Tenable.ad 3.19 — On-premise (2022-04-20)

New Features

  • Scalability — Dynamic activation and deactivation of Indicators of Exposure.

  • LDAP authentication — The ability to enable/disable SASL bindings. For more information, see Authentication using LDAP in the Tenable.ad Administrator Guide.

  • Memory cacheTenable.adhas greatly improved its memory consumption to benefit Indicators of Attack (IoAs).

  • New Indicators of Attack:

    • DPAPI Domain Backup Key Extraction Indicator of Attack can detect a wide variety of attack tools that use LSA RPC calls to access backup keys. For more information, see DPAPI Domain Backup Key Extraction in the Tenable.ad Administrator Guide.

    • Massive Computers Reconnaissance: Detects reconnaissance attacks that generate a massive number of authentication requests to Active Directory targets. For more information, see Massive Computers Reconnaissance in the Tenable.ad Administrator Guide.

    • Enumeration of Local Administrators: Detects Active Directory data enumeration attacks. For more information, see Enumeration of Local Administrators in the Tenable.ad Administrator Guide.

    • NTDS Extraction: NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database that stores Active Directory secrets such as password hashes and Kerberos keys. For more information, see NTDS Extraction in the Tenable.ad Administrator Guide.

    • SAM Name Impersonation: This Indicator of Attack detects an attacker who tries to exploit two vulnerabilities that can lead to an elevation of privileges on the domain from a standard account without any security skills. For more information, see SAM Name Impersonation in the Tenable.ad Administrator Guide.

    • Kerberoasting IoA to detect and alert to Kerberoasting attacks targeting Active Directory service account credentials. For more information, see Kerberoasting Indicator of Attack in the Tenable.ad Administrator Guide.

  • Windows Server 2022 — On-premise support for Windows Server 2022.

  • Retirement of the Caroli component — Retired to optimize platform performance.

  • Retirement of InfluxDB & Equuleus — Retired to optimize platform performance and data consistency.

    Note: For on-premises installations, the change in Tenable.ad's database implementation will cause the loss of historical data in the dashboards during upgrade. On-premises platforms will lose the history of statistics in the User, Deviances, and Compliance Score. Widgets for Users/Deviance count and Compliance Score will recover their most recent values after reinitialization; however, line chart widgets will only have one data point and will recover their values progressively.
  • Domain connectivity tests — Allows you to test a domain connectivity (LDAP and SYSVOL) before you add or modify it.

  • Scalability Tenable.ad considers resolved deviances as no longer useful and clears them from the database after 6 months.
  • Indicator of Exposure — Improvements to the Indicator of Exposure Logon restrictions for privileged users.
  • Workload quota — New ability to adjust the limit on the number of Indicators of Attack running simultaneously. For more information, see Workload Quota in the Tenable.ad Administrator Guide.

  • Attack Path: New graphical representations to explore Active Directory relationships:

    • Blast Radius: Evaluates lateral movements in the AD from a potentially compromised asset.

    • Attack Path: Anticipates privilege escalation techniques to reach an asset from a specific entry point.

    • Asset Exposure: Measures an asset's vulnerability using asset exposure visualization and tackles all escalation paths.

  • Honey Accounts — Allows the Kerberoasting Indicator of Attack to detect login or service requests. For more information, see Honey Accounts in the Tenable.ad Administrator Guide.

  • API Endpoint — Retrieval of Active Directory objects from the database using the API.

  • Tenable.ad propagates changes — such as a move or rename — on an LDAP container to the container children.

Bug Fixes