Tenable.ad 3.19 — On-premise (2022-04-20)
New Features
-
Scalability — Dynamic activation and deactivation of Indicators of Exposure.
-
LDAP authentication — The ability to enable/disable SASL bindings. For more information, see Authentication using LDAP in the Tenable.ad Administrator Guide.
-
Memory cache — Tenable.adhas greatly improved its memory consumption to benefit Indicators of Attack (IoAs).
-
New Indicators of Attack:
-
DPAPI Domain Backup Key Extraction Indicator of Attack can detect a wide variety of attack tools that use LSA RPC calls to access backup keys. For more information, see DPAPI Domain Backup Key Extraction in the Tenable.ad Administrator Guide.
-
Massive Computers Reconnaissance: Detects reconnaissance attacks that generate a massive number of authentication requests to Active Directory targets. For more information, see Massive Computers Reconnaissance in the Tenable.ad Administrator Guide.
-
Enumeration of Local Administrators: Detects Active Directory data enumeration attacks. For more information, see Enumeration of Local Administrators in the Tenable.ad Administrator Guide.
-
NTDS Extraction: NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database that stores Active Directory secrets such as password hashes and Kerberos keys. For more information, see NTDS Extraction in the Tenable.ad Administrator Guide.
-
SAM Name Impersonation: This Indicator of Attack detects an attacker who tries to exploit two vulnerabilities that can lead to an elevation of privileges on the domain from a standard account without any security skills. For more information, see SAM Name Impersonation in the Tenable.ad Administrator Guide.
-
Kerberoasting IoA to detect and alert to Kerberoasting attacks targeting Active Directory service account credentials. For more information, see Kerberoasting Indicator of Attack in the Tenable.ad Administrator Guide.
-
-
Windows Server 2022 — On-premise support for Windows Server 2022.
-
Retirement of the Caroli component — Retired to optimize platform performance.
-
Retirement of InfluxDB & Equuleus — Retired to optimize platform performance and data consistency.
Note: For on-premises installations, the change in Tenable.ad's database implementation will cause the loss of historical data in the dashboards during upgrade. On-premises platforms will lose the history of statistics in the User, Deviances, and Compliance Score. Widgets for Users/Deviance count and Compliance Score will recover their most recent values after reinitialization; however, line chart widgets will only have one data point and will recover their values progressively. -
Domain connectivity tests — Allows you to test a domain connectivity (LDAP and SYSVOL) before you add or modify it.
- Scalability — Tenable.ad considers resolved deviances as no longer useful and clears them from the database after 6 months.
- Indicator of Exposure — Improvements to the Indicator of Exposure Logon restrictions for privileged users.
-
Workload quota — New ability to adjust the limit on the number of Indicators of Attack running simultaneously. For more information, see Workload Quota in the Tenable.ad Administrator Guide.
-
Attack Path: New graphical representations to explore Active Directory relationships:
-
Blast Radius: Evaluates lateral movements in the AD from a potentially compromised asset.
-
Attack Path: Anticipates privilege escalation techniques to reach an asset from a specific entry point.
-
Asset Exposure: Measures an asset's vulnerability using asset exposure visualization and tackles all escalation paths.
-
-
Honey Accounts — Allows the Kerberoasting Indicator of Attack to detect login or service requests. For more information, see Honey Accounts in the Tenable.ad Administrator Guide.
-
API Endpoint — Retrieval of Active Directory objects from the database using the API.
-
Tenable.ad propagates changes — such as a move or rename — on an LDAP container to the container children.
Bug Fixes
In addition to performance improvements, Tenable.ad version 3.19 contains the following bug fixes:
| Bug Fix | Defect ID |
|---|---|
| Tenable.ad returns the API Score information again. | N/A |
| The widget edition now takes into account previously selected domains. | N/A |
| Tenable.ad now provides better analytics performances thanks to new SQL index. | N/A |
| Tenable.ad displays attacks that occur on the 1st day of the month in the correct month. | N/A |
| When you remove a GPO, Tenable.ad only displays the deleted event. | N/A |
| When the SYSVOL connection breaks, Tenable.ad renews the connection to allow the listener to fetch new events. | N/A |
| The allow lists for Credentials Roaming users and groups now accept the samAccountName format. | N/A |
| Tenable.ad considers resolved deviances as no longer useful and clears them from the database after 6 months. | N/A |
| Tenable.ad now counts users with an unknown userAccountControl attribute as active AD users. This can happen when the account provided in Tenable.ad does not have the right to read this attribute or a corresponding attribute set. This can lead to an increase in the total number of users in the dashboard or the license. For more information, see User Accounts in the Technical Prerequisites document. | N/A |
| Tenable.ad propagates changes — such as a move or rename — on an LDAP container to the container children. | N/A |
| Connection to the SYSVOL share succeeds even if you change the credentials. | N/A |
| Kerberos dangerous delegation now resolves after privileged path is corrected by deleting and recreating the domain. | N/A |
| The whitelist now clearly specifies the expected format. | N/A |
| The SQL server functions correctly after Attack Path activation. | N/A |
| The notification email contains the correct image format. | N/A |
| Control Path relations now consider the source and target type. | N/A |
| Tenable.ad updates the children DN when it detects when a container move. | N/A |
| It is no longer possible to delete the last user with an administrative role using the public API. | N/A |
|
Indicator of Exposure (IoE) C-PKI-DANG-ACCESS:
|
N/A |
| The C-DC-ACCESS-CONSISTENCY IoE takes into account the "Keep deleted DCs" toggle update. | N/A |
| The IoA/IoE service restarts after a toggle update. | N/A |
| The C-PASSWORD-POLICY IoE now allows all non-global security groups. | N/A |
| Tenable.ad limits dashboard names to 30 characters and truncates existing names exceeding this limit to 30 characters. | N/A |
| Tenable.ad stabilized the retrieval of AD objects from the SQL server when it encounters a low number of objects with many changes. | N/A |
| The Dangerous Delegation RBCD Backdoor now resolves the account SID. | N/A |
| Tenable.ad does not keep attempting to process large messages. | N/A |
| Native administrative group members IoE (C-NATIVE-ADM-GROUP-MEMBERS): Placing built-in administrative groups in the custom group option no longer creates inconsistent behaviors. | N/A |
| The Logon restrictions for privileged users IoE (C-ADMIN-RESTRICT-AUTH) now resolves when you remove a computer from a sub-organizational unit. | N/A |
| The Sleeping Accounts IoE no longer counts deleted users. | N/A |
| The Tenable.ad API now sends a 400 error when there is no active provided at user creation. | N/A |
| Tenable.ad now supports Windows LTS versions. | N/A |
| Deleted sites no longer appear in deviances. | N/A |
| Tenable.ad updates group members when they change OUs. | N/A |
| When the Active Directory is slow, the regular crawling no longer starts if a crawling is already in progress. | N/A |
| Migration from 3.1 to 3.11 does not generate false positives deviances on GPOs. | N/A |
| The Tenable.ad crawling phase supports more edge cases. | N/A |
| Tenable.ad's on-premise installer now ensures that it uses up-to-date NodeJs modules. | N/A |
| Tenable.ad's analytics service successfully reconnects to the RabbitMQ server after failures. | N/A |
| The partial recrawling of groupPolicyContainers objects takes all attributes into account. | N/A |
Patches
Tenable.ad 3.19.12
Tenable.ad version 3.19.12 contains the following patches.
| Patch | Defect ID |
|---|---|
| Fixed CVE-2022-37026 by upgrading the RabbitMQ library dependency. | N/A |
| Windows Server 2022 — The server no longer needs to reboot when installing Indicators of Attack on a Windows 2022 Domain Controller. | N/A |
Tenable.ad 3.19.10
Tenable.ad version 3.19.10 contains the following patches.
| Patch | Defect ID |
|---|---|
| Tenable.ad no longer collects the AD attribute msds-revealedusers and no longer shows it in the Trail Flow. It was not useful in the security analysis. | N/A |
| The RabbitMq channel connection improved in resiliency. | N/A |
| In IoE page, filtering one given domain no more shows unexpected compliant "No Domain" IoEs. | N/A |
Tenable.ad 3.19.9
Tenable.ad version 3.19.9 contains the following patches.
| Patch | Defect ID |
|---|---|
| Tenable.ad no longer does the Server Authentication EKU check on the SecProbe. | N/A |
| On partially-domain-joined machines, Tenable.ad now successfully decodes any SDDL bi-grams related to the domain (e.g. DA for Domain Admins). | N/A |
| The IoE Dangerous sensitive privileges is correct when an AdObjectGptTmpl object that disables the UAC comes last. | N/A |
Tenable.ad 3.19.7
Tenable.ad version 3.19.7 contains the following patches.
| Patch | Defect ID |
|---|---|
| Tenable.ad improved the efficiency of the internal message consumption. | N/A |
| Tenable.ad improved the RabbitMQ channel connection resiliency. | N/A |
| Tenable.ad no longer collects the userCertificate attribute. | N/A |
| RabbitMQ consumers now keep retrying to connect on an exclusive queue. | N/A |
| The Indicator of Attack Enumeration of Local Administrators IoA now filters out the enumeration of local admins when done locally as this is most likely a legitimate action. | N/A |
| Tenable.ad automatically resolves deviances related to a removed domain or security profile in internal calls. | N/A |
| The installer now takes into account the locale when checking the expiration date of custom certificates. | N/A |