Microsoft Defender Gains Granular RPC Protocol Abuse Monitoring
Microsoft Defender for Endpoint now offers deep visibility into abuse of the Remote Procedure Call (RPC) protocol, detecting lateral movement, credential theft, and privilege escalation attempts.

Microsoft has significantly enhanced Microsoft Defender for Endpoint's capabilities to monitor, detect, and disrupt attacks that leverage the Remote Procedure Call (RPC) protocol. RPC is a fundamental Windows protocol that threat actors frequently exploit for lateral movement, credential theft, and privilege escalation within enterprise networks. Its widespread use in core Windows and Active Directory functions makes it an attractive attack surface.
Attackers commonly abuse RPC for a range of malicious activities. These include lateral movement by remotely creating scheduled tasks or services and by invoking Windows Management Instrumentation (WMI). Credential theft is carried out through DCSync attacks, which exploit the Active Directory replication RPC calls, and through tools like secretsdump, which abuse the Windows Remote Registry interface to extract SAM and LSA secrets. Privilege escalation can occur via authentication coercion attacks that use otherwise benign RPC interfaces to force servers to authenticate to adversary-controlled systems. Discovery tools such as SharpHound also rely on RPC calls to enumerate users, sessions, and shares. Together these activities map to MITRE ATT&CK techniques such as T1021, T1552.002, T1003.004, and T1003.
Traditional network-layer monitoring of RPC traffic presents significant challenges. It is often impractical at scale and completely ineffective when the underlying transport, such as SMB3, is encrypted. To address this visibility gap, Microsoft's Defender research and engineering teams have integrated more deeply with the Windows Filtering Platform (WFP). This integration provides OpNum-level granularity, allowing Defender to identify the specific RPC function being called, not just the interface, without intercepting or disrupting legitimate network traffic.
The monitoring focuses on inbound remote RPC calls observed on the server host, specifically targeting interactions initiated by attackers with exposed RPC interfaces. Local and outbound RPC calls are excluded from this monitoring scope. Defender dynamically observes selected remote operations from critical interfaces, including the Service Control Manager, Task Scheduler, Windows Management Instrumentation (WMI), and the Remote Registry.
This new RPC auditing capability is generally available for workstations and is currently undergoing a gradual rollout for servers. Existing detections already incorporate this enhancement, providing alerts for ongoing hands-on-keyboard attacks utilizing the Impacket toolkit, suspicious remote service creation indicative of lateral movement, indications of local security authority (LSA) secrets theft, unusual RPC-based user and session discovery, and authentication coercion attacks.
Security teams can leverage the Advanced Hunting tab within Microsoft Defender to query RPC telemetry directly. By using the InboundRemoteRpcCall action type in DeviceEvents, analysts can hunt for specific malicious activities. For instance, Microsoft has provided examples of how to search for remote registry key save events (OpNums 20/31 on interface 338cd001) and remote service creation events (OpNums 12, 24, 44, 45, 60 on interface 367abb81), both commonly associated with credential dumping and lateral movement toolkits like Impacket.
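The same hunt expressed as offline detection logic, as an added example that is not Microsoft's query or code: it runs the article's interface/OpNum pairs over constructed DeviceEvents-style rows. The field names InterfaceUuid and OpNum inside AdditionalFields are assumptions; the article names each interface only by the first segment of its UUID, so matching is done on that prefix, while the full UUIDs in the sample rows are the standard MS-RRP and MS-SCMR interface IDs.

```python
import json

# Interface prefixes and OpNums named in the article. The article identifies each
# interface by the leading segment of its UUID, so the rule matches on that prefix only.
WATCHED_RPC_OPS = {
    "338cd001": ("remote registry key save", {20, 31}),              # credential dumping
    "367abb81": ("remote service creation", {12, 24, 44, 45, 60}),   # lateral movement
}

def classify_rpc_event(event):
    """Return a finding for one DeviceEvents-style row, or None if it is not a watched call.

    The keys read from AdditionalFields (InterfaceUuid, OpNum) are assumptions for this
    example; inspect the JSON of a real InboundRemoteRpcCall row before reusing them.
    """
    if event.get("ActionType") != "InboundRemoteRpcCall":
        return None
    extra = json.loads(event.get("AdditionalFields") or "{}")
    iface = str(extra.get("InterfaceUuid", "")).lower()
    opnum = extra.get("OpNum")
    for prefix, (label, opnums) in WATCHED_RPC_OPS.items():
        if iface.startswith(prefix) and opnum in opnums:
            return {"device": event.get("DeviceName"), "remote_ip": event.get("RemoteIP"),
                    "interface": iface, "opnum": opnum, "technique": label}
    return None

def hunt(events):
    """Run the classifier over a batch of rows and keep only the hits."""
    return [f for f in map(classify_rpc_event, events) if f is not None]

# Constructed sample telemetry shaped like DeviceEvents rows (not real Defender output).
SAMPLE_EVENTS = [
    {"DeviceName": "dc01", "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.25",
     "AdditionalFields": json.dumps({"InterfaceUuid": "338cd001-2244-31f1-aaaa-900038001003", "OpNum": 20})},
    {"DeviceName": "fs02", "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.25",
     "AdditionalFields": json.dumps({"InterfaceUuid": "367abb81-9844-35f1-ad32-98f038001003", "OpNum": 12})},
    # OpNum 15 on the service control interface is not one of the watched creation calls.
    {"DeviceName": "fs02", "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.7",
     "AdditionalFields": json.dumps({"InterfaceUuid": "367abb81-9844-35f1-ad32-98f038001003", "OpNum": 15})},
    {"DeviceName": "ws11", "ActionType": "ProcessCreated", "RemoteIP": "", "AdditionalFields": "{}"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['device']}: {f['technique']} from {f['remote_ip']} (OpNum {f['opnum']})")
```

Both hits come from the same remote IP, which is the kind of pivot (one source touching the registry on a domain controller and creating a service on a file server) worth grouping on in a real query.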
This advancement offers defenders unprecedented visibility into one of the most historically opaque yet heavily abused attack vectors within Windows environments. By providing detailed insights directly within the Microsoft Defender portal, security teams are better equipped to identify and respond to sophisticated threats that exploit the RPC protocol.