IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Incident Response (Version 3.3.0)

From Tanium Knowledge Base

Thank you for choosing Tanium. These notes are intended to document changes between releases of the Tanium Incident Response module.

Tanium Incident Response 3.3.0

Release Date February 23, 2017

Incident Response Official Version 3.3.0.0001

Features

  • Improved runtime control

The following sensors were rewritten in PowerShell for improved performance and runtime control. Because of the rewrite, they require Tanium Client 1420 or later and have been deprecated on Windows XP and 2K3.

  • Explicit Logon Security Event Log Search
  • Logon Security Event Log Search
  • Service System Event Log Search
  • Account Lockouts Security Event Log Search

Additionally, the existing PowerShell-based sensors listed below were modified to provide enhanced runtime control. These sensors also require Tanium Client 1420 or later and are not supported on Windows XP and 2K3:

  • PowerForensics File Record
  • PowerForensics Master Boot Record
  • PowerForensics Prefetch -- Windows 10 is currently unsupported
  • PowerForensics Recently Opened Office Files by User -- not all versions of MS Office are currently supported
  • PowerForensics Shim Cache
  • PowerForensics UserAssist

Processes Using Module, a Visual Basic Script based sensor, was moved from Initial Content to Incident Response and refactored to provide better runtime control and reduced impact on endpoints.

New Sensors

  • AutoRun Files
Retrieves file and hash of AutoRun entries for improved stack analysis of results

Minor Enhancements and Bug Fixes

  • MD5 and SHA1 Hash Match Files Executing sensors now produce consistent output
  • Loaded Modules with MD5 Hash no longer returns extraneous data when it times out
  • Child Processes sensor no longer returns incorrect parent processes due to Windows process ID reuse
  • AutoRun Program Details no longer returns subscript out of range
  • Mac DNS Caches and Hosts sensors return valid data
  • Listen Ports on Mac and Linux now fail gracefully when lsof is not found
  • TaniumExecWrapper no longer leaves temporary files in the Tanium Client directory
  • Command Line of Process no longer depends on ListDlls and only returns the process and its command line arguments
  • Loaded Modules of Process now has a limit on the number of rows it can return from each host
  • Running Processes with User now correctly reports "domain\user"
  • Running Processes of User now correctly supports username regular expressions
  • Scheduled Tasks sensor now has a limit on the number of rows it can return from each host
  • Command Line of Process now returns a message when no matches are found
  • Command Line of Process for Mac and Linux returns complete data
  • Loaded Modules of Process for Mac and Linux returns complete data
  • Service System Event Log Search now supports regular expressions for the Service Name parameter

Known Issues and Workarounds

  • Child Processes sensor may not return a complete list of child processes for a given parent process. Use the Trace Executed Process Trees sensor.
  • Running Processes with Parent may report incorrect parent processes due to Windows process ID reuse. Use the Trace Executed Process sensor.

New Binaries

  • TaniumExecWrapper.exe (SHA-256) -- 9c1372aee1292aac516add66b6531cef2c65138ce98398a4fdeaf2e05ddbffe1
  • TaniumFileInfo.exe (SHA-256) -- 6623b0a1ac7642a1e9625ca744b573f86c75b015f23a56cb216d14f00c85b1c3

Deprecated Content

  • Loaded Modules Matching Exploit List (sensor) -- IOC Detect should be used for this workflow
  • Search Single File For Hex Pattern (sensor)

Notes for future releases

  • grep will be removed from IR Tools
  • yara will be removed from IR Tools

Additional Information