This release closes a major security gap in Active Directory by stopping attacker abuse of Active Directory Certificate Services (AD CS) to obtain unauthorized, high-privilege certificates. A single forged certificate can let an attacker authenticate as any user, including domain admins while bypassing most identity-monitoring controls. Threat Prevention 8.0 adds real-time monitoring and blocking of malicious certificate enrollments, preventing attackers from establishing long-term persistence. Combined with the new process-hardening capabilities, this release strengthens your ability to detect and stop modern identity attacks.
Want the full details? Click the link below!
What’s New
Active Directory Certificate Services Monitoring and Blocking
Threat Prevention 8.0 introduces monitoring and real-time blocking for Active Directory Certificate Services (AD CS), closing a major gap that attackers have increasingly exploited to issue unauthorized high-privilege certificates.
Certificate Enrollments: See full request details including template, subject, SAN, key size, and more, while intercepting the CA process before issuance to detect and block anomalous requests in real-time.
Template and CA Configurations: Monitor and track configuration changes to template ACLs, flags, CA flags, enrollment agent settings, and issuance requirements to detect privilege escalation attempts before they succeed.
Certificate Issuance: Gain end-to-end tracking from request to logon, detecting certificate-based logons by unauthorized accounts or weak mappings across your entire environment.
ESC1–ESC7 Attack Prevention
Now includes detection and blocking of all major AD CS exploitation paths:
-
ESC1 – Enrollee-Supplied Subject/SAN: Detect and optionally block certificate requests using templates with arbitrary subject/SAN fields that differ from the requester.
-
ESC2 – Any-Purpose/No EKU Template: Identify and block certificate templates with Any Purpose or missing EKUs and detect when low-privilege users can supply SANs or enroll for others.
-
ESC3 – Enrollment Agent Misuse: Detect and block unauthorized on-behalf-of enrollments to prevent impersonation attempts.
-
ESC4 – Template ACL Tampering: Monitor and block changes to template permissions and settings that introduce misconfigurations like ESC1 or ESC2.
-
ESC5 – CA/Template ACL Abuse: Monitor and prevent CA or template ACL changes that create PKI takeover paths.
-
ESC7 – CA Operational Misconfiguration: Monitor the CA security descriptor and detect when permissions like ManageCA or ManageCertificates are granted inappropriately.
By intercepting malicious enrollments before issuance, organizations can stop certificate-based persistence before an attacker establishes it.
Join the Webinar
See how these AD CS protections work in practice in an upcoming webinar focused on real-world exploitation and defense.
Join us 2026-01-27T18:00:00Z!
LSASS Guardian – New Flags
Threat Prevention 8.0 strengthens LSASS protection by adding new handle-permission controls that block attacker attempts to suspend, terminate, or clone the LSASS process — techniques used to bypass security tooling or extract credentials.
Process Guardian
Applies process-hardening controls, previously available only for LSASS, to any process you choose. By denying suspension, termination, and cloning rights to unauthorized actors, it blocks the techniques attackers use to disable agents or dump memory, preserving the runtime integrity of critical services even under active attack.
Missing hooks alert (Microsoft KBs)
Threat Prevention now alerts administrators when Microsoft updates or environmental conditions prevent the agent from hooking LSASS, certsrv.exe, or other monitored processes. This eliminates silent monitoring gaps after patch cycles.
Global Event Filter – “No Change” Events
Capture attribute rewrites that would normally be filtered out due to unchanged values, enabling investigation of repeated writes, replication anomalies, and change patterns that blend into benign traffic.
New and Updated Policy Templates
Threat Prevention 8.0 introduces several new templates to simplify deployment of AD CS protections and process-hardening controls.
AD CS Templates
Seven new templates support monitoring and blocking across major AD CS abuse paths:
- Block ESC1–3 Template Enrollments
- Block Extracting CA Private Key
- Block Template Modifications (ESC4)
- Detect ESC1–3 Template Enrollments
- Detect Modification of NTAuthCertificates Object
- Detect Template Modifications (ESC4)
- Detect Security Descriptor Change on Certificate Authority Object (ESC7)
Process Guardian Templates for Netwrix Threat Prevention agent protection
- Agent Hardening – Monitor
- Agent Hardening – Protect
- Includes optional protection for the file activity service
- Note: Do not block
PROCESS_SUSPEND_RESUMEforSBTService.exe, which relies on this permission internally
- Note: Do not block
- Includes optional protection for the file activity service
LSASS Guardian Templates
- LSASS Guardian – Monitor
- LSASS Guardian – Protect
Enterprise Password Enforcer (EPE) HIBP Optimization
Reduce the storage footprint of Have I Been Pwned (HIBP) compromised-password data by more than 50% by consolidating 64k files into a single Bloom-filter-based structure.
Store over 2 billion NTLM hashes in roughly 8 GB instead of 20 GB, making it easier to deploy compromised-password checks directly on domain controllers without adding significant disk overhead.
