Tenable Identity Exposure 2024 Release Notes

• New Indicators of Exposure (IoEs)

  • Managed Service Accounts Dangerous Misconfigurations — Ensures the proper deployment and configuration of Managed Service Accounts.

  • Enabled Guest Account — Checks that the built-in guest account is disabled.

• Indicators of Exposure Enhancements

  • Domain Without Computer-Hardening GPOs — Integrated new checks specifically designed to address null sessions, which all domain computers should explicitly deactivate.

  • Native Administrative Group Members — Added "Exchange Servers", "Exchange Windows Permissions", and "Exchange Trusted Subsystem" groups to the allowlist for custom groups. This modification applies to the default security profile only and not to existing custom security profiles.

  • User Account Using Old Password — Added two reasons to distinguish between privileged users and regular users.

• To boost throughput, LDAP search requests now batch results between the Relay and the Ceti service.

Tenable Identity Exposure version 3.69 contains the following bug fixes:

Indicators of Exposure (IoEs) enhancements:

• Dormant Accounts — Two new reasons to make a distinction between privileged users and regular users.

• Computers Running an Obsolete OS — A new value 'lastLogonTimestamp' to show the timestamp of the last successful user logon in the "Inactive obsolete OS" deviances.

• Domain Without Computer-Hardening GPOs

  • New checks related to hardened UNC paths configured for domain controllers (SYSVOL/NETLOGON shares).

  • New checks related to the print spooler service that should remain disabled on domain controllers.

  • An enhancement to ensure proper Server Message Block (SMB) signing enforcement on domain controllers and other servers. It validates the "Default Domain Controllers Policy" parameter and checks for correct GPO configuration on other servers.

• Resultant Set of Policy (RSoP) IoEs — For the re-execution of RSoP IoEs with up-to-date cache, Tenable Identity Exposure now aggregates the buffered events over a short duration to reduce the number of changes to analyze (by default 1 minute and only for the "Logon Restrictions for Privileged Users" IoE).

Tenable Identity Exposure version 3.68 contains the following bug fixes:

• Computers cannot appear as deviant due to the reason "Not protected against delegation." Tenable Identity Exposure addresses and resolves any existing deviances related to this issue.

• Indicator of Exposure (IoE) enhancement — In the Kerberos Configuration on User Account IoE, users with smartcards are immune to the AS-REP Roasting attack and Tenable Identity Exposure no longer flags them as a security issue.

• Indicators of Attack (IoA) enhancements:

  • Password Guessing — A new option "Password spraying detection time interval" specifies the number of minutes over which each failed login attempt classifies as a potential attack in progress.

  • Enumeration of Local Administrators

    • A new option "Filtered access rights in aggressive mode" considers only specified access rights fetched from the event 'A network share object was checked' to classify a potential attack in progress. This list only applies in aggressive mode.

    • The default value for the option "Heuristic for Domain Controllers using versions before Windows Server 2016" is now "False".

  • DCSync — The default value for the option "Allow unknown source" is now "False".

  • NTDS Extraction — New "Deny list" in "Basic mode": diskshadow, ntdsutil, esentutl, esentutldefrag mode, vssown, copy-vss, wmi-based technique, psexec_ntds_grab, wmiprvse, vssadmin, vss, impacket-secretsdump, vss_requestor, VeeamGuestHelper, WMI-based technique.

  • Credential Dumping LSASS Memory — New "Deny list" in "Basic mode": mimikatz, taskmgr, ipconfig, arp, powershell, net, auditpol, whoami, cmd, route, processhacker, net1, csc, procdump, osqueryi.

Tenable Identity Exposure version 3.67 contains the following bug fixes:

Indicators of Attack (IoA) — New options for the following IoAs to limit false positives. For more information, see the Indicators of Attack Reference Guide.

Note: Beginning with this release, all IoAs on every security profile have the "Aggressive mode" option set to "False" by default. You can switch this option to "True" for each IoA in individual security profiles.

• Suspicious DC Password Change — New options:

  • "Aggressive mode":

• True: Detects the attack whether or not the user is authenticated.

• False (default): Detects only authenticated users.

