Microsoft Defender Now Monitors RPC Protocol Abuse by Hackers

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Microsoft has expanded Microsoft Defender’s capabilities to monitor, detect, and disrupt attacks that abuse Remote Procedure Call (RPC), a core Windows protocol long exploited by threat actors for lateral movement, credential theft, and privilege escalation.

Remote Procedure Call (RPC) is a protocol that allows functions residing in a separate process — or even on a remote machine — to be invoked as though they were local.

Because many foundational Windows and Active Directory features are built on RPC, it has become one of the most attractive attack surfaces in enterprise environments. Key attack techniques that abuse RPC include:

  • Lateral Movement – Remotely creating tasks or services, or invoking WMI, through RPC interfaces
  • Credential Theft – DCSync attacks exploit Active Directory replication RPC calls; SecretsDump and similar tools abuse the Windows Remote Registry interface (UUID: 338cd001-2244-31f1-aaaa-900038001003) to extract SAM and LSA secrets
  • Privilege Escalation – Authentication coercion attacks force servers to authenticate to adversary-controlled systems via otherwise benign RPC interfaces
  • Discovery – Tools like SharpHound enumerate users, sessions, and shares using RPC calls

These techniques map to MITRE ATT&CK techniques T1021, T1552.002, T1003.004, and T1003.

How Defender’s RPC Auditing Works

Traditional network-layer monitoring of RPC traffic is impractical at scale and entirely blind when the underlying transport (such as SMB3) is encrypted.

To close this gap, Microsoft’s Defender research and engineering teams extended the existing RPC integration with the Windows Filtering Platform (WFP) to achieve OpNum-level granularity.

This means Defender can now identify the exact RPC function being called, not just the interface, without intercepting or disrupting normal traffic.

Monitoring is focused on inbound remote RPC calls observed on the server host, specifically targeting attacker-initiated interactions with exposed RPC interfaces. Local and outbound RPC calls are out of scope.

Defender dynamically monitors selected remote operations from critical interfaces, including Remote Registry, Service Control Manager, Task Scheduler, and Windows Management Instrumentation (WMI).

RPC monitoring is generally available for workstations, with a gradual rollout currently underway for servers. Active detections already shipping include:

  • Ongoing hands-on-keyboard attack via the Impacket toolkit
  • Suspicious remote service creation (mapped to lateral movement)
  • Indication of local security authority (LSA) secrets theft
  • Unusual RPC-based user and session discovery
  • Authentication coercion attacks

Security teams can query RPC telemetry directly in the Advanced Hunting tab using the InboundRemoteRpcCall action type in DeviceEvents.

The screenshots shared by Microsoft show how analysts can hunt for remote registry key save events (OpNums 20/31 on interface 338cd001) and remote service creation events (OpNums 12, 24, 44, 45, 60 on interface 367abb81), both commonly associated with credential dumping and lateral movement toolkits such as Impacket.
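As an added illustration (not Microsoft's code or a query from the article), the following Python applies the interface/OpNum pairs above to DeviceEvents rows as they might be exported from Advanced Hunting, honouring the inbound-only scope described earlier. The AdditionalFields key names `InterfaceUuid` and `OpNum` are assumptions, the full Service Control Manager UUID is supplied by the editor (the article quotes only the `367abb81` prefix), and the sample rows are constructed.

```python
import json

# Interface/OpNum pairs the article cites as hunting indicators; the Service
# Control Manager interface is matched on the "367abb81" prefix the page quotes.
RPC_INDICATORS = {
    "338cd001": ("Remote Registry key save", {20, 31}),
    "367abb81": ("Remote service creation", {12, 24, 44, 45, 60}),
}

def classify_rpc_event(event):
    """Return (detection, interface_uuid, opnum) for a matching row, else None.
    Only ActionType == "InboundRemoteRpcCall" is in scope (local/outbound calls
    are not). The AdditionalFields keys "InterfaceUuid"/"OpNum" are assumptions."""
    if event.get("ActionType") != "InboundRemoteRpcCall":
        return None
    fields = event.get("AdditionalFields") or {}
    if isinstance(fields, str):  # hunting exports carry this column as JSON text
        fields = json.loads(fields)
    uuid = str(fields.get("InterfaceUuid", "")).lower()
    try:
        opnum = int(fields.get("OpNum"))
    except (TypeError, ValueError):
        return None
    rule = RPC_INDICATORS.get(uuid.split("-")[0])
    if rule and opnum in rule[1]:
        return (rule[0], uuid, opnum)
    return None

def hunt(events):
    """Count matching calls per (RemoteIP, DeviceName, detection) for triage."""
    hits = {}
    for ev in events:
        hit = classify_rpc_event(ev)
        if hit:
            key = (ev.get("RemoteIP"), ev.get("DeviceName"), hit[0])
            hits[key] = hits.get(key, 0) + 1
    return hits

def row(action, device, ip, uuid, opnum):  # constructed DeviceEvents-shaped row
    return {"ActionType": action, "DeviceName": device, "RemoteIP": ip,
            "AdditionalFields": json.dumps({"InterfaceUuid": uuid, "OpNum": opnum})}

WINREG = "338cd001-2244-31f1-aaaa-900038001003"  # full UUID quoted in the article
SCM = "367ABB81-9844-35F1-AD32-98F038001003"     # article quotes only the prefix
SAMPLE_EVENTS = [                                 # sample data, not real telemetry
    row("InboundRemoteRpcCall", "dc01", "10.0.0.5", WINREG, 20),  # registry save
    row("InboundRemoteRpcCall", "fs01", "10.0.0.5", SCM, 12),     # service creation
    row("InboundRemoteRpcCall", "fs01", "10.0.0.9", SCM, 0),      # unlisted OpNum
    row("ProcessCreated", "ws07", None, WINREG, 31),              # wrong ActionType
]
```

Calling `hunt(SAMPLE_EVENTS)` yields one registry-save hit on dc01 and one service-creation hit on fs01, both from 10.0.0.5, while the unlisted OpNum and the non-RPC row are ignored.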

This enhancement gives defenders unprecedented visibility into one of the most abused yet historically opaque attack vectors in Windows environments, directly within the Microsoft Defender portal.
