GBHackers

Microsoft Defender Adds Monitoring for RPC Protocol Abuse in Cyberattacks


Microsoft has introduced enhanced monitoring capabilities in Microsoft Defender for Endpoint to detect and disrupt cyberattacks that abuse the Remote Procedure Call (RPC) protocol, a core Windows communication mechanism that threat actors frequently exploit for lateral movement and credential access.

Announced on June 8, 2026, the update provides granular visibility into inbound remote RPC activity, enabling security teams to identify malicious operations tied to specific RPC functions rather than just high-level interfaces.

Microsoft Defender Adds Monitoring for RPC Protocol

RPC is widely used across Windows environments, particularly within Active Directory, enabling communication between processes locally and across networks.

However, its deep integration into critical services such as the Service Control Manager, Remote Registry, Task Scheduler, and Windows Management Instrumentation (WMI) has made it a prime target for attackers.

Techniques such as lateral movement via remote service creation, credential dumping through registry access, DCSync-based credential theft, and authentication coercion attacks all rely heavily on RPC functionality.

To address this, Microsoft has expanded Defender’s integration with the Windows Filtering Platform (WFP), enabling OpNum-level inspection of RPC calls. OpNum, or operation number, corresponds to a specific function within an RPC interface, allowing Defender to identify exactly which action is being invoked.

This advancement provides significantly improved detection fidelity, enabling security tools to distinguish between benign and suspicious RPC operations within the same interface.

Microsoft Defender now monitors RPC activity (Source: Microsoft)

Unlike traditional network-based monitoring approaches, which can be limited by encrypted transport protocols like SMB3 or introduce performance overhead, Defender’s telemetry collection occurs directly on the endpoint using audit-only WFP filters.

This ensures that monitoring does not interfere with legitimate operations while still capturing detailed insights into inbound RPC activity targeting a device. Notably, the capability focuses exclusively on remote inbound RPC calls, excluding local inter-process communication and outbound RPC requests.

Microsoft stated that Defender dynamically monitors selected RPC operations across commonly abused interfaces, including Remote Registry and Service Control Manager.

The feature is already generally available for workstations, while rollout for server environments is ongoing. The collected telemetry is surfaced in Microsoft Defender’s Advanced Hunting interface, enabling threat hunters to query and correlate RPC activity with broader attack patterns.

The update also introduces built-in detections and automated disruption capabilities for several RPC-based attack techniques.

These include detecting hands-on-keyboard attacks using tools such as Impacket, suspicious remote service creation indicative of lateral movement, attempts to extract Local Security Authority (LSA) secrets, unusual account and session enumeration activity, and authentication coercion attacks.

Security teams can use Advanced Hunting queries to identify specific RPC abuse scenarios. For example, monitoring Remote Registry operations such as BaseRegSaveKey can help detect credential-dumping attempts, while tracking service-creation operations such as RCreateServiceW can reveal unauthorized lateral movement.

Similarly, analyzing session enumeration calls through the srvsvc interface can uncover reconnaissance activity targeting user sessions across the network.
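The following is an added illustration, not code from the article or from Microsoft, of the OpNum-level distinction the article describes: calls on the same interface are separated by operation number, so a benign registry read is left alone while the hive-save, service-creation and session-enumeration functions named above are flagged. The event shape and field names are hypothetical; the OpNum values are the ones published in the MS-RRP, MS-SCMR and MS-SRVS specifications.

```python
from collections import Counter

# Function names per OpNum for the interfaces the article names (a subset,
# taken from the MS-RRP, MS-SCMR and MS-SRVS specifications).
OPNUM_NAMES = {
    "winreg": {17: "BaseRegQueryValue", 20: "BaseRegSaveKey"},
    "svcctl": {16: "ROpenServiceW", 12: "RCreateServiceW"},
    "srvsvc": {15: "NetrShareEnum", 12: "NetrSessionEnum"},
}

# OpNum-level functions the article ties to specific techniques.
SUSPICIOUS = {
    "BaseRegSaveKey": "registry hive save (credential dumping)",
    "RCreateServiceW": "remote service creation (lateral movement)",
    "NetrSessionEnum": "session enumeration (reconnaissance)",
}


def classify(event):
    """Return (function_name, technique); technique is None for calls
    that are not one of the flagged operations, even on the same interface."""
    name = OPNUM_NAMES.get(event["interface"], {}).get(event["opnum"])
    if name is None:
        name = f"{event['interface']}:opnum{event['opnum']}"
    return name, SUSPICIOUS.get(name)


def hunt(events):
    """Collect flagged inbound calls and count them per source address."""
    findings, per_source = [], Counter()
    for ev in events:
        name, technique = classify(ev)
        if technique:
            findings.append((ev["src"], ev["dst"], name, technique))
            per_source[ev["src"]] += 1
    return findings, per_source


# Constructed sample telemetry; hypothetical field names, not Defender's schema.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst": "WS01", "interface": "winreg", "opnum": 17},  # benign read
    {"src": "10.0.0.5", "dst": "WS01", "interface": "winreg", "opnum": 20},  # hive save
    {"src": "10.0.0.5", "dst": "WS01", "interface": "svcctl", "opnum": 12},  # new service
    {"src": "10.0.0.9", "dst": "WS02", "interface": "srvsvc", "opnum": 15},  # share enum
    {"src": "10.0.0.9", "dst": "WS02", "interface": "srvsvc", "opnum": 12},  # session enum
    {"src": "10.0.0.9", "dst": "WS02", "interface": "svcctl", "opnum": 16},  # open service
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS)[0]:
        print(finding)
```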

This enhancement reflects a broader industry trend toward deeper inspection of native protocols commonly abused by attackers, particularly those embedded within enterprise operating systems.

By providing visibility into RPC at the function level, Microsoft aims to close a longstanding gap in endpoint detection that allows attackers to blend malicious activity with legitimate system operations.

As attackers continue to exploit built-in administrative tools and protocols to evade detection, capabilities like RPC monitoring are expected to play a critical role in strengthening endpoint security posture.

Organizations using Microsoft Defender are encouraged to review the new telemetry streams and integrate RPC-based detections into their threat-hunting and incident-response workflows.

