Tenable.ad 3.19 On-premise (2022-04-20)
New Features
- Scalability — Dynamic activation and deactivation of Indicators of Exposure.
- LDAP authentication — The ability to enable/disable SASL bindings. For more information, see Authentication using LDAP in the Tenable Identity Exposure Administrator Guide.
- Memory cache — Tenable Identity Exposure has greatly improved its memory consumption to benefit Indicators of Attack (IoAs).
- New Indicators of Attack (For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.)
  - DPAPI Domain Backup Key Extraction: Detects a wide variety of attack tools that use LSA RPC calls to access backup keys.
  - Massive Computers Reconnaissance: Detects reconnaissance attacks that generate a massive number of authentication requests to Active Directory targets.
  - Enumeration of Local Administrators: Detects Active Directory data enumeration attacks.
  - NTDS Extraction: NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database that stores Active Directory secrets such as password hashes and Kerberos keys.
  - SAM Name Impersonation: Detects an attacker who tries to exploit two vulnerabilities that can lead to an elevation of privileges on the domain from a standard account without any security skills.
  - Kerberoasting: Detects and alerts on Kerberoasting attacks targeting Active Directory service account credentials.
- Windows Server 2022 — On-premise support for Windows Server 2022.
- Retirement of the Caroli component — Retired to optimize platform performance.
- Retirement of InfluxDB & Equuleus — Retired to optimize platform performance and data consistency.

  Note: For on-premises installations, the change in Tenable Identity Exposure's database implementation will cause the loss of historical data in the dashboards during upgrade. On-premises platforms will lose the history of statistics in the User, Deviances, and Compliance Score. Widgets for Users/Deviance count and Compliance Score will recover their most recent values after reinitialization; however, line chart widgets will only have one data point and will recover their values progressively.

- Domain connectivity tests — Allows you to test domain connectivity (LDAP and SYSVOL) before you add or modify a domain.
- Scalability — Tenable Identity Exposure considers resolved deviances as no longer useful and clears them from the database after 6 months.
- Indicator of Exposure — Improvements to the Logon restrictions for privileged users Indicator of Exposure.
- Workload quota — New ability to adjust the limit on the number of Indicators of Attack running simultaneously.
- Attack Path — New graphical representations to explore Active Directory relationships:
  - Blast Radius: Evaluates lateral movements in the AD from a potentially compromised asset.
  - Attack Path: Anticipates privilege escalation techniques to reach an asset from a specific entry point.
  - Asset Exposure: Measures an asset's vulnerability using asset exposure visualization and tackles all escalation paths.
- Honey Accounts — Allows the Kerberoasting Indicator of Attack to detect login or service requests. For more information, see Honey Accounts in the Tenable.ad Administrator Guide.
- API Endpoint — Retrieval of Active Directory objects from the database using the API.
- Tenable Identity Exposure propagates changes — such as a move or rename — on an LDAP container to the container children.
Bug Fixes

