Tenable Identity Exposure 2024 Release Notes
These release notes are listed in reverse chronological order.
Tenable Identity Exposure 3.69 (2024-04-18)
- New Indicators of Exposure (IoEs):
  - Managed Service Accounts Dangerous Misconfigurations — Ensures the proper deployment and configuration of Managed Service Accounts.
  - Enabled Guest Account — Checks that the built-in guest account is disabled.
- Indicators of Exposure enhancements:
  - Domain Without Computer-Hardening GPOs — Added new checks specifically for null sessions, which all domain computers should explicitly disable.
  - Native Administrative Group Members — Added the "Exchange Servers", "Exchange Windows Permissions", and "Exchange Trusted Subsystem" groups to the allowlist for custom groups. This change applies to the default security profile only, not to existing custom security profiles.
  - User Account Using Old Password — Added two reasons to distinguish between privileged users and regular users.
- To increase throughput, LDAP search requests now batch results between the Relay and the Ceti service.
Tenable Identity Exposure version 3.69 contains the following bug fixes:
- The enhanced detection algorithm in the Golden Ticket Indicator of Attack reduces both false negatives and false positives.
- Deviance remediation for the Accounts Using a Pre-Windows 2000 Compatible Access Control IoE now appears correctly.
- The Domain Without Computer-Hardening GPOs IoE now accurately detects findings.
- The Eridanis service no longer returns a 500 error when it accesses a deleted directory to flag a new deviance.
Tenable Identity Exposure 3.68 (2024-04-08)
Indicators of Exposure (IoEs) enhancements:
- Dormant Accounts — Two new reasons to distinguish between privileged users and regular users.
- Computers Running an Obsolete OS — A new value 'lastLogonTimestamp' shows the timestamp of the last successful user logon in "Inactive obsolete OS" deviances.
- Domain Without Computer-Hardening GPOs:
  - New checks for hardened UNC paths configured for domain controllers (SYSVOL/NETLOGON shares).
  - New checks for the print spooler service, which should remain disabled on domain controllers.
  - An enhancement to ensure proper Server Message Block (SMB) signing enforcement on domain controllers and other servers. It validates the "Default Domain Controllers Policy" parameter and checks for correct GPO configuration on other servers.
- Resultant Set of Policy (RSoP) IoEs — When re-executing RSoP IoEs with an up-to-date cache, Tenable Identity Exposure now aggregates the buffered events over a short duration to reduce the number of changes to analyze (by default 1 minute and only for the "Logon Restrictions for Privileged Users" IoE).
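The computer-hardening checks listed for 3.68 (hardened UNC paths for SYSVOL/NETLOGON, Print Spooler disabled, SMB signing) and the null-session checks added in 3.69 all boil down to a handful of registry-backed policy settings. The following is an added example, not Tenable's IoE code, that evaluates those settings against a constructed registry snapshot of a domain controller. The expected values follow the Microsoft security baseline for domain controllers; which exact values the product checks is not stated on this page, so treat the rule set as an assumption.

```python
"""Computer-hardening checks of the kind the release notes describe (null sessions,
hardened UNC paths for SYSVOL/NETLOGON, Print Spooler disabled, SMB signing),
evaluated against a registry snapshot. Added illustration, not Tenable's IoE code.
Expected values follow the Microsoft security baseline for domain controllers;
the product's exact checks are not stated on the page (assumption)."""
from typing import Dict, List, Optional, Tuple

LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN_SERVER = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
HARDENED_PATHS = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"
SPOOLER = r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler"

Snapshot = Dict[str, Dict[str, object]]

# Constructed snapshot of a domain controller with several gaps, in the shape an
# auditor would collect with `reg query` or Get-ItemProperty.
SAMPLE_DC: Snapshot = {
    LSA: {
        "RestrictAnonymous": 0,           # anonymous enumeration of shares still allowed
        "RestrictAnonymousSAM": 1,
        "EveryoneIncludesAnonymous": 0,
    },
    LANMAN_SERVER: {
        "RestrictNullSessAccess": 1,
        "RequireSecuritySignature": 0,    # SMB signing not required
    },
    HARDENED_PATHS: {
        r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
        # no entry for \\*\NETLOGON
    },
    SPOOLER: {"Start": 2},                # 2 = Automatic, 4 = Disabled
}

# The same host after remediation.
HARDENED_DC: Snapshot = {
    LSA: {"RestrictAnonymous": 1, "RestrictAnonymousSAM": 1, "EveryoneIncludesAnonymous": 0},
    LANMAN_SERVER: {"RestrictNullSessAccess": 1, "RequireSecuritySignature": 1},
    HARDENED_PATHS: {
        r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
        r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
    },
    SPOOLER: {"Start": 4},
}


def _get(snapshot: Snapshot, path: str, name: str) -> object:
    return snapshot.get(path, {}).get(name)


def hardened_path_ok(value: Optional[str]) -> bool:
    """A hardened UNC path entry is only effective when it requires both mutual
    authentication (Kerberos, no NTLM fallback) and integrity (SMB signing)."""
    if not value:
        return False
    flags: Dict[str, str] = {}
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        flags[key.strip().lower()] = val.strip()
    return (flags.get("requiremutualauthentication") == "1"
            and flags.get("requireintegrity") == "1")


def check_computer_hardening(snapshot: Snapshot) -> List[str]:
    """Return one finding per failed check; an empty list means the host passes."""
    findings: List[str] = []

    # Null sessions: every setting must hold, since any one of them reopens
    # anonymous enumeration of users, groups and shares.
    null_session_rules: List[Tuple[str, str, int]] = [
        (LSA, "RestrictAnonymous", 1),
        (LSA, "RestrictAnonymousSAM", 1),
        (LSA, "EveryoneIncludesAnonymous", 0),
        (LANMAN_SERVER, "RestrictNullSessAccess", 1),
    ]
    for path, name, expected in null_session_rules:
        actual = _get(snapshot, path, name)
        if actual != expected:
            findings.append(f"null sessions: {name} should be {expected}, found {actual!r}")

    # SMB signing on the server side ("Microsoft network server: Digitally sign
    # communications (always)").
    if _get(snapshot, LANMAN_SERVER, "RequireSecuritySignature") != 1:
        findings.append("SMB signing: RequireSecuritySignature should be 1")

    # Hardened UNC paths for the two shares every domain member reads GPOs from.
    for share in (r"\\*\SYSVOL", r"\\*\NETLOGON"):
        if not hardened_path_ok(_get(snapshot, HARDENED_PATHS, share)):
            findings.append(f"hardened UNC paths: no effective entry for {share}")

    # Print Spooler should be disabled on domain controllers.
    if _get(snapshot, SPOOLER, "Start") != 4:
        findings.append("Print Spooler: service is not disabled (Start should be 4)")
    return findings


if __name__ == "__main__":
    for line in check_computer_hardening(SAMPLE_DC):
        print(line)
```

Running it against SAMPLE_DC yields four findings (null sessions, SMB signing, the missing NETLOGON hardened path, and the spooler); the parsing in hardened_path_ok matters because an entry that sets only RequireIntegrity=1 still leaves the client free to fall back to NTLM, which is exactly the gap hardened paths exist to close.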
Tenable Identity Exposure version 3.68 contains the following bug fixes:
- It is now possible to update the Indicator of Attack (IoA) option on a customized security profile created before the introduction of new IoA options.
- The public API endpoint /export/profile/:profileId/checkers/:checkerId now works correctly without options.
Tenable Identity Exposure 3.67 (2024-03-21)
- Computers can no longer appear as deviant for the reason "Not protected against delegation." Tenable Identity Exposure resolves any existing deviances related to this issue.
- Indicator of Exposure (IoE) enhancement — In the Kerberos Configuration on User Account IoE, users with smartcards are not vulnerable to the AS-REP Roasting attack, and Tenable Identity Exposure no longer flags them as a security issue.
- Indicators of Attack (IoA) enhancements:
  - Password Guessing — A new option "Password spraying detection time interval" specifies the number of minutes within which failed login attempts are counted when classifying a potential attack in progress.
  - Enumeration of Local Administrators:
    - A new option "Filtered access rights in aggressive mode" considers only the specified access rights fetched from the event 'A network share object was checked' when classifying a potential attack in progress. This list applies only in aggressive mode.
    - The default value for the option "Heuristic for Domain Controllers using versions before Windows Server 2016" is now "False".
  - DCSync — The default value for the option "Allow unknown source" is now "False".
  - NTDS Extraction — New "Deny list" in "Basic mode": diskshadow, ntdsutil, esentutl, esentutldefrag mode, vssown, copy-vss, wmi-based technique, psexec_ntds_grab, wmiprvse, vssadmin, vss, impacket-secretsdump, vss_requestor, VeeamGuestHelper, WMI-based technique.
  - Credential Dumping LSASS Memory — New "Deny list" in "Basic mode": mimikatz, taskmgr, ipconfig, arp, powershell, net, auditpol, whoami, cmd, route, processhacker, net1, csc, procdump, osqueryi.
Tenable Identity Exposure version 3.67 contains the following bug fixes:
- Tenable Identity Exposure now correctly updates security profiles when you modify the following options for the following IoA configurations:
- If you have a Tenable One license, user creation takes place in Tenable Vulnerability Management and propagates to Tenable Identity Exposure. In this case, when you click the "Create user" button in Tenable Identity Exposure, a message directs you to Tenable Vulnerability Management to create users.
- Tenable Identity Exposure now shows all Entra ID IoEs on the IoE pane.
- The MSI log file is now available in C:\Tenable\Logs after an installation or an upgrade.
Tenable Identity Exposure 3.66 (2024-03-11)
Indicators of Attack (IoA) — New options for the following IoAs to limit false positives. For more information, see the Indicators of Attack Reference Guide.
Note: Beginning with this release, all IoAs on every security profile have the "Aggressive mode" option set to "False" by default. You can switch this option to "True" for each IoA in individual security profiles.
- Suspicious DC Password Change — New options:
  - "Aggressive mode":
    - True: Detects the attack whether or not the user is authenticated.
    - False (default): Detects only authenticated users.
  - "Password change interval": In "Aggressive mode", this option specifies the period between two password changes (30 days by default).
- DCSync — New option:
  - "Aggressive mode":
    - True: Triggers all attacks based on the IoA rules, which can generate numerous false positives.
    - False (default): Triggers an attack only if the machine is not in the domain. This detects fewer attacks but avoids false positives.
Enhancements
- Optimized the computation duration for Indicators of Exposure that depend on Resultant Set of Policy (RSoP), resulting in faster deviance computation related to the RSoP. For more information, see RSoP-Based Indicators of Exposure in the Tenable Identity Exposure User Guide.
- Added support for limiting data visibility for Entra ID tenants in roles permissions management.
Tenable Identity Exposure version 3.66 contains the following bug fixes:
- OS Credential Dumping LSASS IoA — Tenable Identity Exposure now takes into account the allowlist specified for the "Aggressive mode" option.
- Tenable Identity Exposure implemented a new mechanism to enhance the database's resilience when handling numerous modifications to the badPwdCount attribute, using throttling to limit changes.
- Tenable Identity Exposure updated the naming conventions for the Chinese language.
Tenable Identity Exposure 3.65 (2024-02-27)
Indicators of Attack (IoA) — New default values for the following IoAs to limit false positives. For more information, see the Indicators of Attack Reference Guide.
- Golden Ticket — New "Aggressive Mode" option:
  - False (basic, default): Triggers an attack only if the targeted user is a domain controller or a member of the Domain Admins group.
  - True: Allows attacks even if the target username is not a member of the "Domain Admins" group or a domain controller. It also allows attacks even if some domain controllers are not monitored (in other words, they do not emit any Windows Event Log).
- SAMAccountName Impersonation — New "Aggressive Mode" option:
  - False (basic, default): Does not trigger an attack if the TargetUserName is not a domain controller (DC).
  - True: Triggers all attacks based on the IoA rules, which can generate numerous false positives.
- OS Credential Dumping: LSASS Memory — New options:
  - "Aggressive Mode":
    - False (basic, default): The IoA recognizes the tool and considers only the predefined processes as non-legitimate.
    - True: The IoA considers all attack tools as non-legitimate unless they are in the allowlist.
  - "Allowed processes in aggressive mode": Optional and applies only if the "Aggressive Mode" option = True.
  - "Basic Mode - Deny list": In basic mode, only the specified tools can trigger attacks.
- NTDS Extraction — New options:
  - "Aggressive Mode":
    - False (basic, default): The IoA recognizes the tool and considers only the predefined processes as non-legitimate.
    - True: The IoA considers all attack tools as non-legitimate unless they are in the allowlist.
  - "Basic Mode - Deny list": In basic mode, only the specified tools can trigger attacks.
  - "Basic Mode Attack Whitelisted Processes" (formerly "Whitelisted Processes"): Optional and applies only if the "Aggressive Mode" option = True.
- Massive Computers Reconnaissance — New default values for options:
  - Number of computers — 5000
  - Minimum number of computers — 100
  - Percentage of computers — 95
  - Sliding window — 240
  - Waiting time between attacks — 240
- Password Guessing — New default value for option:
  - Number of accounts with failed attempts — 10,000
- Enumeration of Local Administrators — The option "Heuristic for Domain Controllers using versions prior to Windows Server 2016" is now set to "False" by default.
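The basic-mode deny list and aggressive-mode allowlist described above for the LSASS Memory and NTDS Extraction IoAs (and whose contents 3.67 lists) are two opposite default postures: basic mode only raises on known tooling and misses anything unlisted, aggressive mode raises on everything unlisted and relies on the allowlist to stay quiet. The following is an added example, not Tenable's rule engine, that applies both modes to constructed process-access events using the 3.67 LSASS deny list. Matching on the lower-cased file stem of the image path is a simplifying assumption; the product's matching rules are not described on this page.

```python
"""Basic-mode deny list versus aggressive-mode allowlist, as the LSASS Memory and
NTDS Extraction IoAs describe them, applied to process events. Added illustration,
not Tenable's rule engine: the events below are constructed, and matching on the
lower-cased file stem of the image path is a simplifying assumption."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import FrozenSet, Iterable, List

# Deny list reproduced from the 3.67 release notes for Credential Dumping: LSASS Memory.
LSASS_BASIC_DENY: FrozenSet[str] = frozenset({
    "mimikatz", "taskmgr", "ipconfig", "arp", "powershell", "net", "auditpol",
    "whoami", "cmd", "route", "processhacker", "net1", "csc", "procdump", "osqueryi",
})


@dataclass(frozen=True)
class LsassAccess:
    """One process that opened a handle to lsass.exe (constructed; in practice this
    would come from Sysmon event ID 10 or comparable EDR telemetry)."""
    host: str
    user: str
    image: str


def process_stem(image: str) -> str:
    """'C:\\Tools\\ProcDump.exe' -> 'procdump' (assumed normalisation)."""
    return PureWindowsPath(image).stem.lower()


def classify(events: Iterable[LsassAccess], aggressive: bool,
             basic_deny: FrozenSet[str] = LSASS_BASIC_DENY,
             aggressive_allow: FrozenSet[str] = frozenset()) -> List[LsassAccess]:
    """Return the events that would raise an attack.

    Basic mode: only images on the deny list raise; anything else is assumed
    legitimate. Aggressive mode: every image raises unless it is on the allowlist,
    which is why 3.66 sets aggressive mode to False by default and why the
    "Allowed processes in aggressive mode" option exists."""
    alerts: List[LsassAccess] = []
    for ev in events:
        stem = process_stem(ev.image)
        if aggressive:
            if stem not in aggressive_allow:
                alerts.append(ev)
        elif stem in basic_deny:
            alerts.append(ev)
    return alerts


# Constructed sample: one known tool, one AV engine, one WMI host, one unknown binary.
SAMPLE_EVENTS = [
    LsassAccess("DC01", "CORP\\jdoe", r"C:\Tools\ProcDump.exe"),
    LsassAccess("DC01", "NT AUTHORITY\\SYSTEM",
                r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"),
    LsassAccess("DC01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    LsassAccess("DC01", "CORP\\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\dumper.exe"),
]

if __name__ == "__main__":
    print("basic:", [process_stem(e.image) for e in classify(SAMPLE_EVENTS, aggressive=False)])
    print("aggressive, AV allowed:", [process_stem(e.image) for e in classify(
        SAMPLE_EVENTS, aggressive=True, aggressive_allow=frozenset({"msmpeng"}))])
```

In basic mode only ProcDump raises and the renamed dumper.exe goes unnoticed; in aggressive mode the dumper is caught, but so are Defender and WmiPrvSE until they are allowlisted. The same mode logic applies to NTDS Extraction with the deny list 3.67 gives for it.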
Indicators of Exposure (IoE)
- New IoEs:
  - Privileged Authentication Silo Configuration — Provides a step-by-step guide to configuring an authentication silo for privileged (Tier-0) accounts.
  - Privileged AD User Accounts Synchronized to Microsoft Entra ID — Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.
- Enhancements:
  - Dangerous Kerberos Delegation IoE — Introduces a new reason to detect the current Kerberos delegation configuration on the Microsoft Entra Connect account (AZUREADSSOACC).
  - Reversible Passwords IoE — Validates passwords configured for storage in a reversible format based on the msDS-PasswordReversibleEncryptionEnabled attribute of the Password Settings Object (PSO).
  - Local Administrative Account Management IoE — Adds support for the new Microsoft Local Administrator Password Solution (LAPS) with a new option called "LAPS version installed" and validates the LAPS version configuration based on the user's selections.
Tenable Identity Exposure version 3.65 contains the following bug fixes:
- Tenable Identity Exposure addressed an issue with Microsoft Entra ID tenant deletion. Previously, after clicking the deletion bin icon, certain previously acquired assets could persist. All assets are now deleted completely during this process.
- Tenable Identity Exposure resolved an injection vulnerability in which a low-privileged local user could modify application files on the Tenable Identity Exposure Secure Relay host.
- Tenable Identity Exposure fixed an issue with unsuccessful queries caused by a null value, likely stemming from data inconsistency in the database (for instance, a compact entitlement directed at an asset that has not yet reached the necessary Software Factory (SF)).
- Tenable Identity Exposure enhanced the attack path functionality to prevent potential crashes during initialization in certain rare scenarios.
- Tenable Identity Exposure implemented a new mechanism to ensure the database can handle multiple modifications to the badPwdCount attribute without compromising its integrity or performance.
Tenable Identity Exposure 3.64 (2024-02-07)
Tenable Identity Exposure version 3.64 contains the following bug fixes:
- The Suspicious DC Password Change Indicator of Attack no longer raises false positives for Windows Server 2008 R2 systems, which change their passwords every 30 days by default.
Tenable Identity Exposure 3.63 (2024-01-24)
- Indicators of Attack — The "Allowed Processes" option in the Credential Dumping: LSASS Memory and NTDS Extraction Indicators of Attack now includes processes known to raise false positives.
Tenable Identity Exposure version 3.63 contains the following bug fixes:
- Tenable Identity Exposure no longer shows topology domains after the removal of their associated domain.
- Microsoft Entra ID's current scan status now indicates the error for a scan failure, even if previous scans were successful.
- Tenable Identity Exposure now correctly refreshes CA certificates following a Syslog alert configuration update.
- Tenable Identity Exposure's internal technical data is no longer transmitted as assets to Tenable Cloud when this feature is active.
- Deviances related to password reuse from the Detection of Password Weaknesses Indicator of Exposure now expose the incriminating password hash prefixes.
- When analyzing a 4776 event that lacks a hostname and therefore has an "Unknown" source, Tenable Identity Exposure now filters out this deviance according to the "Allow Unknown Source" option in the Password Spraying Indicator of Attack.
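Three of the notes above describe one detection: the "Password spraying detection time interval" option added in 3.67, the "Number of accounts with failed attempts" default of 10,000 set in 3.65, and the 3.63 fix that applies "Allow Unknown Source" to 4776 events carrying no workstation name. The following is an added example, not Tenable's implementation, that puts the three together as a sliding-window count of distinct accounts per source over constructed 4776-style records. The threshold of 10 and window of 10 minutes are stand-ins chosen so the sample fits on a page; the product's default window is not stated here.

```python
"""Password-spraying detection as the Password Guessing IoA options describe it:
a detection time interval (sliding window), a threshold on the number of distinct
accounts with failed attempts, and the "Allow unknown source" switch for 4776
events that carry no workstation name. Added illustration, not Tenable's
implementation; the 4776-style records below are constructed, and the default
threshold of 10 (the product's is 10,000) is scaled down for the sample."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, FrozenSet, Iterable, List, NamedTuple, Optional, Tuple


class FailedLogon(NamedTuple):
    when: datetime
    account: str
    source: Optional[str]   # workstation from the 4776 event, None when absent


class Detection(NamedTuple):
    source: str
    when: datetime
    accounts: FrozenSet[str]


def detect_password_spraying(events: Iterable[FailedLogon], window_minutes: int = 10,
                             account_threshold: int = 10,
                             allow_unknown_source: bool = False) -> List[Detection]:
    """Raise one detection per source once `account_threshold` distinct accounts
    have failed from it inside any `window_minutes` interval. Events without a
    source are dropped unless allow_unknown_source is True, in which case they are
    pooled under the "Unknown" source (the behaviour the 3.63 fix restores)."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    detections: List[Detection] = []
    for ev in sorted(events, key=lambda e: e.when):
        source = ev.source
        if source is None:
            if not allow_unknown_source:
                continue
            source = "Unknown"
        q = recent[source]
        q.append((ev.when, ev.account))
        while q and ev.when - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = frozenset(acct for _, acct in q)
        if len(distinct) >= account_threshold:
            detections.append(Detection(source, ev.when, distinct))
            q.clear()   # start afresh so one spray yields one alert, not one per event
    return detections


BASE = datetime(2024, 3, 21, 9, 0, 0)
# Constructed sample: a burst from WS01, a burst with no workstation name, and a
# slow trickle from WS02 that never fits inside the window.
SAMPLE_EVENTS: List[FailedLogon] = (
    [FailedLogon(BASE + timedelta(seconds=10 * i), f"user{i:02d}", "WS01") for i in range(12)]
    + [FailedLogon(BASE + timedelta(seconds=5 * i), f"svc{i:02d}", None) for i in range(10)]
    + [FailedLogon(BASE + timedelta(minutes=30 * i), f"ops{i:02d}", "WS02") for i in range(12)]
)

if __name__ == "__main__":
    for d in detect_password_spraying(SAMPLE_EVENTS, allow_unknown_source=True):
        print(d.when.time(), d.source, len(d.accounts), "accounts")
```

With the defaults above only WS01 is reported; enabling allow_unknown_source adds a second detection for the burst without a hostname, and shrinking the interval to one minute drops WS01 (its ten accounts span 90 seconds) while the faster unnamed burst still fires, which is the trade-off the interval option exposes.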
Tenable Identity Exposure 3.62 (2024-01-10)
Tenable Identity Exposure version 3.62 contains the following bug fixes:
- Tenable Identity Exposure now computes SYSVOL files when creating an attribute with a name exceeding 500 characters.
- The Secure Relay now reflects modifications made to SYSLOG configurations, re-enabling the flow of SYSLOG messages to the SIEM.
- The Indicator of Exposure (IoE) Insufficient Hardening Against Ransomware now correctly manages allowlist exclusions.
- Tenable Identity Exposure resolved an issue that was affecting the accurate qualification of Privileged Groups in these IoEs: AdminCount Attribute Set on Standard Users, Disabled Accounts in Privileged Groups, Privileged Accounts Running Kerberos Services, and Mapped Certificates on Accounts.
- Microsoft Entra ID scan statuses are now more accurate, providing clearer indications when an issue arises.