• "Password change interval": In "Aggressive mode", this option specifies the period between two password changes (30 days by default).

• DCSync — New option:

• "Aggressive mode":

  • True: Triggers all attacks based on the IoA rules that can generate numerous false positives.

  • False (default): Triggers an attack only if the machine is not in the domain. This detects fewer attacks but avoids false positives.

Enhancements

• Optimized the computation duration for Indicators of Exposure dependent on Resultant Set of Policy (RSoP), resulting in slower deviance computation related to the RSoP. For more information, see RSoP-Based Indicators of Exposure in the Tenable Identity Exposure User Guide.

• Added support for limiting data visibility for Entra ID tenants in roles permissions management.

Tenable Identity Exposure version 3.66 contains the following bug fixes:

Indicators of Attack (IoA) — New default values for the following IoAs to limit false positives. For more information, see the Indicators of Attack Reference Guide.

• Golden Ticket — New "Aggressive Mode" option:

  • False (basic, default): Triggers an attack only if the targeted user is a domain controller or a user belonging to the Domain Admins group.

  • True: Allows attacks even if the target username is not a member of the "Domain Admins" group or a domain controller. It also allows attacks even if some domain controllers are not monitored (in other words, they do not emit any Windows Event Log).

• SAMAccountName Impersonation — New "Aggressive Mode" option:

  • False (basic, default): Does not trigger an attack if the TargetUserName is not a domain controller (DC).

  • True: Triggers all attacks based on the IoA rules that can generate numerous false positives.

• OS Credential Dumping: LSASS Memory — New options:

  • "Aggressive Mode":

  • False (basic, default): The IoA recognizes the tool and considers only the predefined processes as non-legitimate.

  • True: The IoA considers all attack tools as non-legitimate unless they are in the allowlist.

  • "Allowed processes in aggressive mode": Optional and applies only if the "Aggressive Mode" option = True.

  • "Basic Mode - Deny list": In basic mode, only the specified tools can trigger attacks.

• NTDS Extraction— New options:

  • "Aggressive Mode":

• False (basic, default): The IoA recognizes the tool and considers only the predefined processes as non-legitimate.

• True: The IoA considers all attack tools as non-legitimate unless they are in the allowlist.

• "Basic Mode - Deny list": On basic mode, only the specified tools can trigger attacks.

• "Basic Mode Attack Whitelisted Processes" (formerly "Whitelisted Processes"): Optional and applies only if the "Aggressive Mode" option = True.

• Massive Computers Reconnaissance— New default values for options:

  • Number of computers — 5000

  • Minimum number of computers — 100

  • Percentage of computers — 95

  • Sliding window — 240

  • Waiting time between attacks — 240

• Password Guessing— New default value for option:

  • Number of accounts with failed attempts — 10 000

• Enumeration of Local Administrators — The option "Heuristic for Domain Controllers using versions prior to Windows Server 2016" is now set to "False" by default.

Indicators of Exposure (IoE)

• New IoEs

• Privileged Authentication Silo Configuration — Provides a step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.

• Privileged AD User Accounts Synchronized to Microsoft Entra ID — Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.

• Enhancements

  • Dangerous Kerberos Delegation IoE — Introduces a new reason to detect the current configuration of Kerberos delegation on Microsoft Entra Connect account (AZUREADSSOACC).

  • Reversible Passwords IoE — Validates passwords configured for storage in a reversible format based on the settings defined by the msDS-PasswordReversibleEncryptionEnabled attribute within the Password Settings Object (PSO).

  • Local Administrative Account Management IoE — Adds support for the new Microsoft Local Administrator Password Solution (LAPS) with a new option called "LAPS version installed" and validates the LAPS version configuration based on the user's selections.

Tenable Identity Exposure version 3.65 contains the following bug fixes:

Tenable Identity Exposure version 3.64 contains the following bug fixes:

• Indicators of Attack — The "Allowed Processes" option in the Indicators of Attack Credential Dumping: LSASS Memory and NTDS Extraction includes processes known to raise false positives.

Tenable Identity Exposure version 3.63 contains the following bug fixes: