Update

Release Notes​

• Certificate template checks now allow domain computers to trigger regardless of whether msds-machineaccountquota is set, delivering more comprehensive coverage of certificate authentication configurations across varied domain setups
• Enhanced P-AdminLogin check to include password reset logic, improving detection and reporting of admin accounts with outdated or concerning password patterns
• Added MFA status column to Entra ID reporting
• Restored honeypot exclusion functionality
• Corrected a typo in the LDAP filter affecting BuiltinDomain detection
• Updated documentation links to the external STIG viewer resource which were pointing to invalid URLs
• Fixed detection for MS17-010 (EternalBlue) vulnerability on domain controllers which was previously being reported incorrectly
• Enhanced the PWDNeverExpires check to properly evaluate accounts that have had their password changed recently, reducing false positives
• Clarified delegation reporting in computer analysis to reduce confusion around constrained and unconstrained delegation results
• Optimized knowledge base scanning performance during compute risks evaluation
• Fixed S-AesNotEnabled scoring issues
  • Disabled accounts are now excluded from the risk count as they cannot be AS-REP Roasted
  • Updated information and guidance based on the Microsoft RC4 phase-out
• Fixed configuration file parsing so that settings in appsettings.console.json are correctly loaded at runtime
• Fixed a string mismatch in the exclusion logic that was preventing BUILTIN\Users from being correctly excluded from the A-MembershipEveryone risk assessment
• Rewrote the auto-updater mechanism after versions 3.5.0.37+ were found to corrupt configuration files on affected servers