ADInfo, from CJWDev, is a flexible Active Directory reporting tool that enumerates an AD environment by issuing LDAP queries against the domain controllers it can reach. It returns pre-built reports describing AD structure, such as user accounts, computer information, domain-connected printers and user access permissions. Although it is a legitimate administration tool, it has been observed in use during penetration testing engagements.
- An internal attacker on a domain-joined machine runs ADInfo, configured to enumerate information from the local AD servers.
- The local AD server answers the LDAP queries with the requested information.
The attacker must already have gained access to the domain-joined Windows host by some other means and must have the permissions needed to run CJWDev’s ADInfo tool; the tool queries AD with the privileges of the account that runs it.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this threat and has developed signatures for detecting it, depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the affected systems when activity of this type takes place. An incident will be generated in the Alert Logic console if these log messages are observed.
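The following Python is an added example and is not code from this advisory, from Alert Logic's signatures or from CJWDev's ADInfo. It shows what ADInfo-style enumeration looks like as a burst of broad LDAP searches from one client, and a simple rule for flagging that pattern in logs. The log line format, the client addresses and the sample records are constructed for the example; the real field names depend on the log source in use (for instance a domain controller's Directory Service log), and ADInfo's exact LDAP filters are not documented on this page, so the filter patterns below are assumptions based on the report types the tool produces.

```python
"""Added example: flag ADInfo-style AD enumeration in LDAP search logs.

Not from the advisory or from CJWDev's ADInfo. The log format and all
sample records are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filter fragments typical of the broad searches behind a "users",
# "computers", "printers" or "groups" report. Assumption: ADInfo builds
# its reports from subtree searches resembling these.
ENUM_CATEGORIES = {
    "user":     re.compile(r"objectclass=user|objectcategory=person", re.I),
    "computer": re.compile(r"objectcategory=computer|objectclass=computer", re.I),
    "printer":  re.compile(r"objectcategory=printqueue|objectclass=printqueue", re.I),
    "group":    re.compile(r"objectcategory=group|objectclass=group", re.I),
}

# Constructed sample: one client pulls users, computers, printers and
# groups within seconds; two others issue ordinary, narrow lookups.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.10.20.15:49712 scope=subtree base=DC=corp,DC=example filter=(&(objectCategory=person)(objectClass=user)) returned=1843
2024-05-01T10:00:03Z client=10.10.20.15:49712 scope=subtree base=DC=corp,DC=example filter=(objectCategory=computer) returned=412
2024-05-01T10:00:04Z client=10.10.20.15:49712 scope=subtree base=DC=corp,DC=example filter=(objectCategory=printQueue) returned=37
2024-05-01T10:00:06Z client=10.10.20.15:49712 scope=subtree base=DC=corp,DC=example filter=(objectCategory=group) returned=296
2024-05-01T10:00:02Z client=10.10.30.8:51001 scope=base base=CN=jsmith,OU=Staff,DC=corp,DC=example filter=(objectClass=*) returned=1
2024-05-01T10:05:00Z client=10.10.30.8:51001 scope=subtree base=DC=corp,DC=example filter=(sAMAccountName=jsmith) returned=1
2024-05-01T11:30:00Z client=10.10.40.2:60010 scope=subtree base=DC=corp,DC=example filter=(objectCategory=computer) returned=412
"""

# Simplified record layout assumed for this example, not a real product format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+):\d+ scope=(?P<scope>\w+) "
    r"base=(?P<base>\S+) filter=(?P<filter>\S+) returned=(?P<returned>\d+)$"
)


def parse_records(text):
    """Parse log text into dicts; unparsable lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "client": d["client"],
            "scope": d["scope"].lower(),
            "base": d["base"],
            "filter": d["filter"],
            "returned": int(d["returned"]),
        })
    return records


def classify(ldap_filter):
    """Return the set of enumeration categories an LDAP filter touches."""
    return {name for name, rx in ENUM_CATEGORIES.items() if rx.search(ldap_filter)}


def detect_enumeration(records, window=timedelta(minutes=5), min_categories=3):
    """Flag clients that, within `window`, issue subtree searches covering at
    least `min_categories` distinct object types. Returns {client: summary}."""
    by_client = defaultdict(list)
    for r in records:
        if r["scope"] == "subtree":          # base/one-level lookups are normal traffic
            by_client[r["client"]].append(r)
    alerts = {}
    for client, evts in by_client.items():
        evts.sort(key=lambda r: r["ts"])
        for i in range(len(evts)):           # sliding window anchored at each event
            cats, entries, j = set(), 0, i
            while j < len(evts) and evts[j]["ts"] - evts[i]["ts"] <= window:
                hit = classify(evts[j]["filter"])
                if hit:
                    cats |= hit
                    entries += evts[j]["returned"]
                j += 1
            if len(cats) >= min_categories:
                alerts[client] = {
                    "categories": sorted(cats),
                    "entries": entries,
                    "first": evts[i]["ts"].isoformat(),
                    "last": evts[j - 1]["ts"].isoformat(),
                }
                break                        # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for client, info in detect_enumeration(parse_records(SAMPLE_LOG)).items():
        print(f"{client}: {info['categories']} ({info['entries']} entries) "
              f"between {info['first']} and {info['last']}")
```

The rule keys on breadth (several object types swept from the domain root in a short window) rather than on any single query, because each individual search is indistinguishable from routine administration; tune `window` and `min_categories` against the baseline of your own management hosts before alerting on it.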
Recommendations for Mitigation
Because ADInfo is only run after the attacker has already obtained access to a domain-joined host, ensure that all hosts, and in particular public internet-facing ones, have available patches applied and are sufficiently hardened for public access.