MITRE ATT&CK T1071 mapping with prioritized remediation recommendations
  • winsentinel beacon [--json] [--quiet] [-o output.json]
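
A timing-regularity check of the kind the beacon detector describes, as an added C# example. It is not WinSentinel's detector: the coefficient-of-variation thresholds, the minimum connection count and the sample connection log are assumptions constructed for this page, and signature matching against named C2 profiles is not shown. For each destination it computes the intervals between successive connections and scores how tightly they cluster around their mean; a sleep loop with little jitter produces a small coefficient of variation, human-driven traffic does not.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record BeaconVerdict(string Destination, int Connections, double MeanIntervalSec, double JitterCv, string Confidence);

public static class BeaconHeuristic
{
    // Coefficient of variation (stdev / mean) of inter-connection gaps. Thresholds are
    // assumed for illustration; a real detector would tune them per environment.
    public static BeaconVerdict? Score(string destination, IReadOnlyList<DateTime> times, int minConnections = 8)
    {
        if (times.Count < minConnections) return null;       // too few samples to say anything
        var sorted = times.OrderBy(t => t).ToArray();
        var intervals = new double[sorted.Length - 1];
        for (int i = 1; i < sorted.Length; i++)
            intervals[i - 1] = (sorted[i] - sorted[i - 1]).TotalSeconds;

        double mean = intervals.Average();
        if (mean <= 0) return null;                             // duplicate timestamps; not a beacon signal
        double variance = intervals.Sum(x => (x - mean) * (x - mean)) / intervals.Length;
        double cv = Math.Sqrt(variance) / mean;

        string confidence = cv switch
        {
            < 0.05 => "Critical",   // metronomic: fixed sleep, no jitter
            < 0.15 => "High",
            < 0.30 => "Medium",     // jittered sleep still clusters this tightly
            _ => "Low",
        };
        return new BeaconVerdict(destination, sorted.Length, mean, cv, confidence);
    }

    // Group a flat connection log by destination and score each one, most regular first.
    public static List<BeaconVerdict> Analyze(IEnumerable<(DateTime at, string dst)> log) =>
        log.GroupBy(e => e.dst)
           .Select(g => Score(g.Key, g.Select(e => e.at).ToList()))
           .Where(v => v is not null).Select(v => v!)
           .OrderBy(v => v.JitterCv)
           .ToList();

    public static void Main()
    {
        // Constructed sample log: one destination contacted every 60 s with ±1 s jitter
        // (beacon-like) and one contacted at irregular, human-paced intervals.
        var rng = new Random(7);
        var t0 = new DateTime(2026, 5, 1, 9, 0, 0, DateTimeKind.Utc);
        var log = new List<(DateTime at, string dst)>();
        for (int i = 0; i < 20; i++)
            log.Add((t0.AddSeconds(60 * i + rng.NextDouble() * 2 - 1), "203.0.113.7:443"));
        double t = 0;
        for (int i = 0; i < 20; i++) { t += rng.Next(5, 600); log.Add((t0.AddSeconds(t), "198.51.100.20:443")); }

        foreach (var v in Analyze(log))
            Console.WriteLine($"{v.Destination,-20} n={v.Connections} mean={v.MeanIntervalSec:F1}s cv={v.JitterCv:F3} -> {v.Confidence}");
    }
}
```

Regular intervals alone are not proof of C2: NTP clients, update checkers and telemetry agents beacon too, so an allowlist of known destinations and a look at the process that owns the socket belong in front of any alert this heuristic raises.
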

🔄 Security Regression Predictor

Analyzes audit history to identify findings that keep returning after fixes, predicts which recent fixes are most likely to regress:

  • Finding lifecycle tracking across audit runs with pattern classification (Chronic/Periodic/Sporadic)
  • Root cause inference heuristics (superficial fix, config drift, periodic revert)
  • Per-module stability profiling (Stable/Shaky/Volatile)
  • Composite regression score (0–100) with risk level classification
  • winsentinel --regression [--regression-days 90] [--regression-top 15] [--regression-module <mod>] [--json]

🐛 Fixes

  • Docker attestation: Fixed attest-build-provenance using the tag string instead of the sha256 digest — it now captures the correct digest after push
  • Weekly vulnerability rescan: New docker-rescan.yml workflow for scheduled Trivy scans of published container images with SARIF upload to the GitHub Security tab

---

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.12.0...v1.13.0

WinSentinel v1.12.0 — Autonomous Threat Hunting & Security Canary

April 28, 2026 View on GitHub →

What's New

🎯 Autonomous Threat Hunt Engine

Proactive, hypothesis-driven threat hunting that automatically generates and validates security hypotheses against system telemetry — shifting from reactive alerting to active threat pursuit.

🐦 Security Canary Command (--canary)

Honeypot tripwire network that deploys decoy files, registry keys, and network listeners across the system. Any interaction with these canaries triggers immediate alerts, catching lateral movement and insider threats.

⚔️ Security War Game Command (--wargame)

Interactive adversarial simulation that models attack scenarios against the current security posture, helping identify defensive gaps before real attackers do.

🔍 Shadow IT Detector (--shadow)

Discovers unauthorized software, services, and cloud integrations running outside IT governance — surfacing hidden risk from unapproved tools.

💓 Vitals Dashboard (--vitals)

Medical-monitor-style real-time security health dashboard with vital signs, heartbeat monitoring, and at-a-glance system security status.

📚 Documentation & Testing

  • Comprehensive CONTRIBUTING.md with architecture overview, chat command guide, service catalog, and helper reference
  • 58 new tests for SecurityCompassService and VitalSignsService
  • Documentation for all 30 audit modules (expanded from 13)
  • Removed duplicate test files superseded by comprehensive versions

🔧 Dependency Updates

  • Bump MinVer 6.0.0 → 7.0.0
  • Bump actions/checkout 4 → 6
  • Bump actions/upload-artifact 4 → 7
  • Bump Microsoft.SourceLink.GitHub 10.0.202 → 10.0.203
  • Bump aquasecurity/trivy-action 0.35.0 → 0.36.0

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.11.0...v1.12.0

WinSentinel v1.11.0 — Security Flight Recorder

April 25, 2026 View on GitHub →

What's New

✈️ Security Flight Recorder CLI (--flightrecorder)

Continuous security event recording with black-box-style replay capability. Captures real-time security events, system state changes, and threat indicators into a persistent flight log that can be reviewed after incidents — like an airplane's flight recorder but for your Windows security posture.

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.10.0...v1.11.0

WinSentinel v1.10.0 — Security Replay & Topology Analysis

April 25, 2026 View on GitHub →

What's New

🔁 Security Replay CLI (--replay)

Time-travel security debugger that lets you snapshot, bisect, and diff security states across scan runs. Pinpoint exactly when a vulnerability was introduced or resolved by replaying historical scan data.

🗺️ Security Topology CLI (--topology)

Visualize relationships and dependencies between security findings, attack surfaces, and defensive controls. Maps out how vulnerabilities connect across system components.

🛡️ Security Fixes

  • CWE-78 Command Injection fix in ScheduledTaskAudit — FixCommands now properly sanitizes inputs to prevent OS command injection via crafted task names.

⚡ Performance

  • Pre-computed per-run finding key sets in FindingPersistenceAnalyzer, eliminating redundant set construction during cross-run comparisons.

🧪 Tests

  • 23 new tests for SecurityReplayService covering snapshot creation, bisect search, and state diffing.

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.9.0...v1.10.0

WinSentinel v1.9.0 — Security Compass & Predictive Analytics

April 24, 2026 View on GitHub →

What's New in v1.9.0

🧭 Security Compass (--compass)

Navigate your security posture with a compass-style directional analysis. Identifies the strongest and weakest security vectors across your system, giving you clear guidance on where to focus hardening efforts.

🔮 Security Prophecy (--prophecy)

Predictive threat forecasting powered by historical pattern analysis. Anticipates likely attack vectors and security events before they materialize, enabling proactive defense posture adjustments.

🎵 Security Rhythm Analyzer (--rhythm)

Detects cyclical patterns in security events — daily login surges, weekly backup windows, monthly patch cycles. Identifies anomalous deviations from established rhythms that may indicate compromise.

🤝 Security Negotiator (--negotiate)

Interactive conflict resolution for competing security policies. When hardening rules conflict (e.g., usability vs. lockdown), the negotiator evaluates trade-offs and suggests balanced configurations.

⚡ Performance

  • Eliminated string allocations in ProcessMonitorModule hot-path IsKnownAppDataApp and IsExpectedSystemProcess checks — replaced ToLowerInvariant() with OrdinalIgnoreCase comparisons to reduce GC pressure on high-frequency WMI process start events.

---

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.8.0...v1.9.0

WinSentinel v1.8.0 — Security Autopsy & Weather Intelligence

April 22, 2026 View on GitHub →

What's New

🔬 Security Autopsy (--autopsy)

Post-incident forensic analysis command that reconstructs attack timelines, identifies affected systems, and generates remediation playbooks.

🌦️ Security Weather Report (--weather)

Real-time security posture dashboard that summarizes threat conditions, active alerts, and risk forecasts in a weather-metaphor format.

🧠 Security Nerve Center (--nerve)

Centralized monitoring command that aggregates signals from all security subsystems into a unified situational awareness view.

🔒 Security Hardening

  • Block PowerShell dot-source operator bypass in InputSanitizer
  • Reject Windows reserved device names (CON, PRN, AUX, etc.) in ValidateFilePath
  • Fix command injection via toast notification — now uses -EncodedCommand

🧪 Testing

  • 27 new tests for SecuritySwarmIntelligence swarm analysis

🛠️ Internal

  • Hoist pattern arrays to static fields and extract SeverityExtensions helper

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.7.0...v1.8.0

WinSentinel v1.7.0 — Swarm Intelligence & Security Hardening

April 21, 2026 View on GitHub →

What's New in v1.7.0

🐝 Security Swarm Intelligence (New Feature)

  • Added --swarm CLI command for distributed security analysis using swarm intelligence algorithms
  • Enables collaborative threat detection across multiple security agents

🔒 Security Fix

  • CWE-94: Prevented scriptblock injection vulnerability in HardenScriptGenerator — user-supplied values are now properly sanitized before embedding in PowerShell scriptblocks

⚡ Performance

  • Single-pass BuildSummary in AgentJournal — eliminates redundant multi-pass aggregation when generating journal summaries

---

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.6.0...v1.7.0

WinSentinel v1.6.0 — Security Immune System

April 20, 2026 View on GitHub →

What's New

🛡️ Security Immune System (--immune)

Adaptive threat memory with vaccination records, antibodies, and proactive immunity recommendations. The immune system learns from past security events and builds defenses against recurring threats — like a biological immune system for your Windows security posture.

Dependencies
  • Bump Microsoft.SourceLink.GitHub from 10.0.201 to 10.0.202
  • Bump testing group (2 updates)
  • Bump actions/upload-pages-artifact from 4 to 5

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.5.1...v1.6.0

WinSentinel v1.5.0 — Security Correlation Engine & Genome Analysis

April 19, 2026 View on GitHub →

What's New in v1.5.0

🔗 Security Correlation Engine (--correlate)

New CLI command that cross-references findings across multiple security scanners to surface correlated attack patterns and reduce false positives. Identifies relationships between seemingly unrelated vulnerabilities.

🧬 Security Genome Command (--genome)

Generates a comprehensive security DNA profile of your system — a fingerprint of your security posture that can be compared over time or across machines to track drift and improvements.

🛡️ Path & Process Sanitization

Fix commands now sanitize file paths and process names to prevent injection attacks when applying automated remediations.

📚 Documentation Improvements
  • Added debugging guide to CONTRIBUTING.md
  • Docker development environment setup instructions
  • Compliance profile authoring documentation
  • New FAQ and Upgrade Guide in docs site

---

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.4.5...v1.5.0

WinSentinel v1.4.5 — Performance & Documentation

April 19, 2026 View on GitHub →

What's Changed

🚀 Performance

  • Reduce allocations in ThreatCorrelator hot path — lowered GC pressure in the threat correlation engine by eliminating unnecessary object allocations during event processing

🧪 Testing

  • Comprehensive SecurityHabitTracker tests — added full test coverage for the security habit tracking module

📖 Documentation

  • FAQ and Upgrade Guide — added FAQ section and upgrade guide to the documentation site, helping users troubleshoot common issues and migrate between versions

Full Changelog: https://github.com/sauravbhattacharya001/WinSentinel/compare/v1.4.4...v1.4.5
