Source: Microsoft Defender for Endpoint Blog articles
Author: EdanZwick
URL: https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-now-monitors-rpc-activity/4523368
ONE SENTENCE SUMMARY:
Microsoft Defender now audits inbound remote RPC calls at OpNum granularity to detect, disrupt, and hunt common Windows attacks.
MAIN POINTS:
- Remote procedure call (RPC) lets a program invoke functions on a remote host as if they were executed locally.
- Windows and Active Directory rely heavily on RPC, making it a frequent attacker target.
- RPC interfaces group server functionality and are identified by UUIDs.
- Within an RPC interface, the operation number (OpNum) uniquely identifies the specific function being invoked.
- Lateral movement commonly abuses RPC for remote tasks, services, and WMI execution.
- Credential theft includes DCSync replication abuse and remote registry-based secrets dumping.
- Privilege escalation can involve authentication coercion through legitimate RPC interfaces.
- Discovery tooling like SharpHound enumerates users, sessions, and shares via RPC calls.
- Defender integrates with the Windows Filtering Platform (WFP) to audit remote RPC calls, even when the transport is encrypted.
- The telemetry covers inbound, server-side remote RPC only; local RPC and outbound calls are excluded.
TAKEAWAYS:
- OpNum-level visibility improves detection precision beyond interface-only monitoring.
- Audit-only WFP filters provide scalable RPC telemetry without disrupting normal traffic.
- Hunting data enables investigations of remote registry saves, service creation, and session discovery.
- Built-in detections cover Impacket activity, secrets theft indicators, and coercion attempts.
- Workstation RPC monitoring is generally available (GA), while server coverage is rolling out gradually.