Operator On The Wire
BLUE TEAM / THREAT HUNT / ACTIVE DIRECTORY / ENUMERATION

RID Cycling

This note documents detection patterns related to RID Cycling within Active Directory environments.


Direct Indicators

| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Low | Authentication event recorded before the enumeration activity. |
| Security | 4776 | NTLM authentication | Medium | RID cycling often uses NTLM-authenticated sessions against domain controllers. |
| Security | 4662 | Operation performed on object | High | LDAP queries against user or group objects may trigger object access auditing. Only produced when the Audit Directory Service Access subcategory is enabled and the queried objects carry a SACL; without both, no 4662 is written. |
| Sysmon | 3 | Network connection | High | Connections to domain controllers via SMB (445) or LDAP (389/636). |
| Sysmon | 1 | Process creation | Medium | Execution of tools performing RID enumeration. |

Indirect Indicators

| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Sequential RID queries | Enumeration of SIDs with incremental RID values | Critical | Classic indicator of RID cycling. |
| Large number of user lookups | High volume of account discovery requests | High | Attackers mapping domain users. |
| SMB queries to domain controller | Frequent requests to SAMR or LSARPC endpoints | High | Typical mechanism used for RID enumeration. |
| Enumeration from workstation | RID queries originating from a non-admin system | High | Suspicious reconnaissance behavior. |
| Execution of enumeration tools | Processes such as rpcclient or CrackMapExec | Critical | Direct evidence of enumeration activity. |
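The two strongest rows in the table above, sequential RID values and a high volume of lookups from one source, can be scored together. The following is an added example written for this note, not a tool from the page; it runs over constructed SID-lookup records (the host names, account names, timestamps and field layout are all assumptions) of the kind an RPC-aware sensor or parsed SAMR/LSARPC capture would produce, bins them per source host and domain controller into five-minute windows, and rates each bin: high volume alone is "high", high volume with mostly consecutive RIDs is "critical", matching the forensic values used in this note.

```python
"""
Score SAMR/LSARPC SID-lookup telemetry for RID cycling (added example).

The records below are constructed for this note, not captured data. Each one
models a single RID-to-name lookup (for example SamrLookupIdsInDomain or
LsarLookupSids) as a sensor might report it; the field layout, host names
and account names are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, source host, destination DC, account, RID requested) - constructed
SAMPLE_LOOKUPS = [
    # WS-0142: a workstation walking RIDs 1000..1012 within thirteen seconds
    *[(f"2024-05-01T09:00:{i:02d}Z", "WS-0142", "DC01", "jdoe", 1000 + i) for i in range(13)],
    # SRV-SYNC: bulk resolve of 12 unrelated RIDs in one window (high volume, not sequential)
    *[(f"2024-05-01T09:03:{i:02d}Z", "SRV-SYNC", "DC01", "svc_sync", rid)
      for i, rid in enumerate([512, 1105, 2210, 3000, 4444, 5001, 6007, 7070, 8080, 9090, 10000, 11111])],
    # ADMIN-01: a helpdesk host resolving three SIDs over ten minutes (benign)
    ("2024-05-01T09:02:00Z", "ADMIN-01", "DC01", "helpdesk", 1105),
    ("2024-05-01T09:05:30Z", "ADMIN-01", "DC01", "helpdesk", 512),
    ("2024-05-01T09:11:10Z", "ADMIN-01", "DC01", "helpdesk", 2210),
]

WINDOW = timedelta(minutes=5)     # fixed bin size for grouping lookups
MIN_LOOKUPS = 10                  # lookups per (source, DC, window) before a bin is scored
MIN_SEQUENTIAL_RATIO = 0.8        # share of adjacent sorted RIDs that differ by exactly 1
EPOCH = datetime(1970, 1, 1)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def sequential_ratio(rids) -> float:
    """Fraction of adjacent distinct RIDs (sorted) that are consecutive integers."""
    s = sorted(set(rids))
    if len(s) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
    return consecutive / (len(s) - 1)


def detect_rid_cycling(lookups, window=WINDOW, min_lookups=MIN_LOOKUPS,
                       min_ratio=MIN_SEQUENTIAL_RATIO):
    """Bin lookups per (source host, DC) into fixed windows and score each bin.

    A bin with at least min_lookups entries is 'high' (bulk account discovery);
    if its RIDs are also mostly sequential it is 'critical' (classic RID cycling).
    Returns one alert dict per flagged bin, ordered by window start, then source.
    """
    bins = defaultdict(list)
    for ts, src, dst, account, rid in lookups:
        slot = (parse_ts(ts) - EPOCH) // window          # integer window index
        bins[(slot, src, dst)].append((account, rid))

    alerts = []
    for (slot, src, dst), entries in sorted(bins.items()):
        if len(entries) < min_lookups:
            continue
        rids = [rid for _, rid in entries]
        ratio = sequential_ratio(rids)
        alerts.append({
            "window_start": (EPOCH + slot * window).isoformat() + "Z",
            "source": src,
            "dc": dst,
            "accounts": sorted({acct for acct, _ in entries}),
            "count": len(entries),
            "rid_range": (min(rids), max(rids)),
            "sequential_ratio": round(ratio, 2),
            "severity": "critical" if ratio >= min_ratio else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rid_cycling(SAMPLE_LOOKUPS):
        print(alert)
```

On the sample data the workstation bin is flagged critical (13 lookups, RIDs 1000 to 1012, ratio 1.0), the service host is flagged high (12 lookups, no consecutive RIDs), and the helpdesk host never reaches the volume threshold in any window. Tune MIN_LOOKUPS against the lookup rate of known-good automation such as identity sync jobs before alerting on the "high" tier.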

Common Tools

| Tool | Usage |
|---|---|
| rpcclient | Enumerates domain users via RID cycling. |
| CrackMapExec | Automates RID enumeration across domains. |
| Impacket samrdump.py | Enumerates accounts using the SAMR protocol. |
| enum4linux | Performs SMB-based user enumeration. |
| Nmap smb-enum-users | Enumerates users through SMB scripts. |

Relevant Artifacts

  • Domain controller Security logs (4662)
  • SMB / RPC network telemetry
  • Sysmon logs (1, 3)
  • EDR telemetry identifying enumeration tools
  • Prefetch artifacts for rpcclient or enum4linux
  • Network scanning telemetry
  • Authentication logs preceding enumeration
  • SAMR / LSARPC traffic logs

MITRE ATT&CK References

  • T1087 Account Discovery
  • T1018 Remote System Discovery

Decision Tree

  1. Is the suspicious event present?
    • Identify enumeration patterns in SMB or LDAP queries.
  2. What host generated the event?
    • Determine which workstation issued the RID queries.
  3. Is the account expected to perform this action?
    • Investigate whether the account normally enumerates directory objects.
  4. Pivot:
    • Source host → inspect execution of rpcclient, CrackMapExec, or enum4linux.
    • Network → analyze SMB / RPC traffic to domain controllers.
    • Enumeration results → determine which accounts were discovered.
  5. Confirm exploitation
    • Determine whether the attacker mapped domain accounts using RID cycling.

Example Detection Templates

KQL

// Query 1: connections to SMB and LDAP/LDAPS ports, bucketed per account and destination
DeviceNetworkEvents
| where RemotePort in (445, 389, 636)
| summarize count() by InitiatingProcessAccountName, RemoteIP, bin(TimeGenerated, 5m)

// Query 2: volume of directory object access events (4662) per subject
SecurityEvent
| where EventID == 4662
| summarize count() by SubjectUserName, bin(TimeGenerated, 5m)

EQL

any where event.code == "4662"

Sigma

title: Suspicious RID Enumeration Activity
id: rid-cycling-detection
status: experimental
description: Detects account discovery attempts via RID enumeration
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
  condition: selection
fields:
  - SubjectUserName
  - ObjectName
falsepositives:
  - Legitimate administrative enumeration
level: medium
tags:
  - attack.discovery
  - attack.t1087

Mitigation & Hardening

| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Network controls | Restrict anonymous SMB enumeration | High | Prevents unauthorized RID queries from unauthenticated sessions; an authenticated domain account is not affected by anonymous restrictions, so pair this with the least-privilege control below. |
| Monitoring | Alert on repeated SAMR / RPC queries | High | Detects enumeration activity. |
| Least privilege | Limit access to domain enumeration interfaces | Medium | Reduces the reconnaissance surface. |
| EDR monitoring | Detect rpcclient or enum4linux execution | High | Direct detection of attacker tools. |
| Threat hunting | Review network scanning patterns regularly | Medium | Identifies abnormal discovery activity. |