Microsoft has significantly expanded Microsoft Defender’s capabilities to monitor, detect, and disrupt attacks that abuse Remote Procedure Call (RPC), a core Windows protocol that has long been a prime target for threat actors seeking lateral movement, credential theft, and privilege escalation within enterprise networks.
Remote Procedure Call is a protocol that allows functions residing in a separate process or even on a remote machine to be invoked as though they were local. Because many foundational Windows and Active Directory features are built on top of RPC, it has become one of the most attractive attack surfaces in enterprise environments.
Key attack techniques that abuse RPC include:
- Lateral Movement – Remotely creating tasks, services, or invoking WMI via RPC interfaces
- Credential Theft – DCSync attacks exploit Active Directory replication RPC calls; tools like SecretsDump abuse the Windows Remote Registry interface (UUID: 338cd001-2244-31f1-aaaa-900038001003) to extract SAM and LSA secrets
- Privilege Escalation – Authentication coercion attacks force servers to authenticate to adversary-controlled systems through benign RPC interfaces
- Discovery – Tools like SharpHound enumerate users, sessions, and shares using RPC calls, mapped to MITRE ATT&CK techniques T1021, T1552.002, T1003.004, and T1003
Traditional network-layer monitoring of RPC traffic is both impractical at scale and entirely blind when the underlying transport, such as SMB3, is encrypted. To close this critical visibility gap, Microsoft’s Defender research and engineering teams extended the existing RPC integration with the Windows Filtering Platform (WFP) to achieve OpNum-level granularity.
This means Defender can now identify the exact RPC function being called, not just the interface, without intercepting or disrupting normal traffic flow. Monitoring is focused on inbound remote RPC calls observed on the server host, specifically targeting attacker-initiated interactions with exposed RPC interfaces. Local and outbound RPC calls remain out of scope.
Defender dynamically monitors selected remote operations from critical interfaces, including:
- Remote Registry
- Service Control Manager
- Task Scheduler
- Windows Management Instrumentation (WMI)
RPC monitoring is generally available for workstations, with a gradual rollout currently underway for servers. Active detections already shipping include:
- Ongoing hands-on-keyboard attacks via the Impacket toolkit
- Suspicious remote service creation (mapped to lateral movement)
- Indication of Local Security Authority (LSA) secrets theft
- Unusual RPC-based user and session discovery
- Authentication coercion attacks
Security teams can query RPC telemetry directly in Microsoft Defender’s Advanced Hunting tab using the InboundRemoteRpcCall action type within DeviceEvents.
Analysts can hunt for remote registry key save events (OpNums 20/31 on interface 338cd001) and remote service creation events (OpNums 12, 24, 44, 45, 60 on interface 367abb81), both commonly associated with credential dumping and lateral movement toolkits such as Impacket.
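To make the hunting logic above concrete, here is an added, self-contained Python example (not Microsoft's code and not the real Defender DeviceEvents schema) that classifies constructed inbound RPC telemetry records by the interface/OpNum pairs the article names: OpNums 20/31 on the 338cd001 (Remote Registry) interface and OpNums 12, 24, 44, 45, 60 on the 367abb81 (Service Control Manager) interface. The record field names (InterfaceUuid, OpNum, RemoteIP) and the sample events are assumptions made for this demo; in Advanced Hunting the equivalent filter would be on DeviceEvents rows whose ActionType is InboundRemoteRpcCall.

```python
"""Classify constructed inbound remote RPC telemetry by interface and OpNum.

Added example. The record layout is an assumption for this demo and is not
the Defender DeviceEvents schema. Interface prefixes and OpNums come from
the article's description of the hunting queries.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional

# The Remote Registry UUID is given in full by the article; for the Service
# Control Manager interface only the 8-character prefix is given, so both
# are matched on the prefix here.
REMOTE_REGISTRY_PREFIX = "338cd001"
SCM_PREFIX = "367abb81"

# prefix -> (watched OpNums, label) as described in the article
WATCHLIST = {
    REMOTE_REGISTRY_PREFIX: ({20, 31}, "remote registry key save (credential dumping)"),
    SCM_PREFIX: ({12, 24, 44, 45, 60}, "remote service creation (lateral movement)"),
}

# Constructed sample telemetry (assumed field names, not real events).
SAMPLE_EVENTS: List[dict] = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01",
     "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.5",
     "InterfaceUuid": "338cd001-2244-31f1-aaaa-900038001003", "OpNum": 20},
    {"Timestamp": "2024-01-01T10:00:02Z", "DeviceName": "ws01",
     "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.5",
     "InterfaceUuid": "367ABB81-placeholder-for-demo", "OpNum": 12},
    # Same SCM interface but an OpNum that is not on the watchlist.
    {"Timestamp": "2024-01-01T10:00:03Z", "DeviceName": "ws01",
     "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.5",
     "InterfaceUuid": "367abb81-placeholder-for-demo", "OpNum": 16},
    {"Timestamp": "2024-01-01T10:05:00Z", "DeviceName": "ws02",
     "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.9",
     "InterfaceUuid": "338cd001-2244-31f1-aaaa-900038001003", "OpNum": 31},
    # A non-RPC event type that must be ignored entirely.
    {"Timestamp": "2024-01-01T10:06:00Z", "DeviceName": "ws02",
     "ActionType": "OtherConstructedAction", "RemoteIP": "10.0.0.9",
     "InterfaceUuid": "338cd001-2244-31f1-aaaa-900038001003", "OpNum": 20},
]


def classify(record: dict) -> Optional[str]:
    """Return a label when the record is a watched interface/OpNum pair.

    Only inbound remote RPC calls are considered, matching the article's
    scope (local and outbound calls are out of scope). UUIDs are compared
    case-insensitively; a missing or non-integer OpNum never matches.
    """
    if record.get("ActionType") != "InboundRemoteRpcCall":
        return None
    uuid = str(record.get("InterfaceUuid", "")).lower()
    opnum = record.get("OpNum")
    if not isinstance(opnum, int):
        return None
    for prefix, (opnums, label) in WATCHLIST.items():
        if uuid.startswith(prefix) and opnum in opnums:
            return label
    return None


def hunt(records: Iterable[dict]) -> List[dict]:
    """Return the watched records, each annotated with its label."""
    hits = []
    for record in records:
        label = classify(record)
        if label is not None:
            hits.append({**record, "Label": label})
    return hits


def count_by_remote_ip(hits: Iterable[dict]) -> Dict[str, int]:
    """Count hits per source address; a single host triggering both the
    registry save and the service creation is the Impacket-style pattern
    worth escalating first."""
    return dict(Counter(h["RemoteIP"] for h in hits))


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["Timestamp"]} {h["DeviceName"]} <- {h["RemoteIP"]}: '
              f'OpNum {h["OpNum"]} on {h["InterfaceUuid"][:8]} = {h["Label"]}')
    print("hits per remote IP:", count_by_remote_ip(found))
```

The prefix match and the case-insensitive comparison are deliberate: UUIDs appear in telemetry in both cases, and the article identifies the interfaces by their leading 8 hex characters. Grouping hits by source address is what turns individual OpNum matches into the toolkit-style pattern the article describes, where one remote host first saves registry hives and then creates a service.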
This enhancement gives defenders unprecedented visibility into one of the most abused yet historically opaque attack vectors in Windows environments, directly within the Microsoft Defender portal, raising the cost of RPC-based intrusion significantly for threat actors.