Microsoft Defender Now Monitors RPC Activity for Attacks
Microsoft has significantly expanded its Defender platform to monitor inbound Remote Procedure Call (RPC) activity, introducing detection, attack disruption, and advanced hunting capabilities that close a long-standing visibility gap attackers have routinely exploited across enterprise environments.
Remote Procedure Call (RPC) is a foundational Windows protocol that lets a program invoke a function in another process, or on a remote machine, as if it were a local call.
Because core Windows components, including the Service Control Manager, Task Scheduler, Remote Registry, and Active Directory replication, all expose their functionality over RPC, the protocol has long served as a reliable abuse vector for threat actors: the same calls an administrator uses are available to anyone holding valid credentials.
Two components define an RPC call from a monitoring perspective. The Interface, identified by a UUID, is a logical grouping of functions exposed by an RPC server (Remote Registry, the Service Control Manager, WMI). The OpNum (Operation Number) identifies the specific function called within that interface, for example BaseRegQueryValue (OpNum 17 on the Remote Registry interface) or RCreateServiceW (OpNum 12 on the Service Control Manager interface). An OpNum is only meaningful together with its interface: OpNum 12 is a service-creation call on one interface and a session-enumeration call (NetrSessionEnum on srvsvc) on another, so any detection has to key on the pair, not on the number alone.
High-Impact Attack Techniques Abusing RPC
Several well-documented attack techniques weaponize RPC in the wild:
- Lateral movement — Attackers remotely create tasks, services, or invoke WMI over RPC
- Credential theft — DCSync abuses the Active Directory replication interface to request password hashes as a domain controller would; tools like Impacket's secretsdump remotely save the SAM and SECURITY hives through the Remote Registry interface
- Privilege escalation — Authentication coercion attacks abuse legitimate RPC interfaces, such as MS-EFSR (PetitPotam) and MS-RPRN (PrinterBug), to force servers to authenticate against attacker-controlled resources, where the credential can be relayed
- Discovery — Tools like SharpHound enumerate users, sessions, and shares using RPC calls
Monitoring raw RPC traffic with network sensors is both expensive and ineffective once the transport is encrypted: when RPC runs over named pipes inside an SMB 3 session with encryption enabled, or over TCP with packet privacy, the interface UUID and OpNum are no longer visible on the wire.
Microsoft took a different approach, extending Defender’s existing integration with the Windows Filtering Platform (WFP) to achieve OpNum-level granularity, enabling the platform to pinpoint the exact RPC function being called rather than just the interface.
Telemetry is collected using audit-only WFP filters that passively observe inbound remote RPC calls on the server host without interfering with legitimate traffic.
The design requires no visibility into the source device, making it practical at enterprise scale. Local RPC calls and outbound client calls are explicitly out of scope.
Security teams can leverage active detections powered by the new RPC telemetry, including:
- Ongoing hands-on-keyboard attacks via the Impacket toolkit
- Suspicious remote service creation
- LSA secrets theft, mapped to MITRE ATT&CK T1003.004
- Unusual RPC-based user and session discovery
- Authentication coercion attacks
The new InboundRemoteRpcCall action type surfaces the monitored calls directly in Defender's Advanced Hunting interface through the DeviceEvents table.
Security teams can query for remote registry hive save events (BaseRegSaveKey, OpNum 20, and BaseRegSaveKeyEx, OpNum 31, on the winreg interface) indicative of credential dumping; remote service creation events (OpNums 12, 24, 44, 45 and 60 on the svcctl interface, the RCreateService* family) signaling lateral movement; and session discovery via NetrSessionEnum (OpNum 12 on the srvsvc interface) to flag reconnaissance tools like SharpHound. Because the same OpNum value appears on different interfaces, queries should filter on the interface UUID as well as the OpNum.
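The classification logic behind those hunts, run offline over exported event rows, as an added example that is not part of the original article or of Microsoft's own detection code. The interface UUIDs are the ones published in the MS-RRP, MS-SCMR, MS-SRVS and MS-DRSR protocol specifications, and the ActionType name comes from the article; the sub-field names inside AdditionalFields (InterfaceUuid, OpNum, RemoteIP) and the sample rows are constructed assumptions for this example, not the documented Defender schema. The signature table also goes one step beyond the article's list by including DRSGetNCChanges, the replication call behind DCSync.

```python
"""Classify InboundRemoteRpcCall rows by (interface UUID, OpNum) and
flag fleet-wide session enumeration. Example code, not Defender's own."""
import json
from collections import defaultdict

# Interface UUIDs from the Microsoft protocol specifications; compared lower-case.
WINREG = "338cd001-2244-31f1-aaaa-900038001003"    # MS-RRP, Remote Registry
SVCCTL = "367abb81-9844-35f1-ad32-98f038001003"    # MS-SCMR, Service Control Manager
SRVSVC = "4b324fc8-1670-01d3-1278-5a47bf6ee188"    # MS-SRVS, sessions and shares
DRSUAPI = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"   # MS-DRSR, AD replication

# (interface UUID, OpNum) -> (function name, technique label).
# OpNum 12 appears twice: RCreateServiceW on svcctl, NetrSessionEnum on srvsvc,
# which is why the lookup key is the pair and never the OpNum alone.
SIGNATURES = {
    (WINREG, 20): ("BaseRegSaveKey", "registry-hive-dump"),
    (WINREG, 31): ("BaseRegSaveKeyEx", "registry-hive-dump"),
    (SVCCTL, 12): ("RCreateServiceW", "remote-service-creation"),
    (SVCCTL, 24): ("RCreateServiceA", "remote-service-creation"),
    (SVCCTL, 44): ("RCreateServiceWOW64A", "remote-service-creation"),
    (SVCCTL, 45): ("RCreateServiceWOW64W", "remote-service-creation"),
    (SVCCTL, 60): ("RCreateWowService", "remote-service-creation"),
    (SRVSVC, 12): ("NetrSessionEnum", "session-discovery"),
    (DRSUAPI, 3): ("DRSGetNCChanges", "directory-replication"),
}


def additional_fields(event):
    """AdditionalFields is a JSON string in exported rows; accept a dict too."""
    extra = event.get("AdditionalFields") or {}
    return json.loads(extra) if isinstance(extra, str) else extra


def classify(event):
    """Return (function, label) for a matching row, or None.
    Field names InterfaceUuid / OpNum are an assumption of this example."""
    if event.get("ActionType") != "InboundRemoteRpcCall":
        return None
    extra = additional_fields(event)
    try:
        key = (str(extra["InterfaceUuid"]).lower(), int(extra["OpNum"]))
    except (KeyError, TypeError, ValueError):
        return None
    return SIGNATURES.get(key)


def hunt(lines):
    """Run classify() over JSON lines and return one finding per matching row."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hit = classify(event)
        if hit is None:
            continue
        func, label = hit
        findings.append({
            "device": event.get("DeviceName"),
            "remote_ip": additional_fields(event).get("RemoteIP"),
            "function": func,
            "label": label,
        })
    return findings


def session_enum_sources(findings, min_devices=3):
    """Remote IPs that called NetrSessionEnum on at least min_devices hosts.
    One client enumerating sessions across the fleet is the SharpHound pattern;
    a single call from an admin workstation usually is not worth an alert."""
    per_source = defaultdict(set)
    for f in findings:
        if f["function"] == "NetrSessionEnum":
            per_source[f["remote_ip"]].add(f["device"])
    return sorted(ip for ip, hosts in per_source.items() if len(hosts) >= min_devices)


def make_row(device, iface, opnum, remote_ip, action="InboundRemoteRpcCall"):
    """Build one constructed DeviceEvents-style row (assumed layout)."""
    return json.dumps({
        "Timestamp": "2025-01-01T00:00:00Z",
        "DeviceName": device,
        "ActionType": action,
        "AdditionalFields": json.dumps(
            {"InterfaceUuid": iface, "OpNum": opnum, "RemoteIP": remote_ip}),
    })


# Constructed sample telemetry: a secretsdump-style hive save and a PsExec-style
# service creation from one host, session enumeration of three workstations
# from another, a benign registry read, and an unrelated action type.
SAMPLE_LINES = [
    make_row("fs01", WINREG.upper(), 20, "10.0.5.23"),
    make_row("fs01", SVCCTL, 12, "10.0.5.23"),
    make_row("ws01", SRVSVC, 12, "10.0.9.4"),
    make_row("ws02", SRVSVC, 12, "10.0.9.4"),
    make_row("ws03", SRVSVC, 12, "10.0.9.4"),
    make_row("fs01", WINREG, 17, "10.0.5.23"),              # BaseRegQueryValue: no signature
    make_row("fs01", SVCCTL, 12, "10.0.7.1", "ProcessCreated"),  # wrong ActionType: ignored
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LINES):
        print(finding)
    print("session enumeration sources:", session_enum_sources(hunt(SAMPLE_LINES)))
```

Running it lists five findings (the hive save, the service creation and three NetrSessionEnum calls) and names 10.0.9.4 as the only source enumerating sessions on three or more hosts; the OpNum 17 read and the non-RPC row produce nothing. The same keying on (interface, OpNum) carries over directly to an Advanced Hunting query against DeviceEvents.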
According to Microsoft, RPC monitoring for workstations is now generally available, while server-side monitoring is currently undergoing a gradual rollout. Microsoft recommends that security teams review monitored RPC activity via the Advanced Hunting tab and monitor for further updates as the server rollout progresses.