github netwrix/pingcastle 3.5.0.33
PingCastle 3.5.0.33
on GitHub

10 hours ago

Release Notes

Privileged Mode Updates

  • S-Vuln-MS14-068
  • S-Vuln-MS17-010
    • Detection now checks installed hotfixes on domain controllers.

Without Privileged Mode, these rules will no longer be evaluated.

Rule Updates & Fixes

DNS Zone Rules

A-DnsZoneUpdate1 & A-DnsZoneUpdate2

  • _msdcs.* zones are now classified as critical infrastructure

  • Reporting has been expanded to include:

    • Zone name
    • Domain
    • Distinguished Name
    • Partition

This makes DNS details clearer and simplifies remediation planning.

P-Kerberoasting

  • Fixed duplicate findings when users belonged to multiple privileged groups making findings more focused.

  • The report now shows:

    • One row per vulnerable user
    • All associated groups and SPNs aggregated

T-SIDFiltering

  • Fixed false positives on legacy Windows 2000 intra-forest trusts
  • These trusts often have TrustAttributes = 0 due to historical domain upgrades
  • New CrossRef-based filtering logic correctly identifies within-forest trusts and no longer flags them as insecure

Microsoft Defender Attack Surface Reduction (ASR)

  • Microsoft changed ASR policy locations in Windows Server 2025
  • PingCastle now checks all three possible GPO paths
  • Ensures reliable ASR detection across mixed server versions

Other Rule Fixes

  • A-DnsZoneAUCreateChild

    • Fixed false negatives when no DNS partitions exist on a domain controller
    • Previously, some environments were skipped entirely due to an unreachable code path

  • S-FolderOptions

    • Remediation guidance now points to the correct GPO path

Platform Update: ASP.NET 8 Upgrade

PingCastle has been upgraded to ASP.NET 8 to align with PingCastle Enterprise and to hopefully reduce antivirus false-positive detections seen in some environments over the last few months.

What to expect

  • Larger executable (~200 MB)

    • ASP.NET 8 is bundled directly into the executable to keep execution simple.
    • No external runtime dependencies required

  • Configuration file change

    • Configuration moves from PingCastle.exe.config To: appsettings.console.json

  • Auto-update behavior change

    • If you use the PingCastleAutoUpdater.exe, two executions are required:

      1. First run: Downloads the new version
      2. Second run: Automatically migrates existing configuration to appsettings.console.json
Check out latest releases or
releases around netwrix/pingcastle 3.5.0.33

Don't miss a new pingcastle release

NewReleases is sending notifications on new releases.

Get notifications