Skip to content

PingCastle 3.5.0.37

Choose a tag to compare

View all tags
@JoeDibley JoeDibley released this 03 Feb 14:25
· 9 commits to master since this release
3.5.0.37
5b8a662
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Release Notes

Privileged Mode Updates

  • S-Vuln-MS14-068
  • S-Vuln-MS17-010
    • Detection now checks installed hotfixes on domain controllers.

Without Privileged Mode, these rules will no longer be evaluated.

Rule Updates & Fixes

DNS Zone Rules

A-DnsZoneUpdate1 & A-DnsZoneUpdate2

  • _msdcs.* zones are now classified as critical infrastructure

  • Reporting has been expanded to include:

    • Zone name
    • Domain
    • Distinguished Name
    • Partition

This makes DNS details clearer and simplifies remediation planning.

P-Kerberoasting

  • Fixed duplicate findings when users belonged to multiple privileged groups making findings more focused.

  • The report now shows:

    • One row per vulnerable user
    • All associated groups and SPNs aggregated

T-SIDFiltering

  • Fixed false positives on legacy Windows 2000 intra-forest trusts
  • These trusts often have TrustAttributes = 0 due to historical domain upgrades
  • New CrossRef-based filtering logic correctly identifies within-forest trusts and no longer flags them as insecure

Microsoft Defender Attack Surface Reduction (ASR)

  • Microsoft changed ASR policy locations in Windows Server 2025
  • PingCastle now checks all three possible GPO paths
  • Ensures reliable ASR detection across mixed server versions

Other Rule Fixes

  • A-DnsZoneAUCreateChild

    • Fixed false negatives when no DNS partitions exist on a domain controller
    • Previously, some environments were skipped entirely due to an unreachable code path

  • S-FolderOptions

    • Remediation guidance now points to the correct GPO path

Platform Update: ASP.NET 8 Upgrade

PingCastle has been upgraded to ASP.NET 8 to align with PingCastle Enterprise and to hopefully reduce antivirus false-positive detections seen in some environments over the last few months.

What to expect

  • Larger executable (~200 MB)

    • ASP.NET 8 is bundled directly into the executable to keep execution simple.
    • No external runtime dependencies required

  • Configuration file change

    • Configuration moves from PingCastle.exe.config To: appsettings.console.json

  • Auto-update behavior change

    • If you use the PingCastleAutoUpdater.exe, two executions are required:

      1. First run: Downloads the new version
      2. Second run: Automatically migrates existing configuration to appsettings.console.json

Update (February 5, 2026)
It was identified that PingCastle released with unsigned binaries due to a sequencing issue in the build and release pipelines. Due to that the release version has been updated from 3.5.0.33 to 3.5.0.37. No code changes were made between these versions, only build and release pipeline changes were made.

Assets 3
Loading