Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Live Response (Version 1.1)

From Tanium Knowledge Base

Thank you for choosing Tanium. These notes document changes between releases of Live Response, which ships as part of the Tanium Incident Response module.

Tanium Live Response 1.1.2

Release Date May 15, 2018

Live Response Official Version 1.1.2.0005

Overview

Live Response (version 1.1.2) is released to general availability to provide a more extensible and customizable method for retrieving forensically relevant data and files. Live Response can collect running process details, module details, driver details, including file hashes, the $MFT, Windows event logs, system memory, user profiles and more. Data collection can be customized using JSON-formatted configuration files. Custom triage or data collection scripts can also be added to the package and configuration file. Live Response is available to any customers holding a license for Tanium Threat Response or the Tanium Incident Response module.

This release of Live Response includes many significant performance improvements and bug fixes. For details, please read below.

Resolved Issues and Improvements

  • improvement: All PowerForensics cmdlets use less memory and execute several orders of magnitude faster.
  • improvement: Raw NTFS parsing is significantly faster.
  • improvement: File data is now streamed from disk, reducing memory overhead.
  • improvement: PowerForensics now supports NTFS file systems where the file record size is not 1024 bytes.
  • improvement: General compatibility improvements when sending to SFTP servers.
  • improvement: Live Response logging now occurs using a single stream.
  • improvement: Paths expanded from environment variables are now logged for visibility.
  • improvement: The process collector now parses each binary's file information only once.
  • improvement: SMB file transfers no longer require the "Read Attributes" permission. Only "Create files / write data", "Create folders / append data", and "Write Attributes" are required, so the destination can be a truly write-only SMB file drop: an endpoint that is later compromised can still deposit its own collection but cannot list or read what other hosts have deposited.
  • change: LRConnectionTest is now created within the session directory on the remote system, rather than in the configured base directory.
  • bugfix: Corrected a typo that caused Custom_Collection.json to fail to parse.
  • bugfix: File collections no longer attempt to collect directories as though they were files.
  • bugfix: File collections would fail if the configured path or regular expression contained UTF-8 characters.
  • bugfix: Live Response would fail on systems that did not have .NET 3.5, with errors referencing FindSystemTimeZoneById and ConvertTimeFromUtc.
  • bugfix: Live Response would fail with an obscure error if another instance was already running.
  • bugfix: PowerForensics would return invalid raw file data for highly fragmented files; at some point during the read, only null bytes were returned.
  • bugfix: PowerForensics would sometimes fail to parse directories, preventing access to their contents.
  • bugfix: PowerForensics would sometimes incorrectly parse NTFS file record attributes, preventing access to the affected file records.
  • bugfix: PowerForensics parsing of resident registry values would always return 4 bytes of data as binary, regardless of the underlying data type or length.
  • bugfix: PowerForensics would throw an exception when trying to parse registry values that were zero bytes in length.
  • bugfix: S3 transfers would fail if the secret key had trailing whitespace.
  • bugfix: SFTP transfers to SolarWinds SFTP servers would fail.
  • bugfix: SFTP transfers to WS_FTP SFTP servers would fail.
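
The write-only SMB drop that the permission change above makes possible, as an added example (this is not Tanium's code and not part of the original release notes). It grants the collector principal exactly the three NTFS rights the note lists, adds one piece of hardening the note does not mention (an OWNER RIGHTS ACE, so the account that creates a file cannot use implicit owner rights to grant itself read access afterwards), and ends with a probe that confirms writes succeed while listing and reading are denied. The path D:\LRDrop, the share name LRDrop$, and the principal CORP\LR-Collectors are placeholders; it assumes Windows PowerShell 5.1 with the SmbShare module on the file server, run elevated.

```powershell
# Added example, not Tanium's code: create a write-only SMB drop for Live Response
# collections using only the three NTFS rights named in the 1.1.2 release notes.
# Assumptions (not from the page): the path, share name and the principal the
# endpoints authenticate as are placeholders; run elevated on the file server;
# Windows PowerShell 5.1 with the SmbShare module (Server 2012 / Windows 8+).

$DropPath  = 'D:\LRDrop'             # assumed local path on the file server
$ShareName = 'LRDrop$'               # assumed; trailing $ keeps it out of browse lists
$Collector = 'CORP\LR-Collectors'    # assumed account/group used by the endpoints
$Admins    = 'BUILTIN\Administrators'

New-Item -ItemType Directory -Path $DropPath -Force | Out-Null

$acl = Get-Acl -LiteralPath $DropPath
# Break inheritance and drop explicit ACEs so nothing like BUILTIN\Users read leaks in.
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Analysts/administrators retrieve the collections; they keep full control.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Admins, [System.Security.AccessControl.FileSystemRights]::FullControl, $inherit, $none, $allow)))

# The collector gets exactly the rights from the release notes:
#   CreateFiles     = "Create files / write data"
#   AppendData      = "Create folders / append data"
#   WriteAttributes = "Write attributes"
# No ReadData/ListDirectory/ReadAttributes and no Delete: an endpoint that is later
# compromised can still deposit, but cannot enumerate, read back or remove collections.
$writeOnly = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::WriteAttributes
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Collector, $writeOnly, $inherit, $none, $allow)))

# Hardening beyond what the page describes: the creator of a file becomes its owner,
# and an owner implicitly holds READ_CONTROL and WRITE_DAC, i.e. could re-grant itself
# read access. An inheritable ACE for the OWNER RIGHTS SID (S-1-3-4) replaces those
# implicit rights with whatever it lists; Synchronize is the least that can be granted.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ownerRights, [System.Security.AccessControl.FileSystemRights]::Synchronize, $inherit, $none, $allow)))

Set-Acl -LiteralPath $DropPath -AclObject $acl

# Share permissions are ANDed with NTFS; "Change" is the narrowest built-in share
# right that still permits creating files, so the NTFS ACL remains the real gate.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $DropPath -ChangeAccess $Collector -FullAccess $Admins | Out-Null
}

# Verification, run from another host as the collector account: a write succeeds,
# while listing the drop and reading back the probe file are both denied.
function Test-WriteOnlyDrop {
    param([Parameter(Mandatory)][string]$UncPath)
    $probe  = Join-Path $UncPath ('probe-{0}.txt' -f [guid]::NewGuid())
    $result = [ordered]@{ Write = $false; List = $true; Read = $true }
    try { [System.IO.File]::WriteAllText($probe, 'probe'); $result.Write = $true } catch { }
    try { Get-ChildItem -LiteralPath $UncPath -ErrorAction Stop | Out-Null } catch { $result.List = $false }
    try { [System.IO.File]::ReadAllText($probe) | Out-Null } catch { $result.Read = $false }
    [pscustomobject]$result    # a correct drop yields Write=True, List=False, Read=False
}
# Test-WriteOnlyDrop -UncPath "\\fileserver\$ShareName"
```

Run Test-WriteOnlyDrop from a workstation as the collector account rather than on the file server itself; a local administrator bypasses the collector ACE and the probe would report List and Read as allowed. Because the collector also lacks Delete, probe files left behind by the test must be cleaned up by an administrator.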

Important

Packages

Live Response - Windows
Live Response currently only supports versions of Windows running PowerShell 2.0 or greater. If PowerShell 2.0 or later is installed on Windows XP and Windows Server 2003 systems, Live Response might work; however, Live Response is not officially supported on those platforms.

New Binaries

Operating System   Binary Name                Binary Version   SHA256 Hash
Windows x86        PowerForensics.dll         1.3.0            b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448
Windows x86        PSTaniumFileTransfer.dll   1.1.13           a5807270d1d9ab838c5783e751d07bae2982f75820a5db6b333b3a7998f71ad4
Windows x86        taniumfiletransfer.exe     1.1.13           23d8e982b39379621fce43b3636e3438dfc9860ad67f11fb9ea86ca482c92a71
Windows x64        PowerForensics.dll         1.3.0            b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448
Windows x64        PSTaniumFileTransfer.dll   1.1.13           0d27e188f9c2943dfd409d67c053895ee6a6d371a2d4bdf13c5285545aed8c14
Windows x64        taniumfiletransfer.exe     1.1.13           ca2a79b35cfa1ea9728111b1f9e35fa4406e93e034f8e73b47304a2d23dcf2fb

The PowerForensics.dll hash is identical for x86 and x64, so both packages ship the same file; PSTaniumFileTransfer.dll and taniumfiletransfer.exe are separate builds per architecture and must be checked against the hash for the matching architecture.

Known Issues

  • PowerForensics does not currently support the reading of sparse NTFS file data. Support is planned for a future release.
  • Attempts to acquire the USN Journal ($Extend\$UsnJrnl) as a file will fail as PowerForensics currently lacks support for NTFS sparse files. The USN Journal may be parsed, though, using the Get-ForensicUsnJrnl cmdlet.

Additional Information

Tanium Live Response 1.1.1

Release Date April 11, 2018

Live Response Official Version 1.1.1.0001

Overview

Live Response (version 1.1.1) is released to general availability to provide a more extensible and customizable method for retrieving forensically relevant data and files. Live Response can collect running process details, module details, driver details, including file hashes, the $MFT, Windows event logs, system memory, user profiles and more. Data collection can be customized using JSON-formatted configuration files. Custom triage or data collection scripts can also be added to the package and configuration file. Live Response is available to any customers holding a license for Tanium Threat Response or the Tanium Incident Response module.

Live Response supports the following transfer protocols or destinations for collected data:

  • SCP
  • SFTP
  • SMB
  • S3

Important

Packages

Live Response - Windows
Live Response currently only supports versions of Windows running PowerShell 2.0 or greater. If PowerShell 2.0 or later is installed on Windows XP and Windows Server 2003 systems, Live Response might work; however, Live Response is not officially supported on those platforms.

New Binaries

Operating System   Binary Name                Binary Version   SHA256 Hash
Windows x86        PowerForensics.dll         1.2.2            cd17e1054616dc1b8e1e1dcbb64f03ecc692d903c59c1625ddabdb35972699b2
Windows x86        TaniumHandle.exe           3.1.100          738eff48cc62bec4b757942dab9a05c1d7965143c4ba69ae4c825ca728f2295e
Windows x86        PSTaniumFileTransfer.dll   1.1.5            bfb6c0519fe9fb58b9e48344fcfc4aadab288012bb411cd454cd6f484d97ee04
Windows x86        taniumfiletransfer.exe     1.1.5            5037efdc2d42e1cf48b27e6073b03f2d238aa5c46ec8d670a530dafacb65c982
Windows x64        TaniumHandle.exe           3.1.100          4b33816dc04b935c4f017568ff271e5000210056bb54ecbdd663467fb93e555a
Windows x64        PSTaniumFileTransfer.dll   1.1.5            235ccc8923df7c73cbf33893727141f4f94109acaac454b38f840241c9e7ed7c
Windows x64        taniumfiletransfer.exe     1.1.5            3c728e2d56166273b8292bee06d3cfab72205dcfe0130b31ff608a0777ffe08a
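
A check of the shipped binaries against the published hashes in both the 1.1.2 and the 1.1.1 tables on this page, as an added example (not Tanium's code and not part of the original release notes). It assumes the package contents were unpacked under a directory with x86 and x64 subfolders; that layout, the function name Test-LiveResponseBinaries, and the sample path C:\Temp\LiveResponse are assumptions, and the hash values are copied from the tables above. Get-FileHash requires Windows PowerShell 4.0 or later.

```powershell
# Added example, not Tanium's code: check unpacked Live Response binaries against
# the SHA-256 values published in the 1.1.2 and 1.1.1 tables on this page.
# Assumption (not from the page): the package was unpacked under $PackageRoot with
# per-architecture subfolders named 'x86' and 'x64'; adjust -ArchSubdir if your
# layout differs. Hash strings are copied from the tables, lowercased.

$PublishedHashes = @{
    '1.1.2' = @{
        'x86' = @{
            'PowerForensics.dll'       = 'b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448'
            'PSTaniumFileTransfer.dll' = 'a5807270d1d9ab838c5783e751d07bae2982f75820a5db6b333b3a7998f71ad4'
            'taniumfiletransfer.exe'   = '23d8e982b39379621fce43b3636e3438dfc9860ad67f11fb9ea86ca482c92a71'
        }
        'x64' = @{
            'PowerForensics.dll'       = 'b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448'
            'PSTaniumFileTransfer.dll' = '0d27e188f9c2943dfd409d67c053895ee6a6d371a2d4bdf13c5285545aed8c14'
            'taniumfiletransfer.exe'   = 'ca2a79b35cfa1ea9728111b1f9e35fa4406e93e034f8e73b47304a2d23dcf2fb'
        }
    }
    '1.1.1' = @{
        'x86' = @{
            'PowerForensics.dll'       = 'cd17e1054616dc1b8e1e1dcbb64f03ecc692d903c59c1625ddabdb35972699b2'
            'TaniumHandle.exe'         = '738eff48cc62bec4b757942dab9a05c1d7965143c4ba69ae4c825ca728f2295e'
            'PSTaniumFileTransfer.dll' = 'bfb6c0519fe9fb58b9e48344fcfc4aadab288012bb411cd454cd6f484d97ee04'
            'taniumfiletransfer.exe'   = '5037efdc2d42e1cf48b27e6073b03f2d238aa5c46ec8d670a530dafacb65c982'
        }
        'x64' = @{
            'TaniumHandle.exe'         = '4b33816dc04b935c4f017568ff271e5000210056bb54ecbdd663467fb93e555a'
            'PSTaniumFileTransfer.dll' = '235ccc8923df7c73cbf33893727141f4f94109acaac454b38f840241c9e7ed7c'
            'taniumfiletransfer.exe'   = '3c728e2d56166273b8292bee06d3cfab72205dcfe0130b31ff608a0777ffe08a'
        }
    }
}

function Test-LiveResponseBinaries {
    param(
        [Parameter(Mandatory)][string]$PackageRoot,
        [ValidateSet('1.1.2', '1.1.1')][string]$Version = '1.1.2',
        [hashtable]$ArchSubdir = @{ 'x86' = 'x86'; 'x64' = 'x64' }   # assumed layout
    )
    $expected = $PublishedHashes[$Version]
    foreach ($arch in ($expected.Keys | Sort-Object)) {
        foreach ($name in ($expected[$arch].Keys | Sort-Object)) {
            $path = Join-Path (Join-Path $PackageRoot $ArchSubdir[$arch]) $name
            $want = $expected[$arch][$name]
            $got  = $null
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                $status = 'MISSING'
            } else {
                $got    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
                $status = if ($got -eq $want) { 'OK' } else { 'MISMATCH' }
            }
            [pscustomobject]@{
                Version = $Version; Arch = $arch; File = $name
                Status  = $status;  Expected = $want; Actual = $got
            }
        }
    }
}

# Usage: refuse to deploy if any binary is missing or does not match its published hash.
$results = Test-LiveResponseBinaries -PackageRoot 'C:\Temp\LiveResponse' -Version '1.1.2'
$results | Format-Table Arch, File, Status, Actual -AutoSize
if ($results | Where-Object Status -ne 'OK') {
    Write-Error 'Live Response binaries do not match the published hashes'
    exit 1
}
```

A MISMATCH on PSTaniumFileTransfer.dll or taniumfiletransfer.exe most often means the x86 and x64 files were swapped, since those two differ per architecture while PowerForensics.dll 1.3.0 is the same file in both 1.1.2 packages; compare the Actual column against the other architecture's row before treating it as tampering.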

Additional Information