Bug Fix | Defect ID |
---|---|
Tenable Identity Exposure returns the API Score information again. | N/A |
The widget edition now takes into account previously selected domains. | N/A |
Tenable Identity Exposure now provides better analytics performance thanks to a new SQL index. | N/A |
Tenable Identity Exposure displays attacks that occur on the 1st day of the month in the correct month. | N/A |
When you remove a GPO, Tenable Identity Exposure only displays the deleted event. | N/A |
When the SYSVOL connection breaks, Tenable Identity Exposure renews the connection to allow the listener to fetch new events. | N/A |
The allow lists for Credentials Roaming users and groups now accept the samAccountName format. | N/A |
Tenable Identity Exposure considers resolved deviances as no longer useful and clears them from the database after 6 months. | N/A |
Tenable Identity Exposure now counts users with an unknown userAccountControl attribute as active AD users. This can happen when the account provided in Tenable Identity Exposure does not have the right to read this attribute or a corresponding attribute set. This can lead to an increase in the total number of users in the dashboard or the license. For more information, see User Accounts in the Technical Prerequisites document. | N/A |
Tenable Identity Exposure propagates changes — such as a move or rename — on an LDAP container to the container children. | N/A |
Connection to the SYSVOL share succeeds even if you change the credentials. | N/A |
Kerberos dangerous delegation now resolves after the privileged path is corrected by deleting and recreating the domain. | N/A |
The whitelist now clearly specifies the expected format. | N/A |
The SQL server functions correctly after Attack Path activation. | N/A |
The notification email contains the correct image format. | N/A |
Control Path relations now consider the source and target type. | N/A |
Tenable Identity Exposure updates the children DN when it detects a container move. | N/A |
It is no longer possible to delete the last user with an administrative role using the public API. | N/A |
Indicator of Exposure (IoE) C-PKI-DANG-ACCESS: | N/A |
The C-DC-ACCESS-CONSISTENCY IoE takes into account the "Keep deleted DCs" toggle update. | N/A |
The IoA/IoE service restarts after a toggle update. | N/A |
The C-PASSWORD-POLICY IoE now allows all non-global security groups. | N/A |
Tenable Identity Exposure limits dashboard names to 30 characters and truncates existing names exceeding this limit to 30 characters. | N/A |
Tenable Identity Exposure stabilized the retrieval of AD objects from the SQL server when it encounters a low number of objects with many changes. | N/A |
The Dangerous Delegation RBCD Backdoor now resolves the account SID. | N/A |
Tenable Identity Exposure does not keep attempting to process large messages. | N/A |
Native administrative group members IoE (C-NATIVE-ADM-GROUP-MEMBERS): Placing built-in administrative groups in the custom group option no longer creates inconsistent behaviors. | N/A |
The Logon restrictions for privileged users IoE (C-ADMIN-RESTRICT-AUTH) now resolves when you remove a computer from a sub-organizational unit. | N/A |
The Sleeping Accounts IoE no longer counts deleted users. | N/A |
The Tenable Identity Exposure API now sends a 400 error when no active value is provided at user creation. | N/A |
Tenable Identity Exposure now supports Windows LTS versions. | N/A |
Deleted sites no longer appear in deviances. | N/A |
Tenable Identity Exposure updates group members when they change OUs. | N/A |
When the Active Directory is slow, the regular crawling no longer starts if a crawl is already in progress. | N/A |
Migration from 3.1 to 3.11 does not generate false positives deviances on GPOs. | N/A |
The Tenable Identity Exposure crawling phase supports more edge cases. | N/A |
Tenable Identity Exposure's on-premise installer now ensures that it uses up-to-date NodeJs modules. | N/A |
Tenable Identity Exposure's analytics service successfully reconnects to the RabbitMQ server after failures. | N/A |
The partial recrawling of groupPolicyContainers objects takes all attributes into account. | N/A |
Patches

Tenable Identity Exposure version 3.19.12 contains the following patches.
Patch | Defect ID |
---|---|
Fixed CVE-2022-37026 by upgrading the RabbitMQ library dependency. | N/A |
Windows Server 2022 — The server no longer needs to reboot when installing Indicators of Attack on a Windows 2022 Domain Controller. | N/A |

Tenable Identity Exposure version 3.19.10 contains the following patches.
Patch | Defect ID |
---|---|
Tenable Identity Exposure no longer collects the AD attribute msds-revealedusers and no longer shows it in the Trail Flow. It was not useful in the security analysis. | N/A |
The RabbitMQ channel connection is more resilient. | N/A |
On the IoE page, filtering on a given domain no longer shows unexpected compliant "No Domain" IoEs. | N/A |

Tenable Identity Exposure version 3.19.9 contains the following patches.
Patch | Defect ID |
---|---|
Tenable Identity Exposure no longer does the Server Authentication EKU check on the SecProbe. | N/A |
On partially-domain-joined machines, Tenable Identity Exposure now successfully decodes any SDDL bi-grams related to the domain (e.g. DA for Domain Admins). | N/A |
The Dangerous sensitive privileges IoE is now correct when an AdObjectGptTmpl object that disables the UAC comes last. | N/A |

Tenable Identity Exposure version 3.19.7 contains the following patches.
Patch | Defect ID |
---|---|
Tenable Identity Exposure improved the efficiency of the internal message consumption. | N/A |
Tenable Identity Exposure improved the RabbitMQ channel connection resiliency. | N/A |
Tenable Identity Exposure no longer collects the userCertificate attribute. | N/A |
RabbitMQ consumers now keep retrying to connect on an exclusive queue. | N/A |
The Enumeration of Local Administrators IoA now filters out the enumeration of local admins when done locally, as this is most likely a legitimate action. | N/A |
Tenable Identity Exposure automatically resolves deviances related to a removed domain or security profile in internal calls. | N/A |
The installer now takes into account the locale when checking the expiration date of custom certificates. | N/A |