Microsoft Defender Now Monitors RPC Protocol Abuse by Hackers

Source: Cyber Security News
By Guru Baran, June 9, 2026

Microsoft has expanded Microsoft Defender's capabilities to monitor, detect, and disrupt attacks that abuse Remote Procedure Call (RPC), a core Windows protocol long exploited by threat actors for lateral movement, credential theft, and privilege escalation.

Remote Procedure Call (RPC) allows a function that lives in a separate process, or on a remote machine, to be invoked as though it were local. Because many foundational Windows and Active Directory features are built on RPC, it has become one of the most attractive attack surfaces in enterprise environments. Key attack techniques that abuse RPC include:

- Lateral movement: remotely creating scheduled tasks or services, or invoking WMI, through RPC interfaces.
- Credential theft: DCSync attacks abuse the Active Directory replication RPC calls; SecretsDump and similar tools abuse the Windows Remote Registry interface (UUID 338cd001-2244-31f1-aaaa-900038001003) to extract SAM and LSA secrets.
- Privilege escalation: authentication coercion attacks force servers to authenticate to adversary-controlled systems through otherwise benign RPC interfaces.
- Discovery: tools such as SharpHound enumerate users, sessions, and shares using RPC calls.

Microsoft maps these techniques to MITRE ATT&CK T1021, T1552.002, T1003.004, and T1003.

How Defender's RPC Auditing Works

Traditional network-layer monitoring of RPC traffic is impractical at scale and entirely blind when the underlying transport (such as SMB3) is encrypted. To close this gap, Microsoft's Defender research and engineering teams extended the existing RPC integration with the Windows Filtering Platform (WFP) to achieve OpNum-level granularity: Defender can now identify the exact RPC function being called, not just the interface, without intercepting or disrupting normal traffic.
Monitoring is focused on inbound remote RPC calls observed on the server host, specifically attacker-initiated interactions with exposed RPC interfaces. Local and outbound RPC calls are out of scope. Defender dynamically monitors selected remote operations on critical interfaces, including Remote Registry, Service Control Manager, Task Scheduler, and Windows Management Instrumentation (WMI). RPC monitoring is generally available for workstations, with a gradual rollout currently underway for servers.

Active detections already shipping include:

- Ongoing hands-on-keyboard attack via the Impacket toolkit
- Suspicious remote service creation (mapped to lateral movement)
- Indication of Local Security Authority (LSA) secrets theft
- Unusual RPC-based user and session discovery
- Authentication coercion attacks

Security teams can query RPC telemetry directly in the Advanced Hunting tab using the InboundRemoteRpcCall action type in the DeviceEvents table. The screenshots shared by Microsoft show analysts hunting for remote registry key save events (OpNums 20 and 31 on interface 338cd001, that is, the MS-RRP BaseRegSaveKey and BaseRegSaveKeyEx operations) and remote service creation events (OpNums 12, 24, 44, 45, and 60 on interface 367abb81, the MS-SCMR RCreateService family), both commonly associated with credential dumping and lateral movement toolkits such as Impacket.

This enhancement gives defenders visibility into one of the most abused yet historically opaque attack vectors in Windows environments, directly within the Microsoft Defender portal.

About the author: Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
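To make the two Advanced Hunting hunts described in the article concrete, here is an added example (not Microsoft's code and not from the original article) that applies the same interface/OpNum filters in Python to constructed DeviceEvents-like rows. It assumes the InboundRemoteRpcCall event carries the interface UUID and OpNum as "InterfaceUuid" and "OpNum" keys inside AdditionalFields; those key names are an assumption to verify against a real row in the portal, and the sample rows are constructed, not real telemetry. The operation names beside each OpNum come from the public MS-RRP and MS-SCMR opnum tables.

```python
"""Triage Defender InboundRemoteRpcCall events by RPC interface and OpNum."""
import json
from dataclasses import dataclass

# Interface UUIDs named in the article: MS-RRP (Remote Registry) and
# MS-SCMR (Service Control Manager). The screenshots match on the first
# UUID block (338cd001 / 367abb81); the full UUIDs are used here.
WINREG_UUID = "338cd001-2244-31f1-aaaa-900038001003"
SVCCTL_UUID = "367abb81-9844-35f1-ad32-98f038001003"

CRED_DUMP = "credential dumping"
LATERAL = "lateral movement"

# (interface, opnum) -> (operation name, hunt category). OpNums are the ones
# the article cites; operation names are from the MS-RRP / MS-SCMR opnum tables.
WATCHED_OPS = {
    (WINREG_UUID, 20): ("BaseRegSaveKey", CRED_DUMP),
    (WINREG_UUID, 31): ("BaseRegSaveKeyEx", CRED_DUMP),
    (SVCCTL_UUID, 12): ("RCreateServiceW", LATERAL),
    (SVCCTL_UUID, 24): ("RCreateServiceA", LATERAL),
    (SVCCTL_UUID, 44): ("RCreateServiceWOW64A", LATERAL),
    (SVCCTL_UUID, 45): ("RCreateServiceWOW64W", LATERAL),
    (SVCCTL_UUID, 60): ("RCreateWowService", LATERAL),
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    device: str
    remote_ip: str
    interface: str
    opnum: int
    operation: str
    category: str


def classify_events(rows):
    """Return a Finding for each inbound remote RPC call that hits WATCHED_OPS.

    Rows are dicts shaped like DeviceEvents records. Only
    ActionType == "InboundRemoteRpcCall" is considered, matching the article's
    scope (inbound calls on the server host; local and outbound calls are not
    logged). The AdditionalFields keys "InterfaceUuid" and "OpNum" are an
    ASSUMPTION about the JSON schema, not a documented field list.
    """
    findings = []
    for row in rows:
        if row.get("ActionType") != "InboundRemoteRpcCall":
            continue
        extra = json.loads(row.get("AdditionalFields") or "{}")
        uuid = str(extra.get("InterfaceUuid", "")).lower()
        try:
            opnum = int(extra.get("OpNum"))
        except (TypeError, ValueError):
            continue  # malformed row: skip it rather than abort the hunt
        hit = WATCHED_OPS.get((uuid, opnum))
        if hit is None:
            continue
        findings.append(Finding(
            timestamp=row.get("Timestamp", ""),
            device=row.get("DeviceName", ""),
            remote_ip=row.get("RemoteIP", ""),
            interface=uuid,
            opnum=opnum,
            operation=hit[0],
            category=hit[1],
        ))
    return findings


def summarize_by_source(findings):
    """Count findings per (remote_ip, category).

    One source IP appearing under both categories is the shape of an
    Impacket-style secretsdump-then-service-execution sequence and deserves
    priority over isolated hits.
    """
    counts = {}
    for f in findings:
        key = (f.remote_ip, f.category)
        counts[key] = counts.get(key, 0) + 1
    return counts


def _row(ts, device, ip, uuid, opnum, action="InboundRemoteRpcCall"):
    """Build a constructed DeviceEvents-like row (sample data, not real telemetry)."""
    return {
        "Timestamp": ts,
        "DeviceName": device,
        "ActionType": action,
        "RemoteIP": ip,
        "AdditionalFields": json.dumps({"InterfaceUuid": uuid, "OpNum": opnum}),
    }


# Constructed sample: one source saves registry hives twice then creates a
# service; a second source only creates a service; one row is unrelated noise.
SAMPLE_ROWS = [
    _row("2026-06-09T10:00:01Z", "srv01", "10.0.0.5", WINREG_UUID, 20),
    _row("2026-06-09T10:00:02Z", "srv01", "10.0.0.5", WINREG_UUID, 31),
    _row("2026-06-09T10:00:03Z", "srv01", "10.0.0.5", WINREG_UUID, 15),  # not a watched opnum
    _row("2026-06-09T10:00:09Z", "srv01", "10.0.0.5", SVCCTL_UUID, 12),
    _row("2026-06-09T10:05:00Z", "srv02", "10.0.0.9", SVCCTL_UUID, 60),
    _row("2026-06-09T10:05:01Z", "srv02", "10.0.0.9", SVCCTL_UUID, 12, action="ProcessCreated"),
]

if __name__ == "__main__":
    found = classify_events(SAMPLE_ROWS)
    for f in found:
        print(f"{f.timestamp} {f.device} <- {f.remote_ip}: {f.operation} (opnum {f.opnum}) [{f.category}]")
    for (ip, cat), n in sorted(summarize_by_source(found).items()):
        print(f"{ip}: {n} x {cat}")
```

Run stand-alone, the script flags four of the six sample rows and reports 10.0.0.5 under both categories, which is the combination worth escalating first. In the portal the same logic is a filter on ActionType == "InboundRemoteRpcCall" in DeviceEvents, a parse of AdditionalFields to pull out the interface and OpNum, and an aggregation by RemoteIP; confirm the real key names from one row before building the saved query.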