Microsoft has expanded Microsoft Defender with new capabilities that monitor Remote Procedure Call activity, giving security teams deeper visibility into one of the most commonly abused Windows protocols used in cyberattacks.
Quick Summary – TLDR:
- Microsoft Defender can now monitor inbound Remote Procedure Call (RPC) activity.
- The new capability helps detect credential theft, lateral movement, privilege escalation, and reconnaissance attacks.
- Defender now provides OpNum level visibility, allowing security teams to see specific RPC functions being executed.
- RPC monitoring is available for workstations, while server support is currently rolling out.
What Happened?
Microsoft announced new Microsoft Defender capabilities that enable organizations to monitor and detect malicious activity involving Remote Procedure Call (RPC). The update closes a long standing visibility gap that attackers have frequently exploited to move across networks, steal credentials, and gain elevated privileges inside Windows environments.
The new feature allows Defender to monitor inbound remote RPC calls and surface related telemetry directly within the Advanced Hunting experience.
‼️𝗠𝗜𝗖𝗥𝗢𝗦𝗢𝗙𝗧 𝗗𝗘𝗙𝗘𝗡𝗗𝗘𝗥 𝗝𝗨𝗦𝗧 𝗚𝗢𝗧 𝗔 𝗠𝗔𝗝𝗢𝗥 𝗩𝗜𝗦𝗜𝗕𝗜𝗟𝗜𝗧𝗬 𝗕𝗢𝗢𝗦𝗧
— CyberX (@CyberXlx9q) June 9, 2026
Microsoft Defender can now monitor Remote Procedure Call (RPC) activity—one of the most commonly abused mechanisms for lateral movement, credential theft, and stealthy…
Why RPC Is a Popular Target?
RPC is a core Windows protocol that allows applications and services to execute functions on another process or remote system as if those functions were running locally.
Many important Windows and Active Directory services depend on RPC, including:
- Service Control Manager
- Task Scheduler
- Remote Registry
- Windows Management Instrumentation (WMI)
- Active Directory replication services
Because of its deep integration into Windows, RPC has become a favored target for threat actors.
Microsoft highlighted several attack techniques that frequently abuse RPC functionality:
- Lateral movement through remote service creation, scheduled tasks, and WMI execution.
- Credential theft through DCsync attacks and tools such as SecretsDump.
- Privilege escalation through authentication coercion attacks.
- Network discovery using tools such as SharpHound to enumerate users, sessions, and shared resources.
These attack methods are commonly associated with MITRE ATT&CK techniques including credential access, remote service execution, and account discovery.
How Microsoft Defender Monitors RPC Activity?
Monitoring RPC traffic has traditionally been difficult for defenders. Network based monitoring often becomes expensive at scale and can lose visibility when protocols such as SMB3 encryption are used.
To address this challenge, Microsoft expanded Defender’s integration with the Windows Filtering Platform (WFP).
The enhancement provides OpNum level granularity, allowing Defender to identify the exact RPC function being called instead of only identifying the broader RPC interface.
For security monitoring, two RPC components are especially important:
- Interface: A logical collection of functions exposed by an RPC server and identified by a UUID.
- OpNum: The operation number that identifies a specific function within an interface.
This level of visibility helps security teams better understand attacker behavior and identify suspicious remote actions.
Microsoft said telemetry is collected using audit only WFP filters that observe activity without disrupting normal operations. Monitoring focuses exclusively on inbound remote RPC calls, while local and outbound RPC activity remain outside the scope of the feature.
New Detection Capabilities
Microsoft Defender already uses the new RPC telemetry to power several active detections.
These include:
- Hands on keyboard attacks using the Impacket toolkit.
- Suspicious remote service creation.
- Local Security Authority secrets theft attempts.
- Unusual RPC based user and session discovery.
- Authentication coercion attacks.
The telemetry is exposed through the InboundRemoteRpcCall action type within the DeviceEvents table in Advanced Hunting.
Security teams can use this data to investigate activities linked to credential dumping, lateral movement, and reconnaissance operations.
Microsoft also demonstrated how analysts can hunt for:
- Remote registry save events associated with credential theft.
- Remote service creation linked to lateral movement.
- Session enumeration activity commonly used by SharpHound and similar reconnaissance tools.
Why This Matters?
RPC has long been one of the most important yet least visible attack surfaces in Windows environments. Attackers have repeatedly leveraged RPC-based techniques because defenders often lacked detailed insight into the specific operations being executed.
With OpNum level monitoring now built into Microsoft Defender, organizations gain significantly better visibility into suspicious remote activity. The update enables security teams to detect attacks earlier and investigate potentially compromised systems with greater precision.
Microsoft recommends that defenders review RPC activity within the Advanced Hunting portal and watch for additional updates as server-side deployment continues across customer environments.
SQ Magazine Takeaway
I think this is one of Microsoft’s most practical Defender improvements in recent months. Attackers have relied on RPC for years because it sits at the center of many Windows management functions and has traditionally been difficult to monitor. Giving defenders visibility into the exact RPC operations being executed could make it much harder for threat actors to hide lateral movement and credential theft activities. For organizations heavily invested in Windows and Active Directory, this update adds a valuable new layer of detection without requiring additional infrastructure.