UI Rebranding
The product UI has been updated to align with the latest Netwrix branding, ensuring a consistent visual identity across the Netwrix product suite.
Bug Fixes and Miscellaneous Updates
| Build | Fixed issue |
|---|---|
| 7.5.0.267 | 403256: AD events were filtered when attributes were accessed but not changed; new Event Filtering Configuration option added |
| 408453: High CPU utilization due to slow DirRead-based objectClass resolution; resolution moved to the agent | |
| 410279: LSASS crash on Windows Server 2025 with LSA Protection during agent stop; multi-signature approach implemented with a dedicated Server 2025 signature | |
| 410528: Exchange SE SU4 was not supported; Exchange signatures extended to support SU4 | |
| 411172: Installers checked for .NET Framework 4.7.0; NTP console and agent installers now require .NET Framework 4.7.2 | |
| 7.5.0.256 | 407684: Get-SIAgent and other PowerShell commands not working |
| 408756: NTP agent caused server reboot | |
| 408841: Exchange SE support added to 7.5 | |
| 7.5.0.252 | 407212: SUVP 25-11 support |
| 406920: Replication conflict events had NotMapped properties in NTM | |
| 406450: Permission Changed events sent with incorrect attributes to NTM | |
| 7.5.0.247 | 405820: Exchange 25-10 updates support |
| 406602: Expired code signing certificate | |
| 406427: Update Agent Installer error message [PERN] | |
| 7.5.0.245 | 405959: Incorrect ADMonitor version number reported |
| 7.5.0.244 | 400587: Upgrade BouncyCastle |
| 405320: Added utcTimeLogged index to NvEvent table | |
| 7.5.0.242 | 400587: Upgrade BouncyCastle |
| 402819: Preserve localPwnedDB key during agent upgrade | |
| 403356: SUVP 25-10 support | |
| 7.5.0.236 | 401764: AD replication issues after September patch and DLL update |
| 401934: AD replication shared memory IPC overflow alerts | |
| 7.5.0.234 | 391153: SBTService repeatedly stopped on multiple DCs |
| 398094: Missing Start, End, Auth, and Renew dates in rejected TGS tickets | |
| 398101: Host information missing in dcsync events | |
| 398537: Expand Groups setting not saved | |
| 398797: Exchange 25-08 updates support | |
| 400007: SUVP 25-09 support | |
| 7.5.0.227 | 397188: SUVP 25-08 support |
| 398055: DSM post-upgrade showed incorrect oldest database date | |
| 7.5.0.224 | 394634: File system permission change events sent formatted value instead of SDDL |
| 395156: Exchange 25-07 .NET updates support | |
| 396765: No events sent to NAM after enabling TLS for AMQP output | |
| 7.5.0.218 | 393085: Windows Server 2025 – LSASS crash during agent startup with EPE enabled |
| 7.5.0.216 | 393162: SUVP 25-07 support |
| 394105: NTP–NAM CheckControlChannelConnection not implemented error | |
| 391515: TGT events not sent during golden ticket attack | |
| 7.5.0.212 | 391328: EX Mailbox Non-Owner Logons filter did not produce expected results |
| 7.5.0.205 | 389319: Exchange 2025-05 updates support (Microsoft Patch Tuesday) |
| 389320: SUVP 25-06 support | |
| 7.5.0.201 | 342078: SI policy exclusions for NTDS.dit not honored |
| 383698: SI computer permission change | |
| 383913: Updated LDAP filters for service account discovery | |
| 384413: EPE test results showed DCs failing password qualification | |
| 388933: Group membership change events had incorrect sub-operation | |
| 389099: Password enforcement policy issues | |
| 389104: Password enforcement incorrectly blocked accounts | |
| 389698: Incorrect archive database size displayed | |
| 389699: Archive DB maintenance configuration not saved | |
| 7.5.0.188 | 381912: TGS events for custom SPN with RC4_hmac not sent |
| 381900: Agent service could not stop and LSASS consumed CPU | |
| 384877: Exchange 2025-04 updates support | |
| 386437: Investigation node exception when switching to Archive DB | |
| 384868: SUVP 25-05 support |
Plan your upgrade
Netwrix Threat Prevention 7.4 will reach its end of support life on July 8 2026. To learn more, please read the Netwrix End-of-Support Policy.
Need help with this update?
There are many different ways to get help with our products!
| Situation | Action |
|---|---|
| If you feel the product is broken and not working as intended… | Contact Support |
| If you have a question you’d like to ask other experts… | Create a discussion in the community: Threat Prevention > Discussions & Questions |
| If you have a feature request… | Let our product team know directly: Threat Prevention > Ideas |
| If you have something cool to show… | Show everyone what you built: Threat Prevention > Show & Tell |
What are your thoughts?
We are always happy to hear from our users on what you like, and what you hope to see in the future. Please, share your thoughts below!
