Microsoft Defender Adds Monitoring for RPC Protocol Abuse in Cyberattacks

[harlan4096]

Microsoft has introduced enhanced monitoring capabilities in Microsoft Defender for Endpoint to detect and disrupt cyberattacks that abuse the Remote Procedure Call (RPC) protocol, a core Windows communication mechanism that threat actors frequently exploit for lateral movement and credential access.

Announced on June 8, 2026, the update provides granular visibility into inbound remote RPC activity, enabling security teams to identify malicious operations tied to specific RPC functions rather than just high-level interfaces.

Microsoft Defender Adds Monitoring for RPC Protocol

RPC is widely used across Windows environments, particularly within Active Directory, enabling communication between processes locally and across networks.

However, its deep integration into critical services such as the Service Control Manager, Remote Registry, Task Scheduler, and Windows Management Instrumentation (WMI) has made it a prime target for attackers.

Techniques such as lateral movement via remote service creation, credential dumping through registry access, DCsync-based credential theft, and authentication coercion attacks all rely heavily on RPC functionality.

To address this, Microsoft has expanded Defender’s integration with the Windows Filtering Platform (WFP), enabling OpNum-level inspection of RPC calls. OpNum, or operation number, corresponds to a specific function within an RPC interface, allowing Defender to identify exactly which action is being invoked.

Continue Reading...