Microsoft Defender Now Monitors RPC Protocol Abuse by Hackers
By Guru Baran
June 9, 2026
Microsoft has expanded Microsoft Defender’s capabilities to monitor, detect, and disrupt attacks that abuse Remote Procedure Call (RPC), a core Windows protocol long exploited by threat actors for lateral movement, credential theft, and privilege escalation.
Remote Procedure Call (RPC) is a protocol that allows functions residing in a separate process — or even on a remote machine — to be invoked as though they were local.
Because many foundational Windows and Active Directory features are built on RPC, it has become one of the most attractive attack surfaces in enterprise environments. Key attack techniques that abuse RPC include:
Lateral Movement – Remotely creating scheduled tasks or services, or invoking WMI, through their RPC interfaces
Credential Theft – DCSync attacks exploit the Active Directory replication (DRSUAPI) RPC calls; SecretsDump and similar tools abuse the Windows Remote Registry interface (UUID: 338cd001-2244-31f1-aaaa-900038001003) to save the SAM and SECURITY hives remotely and extract SAM and LSA secrets from them
Privilege Escalation – Authentication coercion attacks use otherwise benign RPC interfaces to force servers to authenticate to adversary-controlled systems, where the authentication can be relayed
Discovery – Tools like SharpHound enumerate users, sessions, and shares using RPC calls
These behaviors map to the MITRE ATT&CK techniques T1021 (Remote Services), T1552.002 (Credentials in Registry), T1003.004 (LSA Secrets), and T1003 (OS Credential Dumping).
How Defender’s RPC Auditing Works
Traditional network-layer monitoring of RPC traffic is impractical at scale and entirely blind when the underlying transport (such as SMB3) is encrypted or when the RPC binding itself negotiates packet privacy.
To close this gap, Microsoft’s Defender research and engineering teams extended the existing RPC integration with the Windows Filtering Platform (WFP) to achieve OpNum-level granularity.
This means Defender can now identify the exact RPC function being called (the OpNum is the zero-based index of the operation within an interface's IDL), not just the interface, without intercepting or disrupting normal traffic.
Monitoring is focused on inbound remote RPC calls observed on the server host, specifically targeting attacker-initiated interactions with exposed RPC interfaces. Local and outbound RPC calls are out of scope.
Defender dynamically monitors selected remote operations from critical interfaces, including Remote Registry, Service Control Manager, Task Scheduler, and Windows Management Instrumentation (WMI).
RPC monitoring is generally available for workstations, with a gradual rollout currently underway for servers. Active detections already shipping include:
Ongoing hands-on-keyboard attack via the Impacket toolkit
Suspicious remote service creation (mapped to lateral movement)
Indication of local security authority (LSA) secrets theft
Unusual RPC-based user and session discovery
Authentication coercion attacks
Security teams can query RPC telemetry directly in Advanced Hunting using the InboundRemoteRpcCall action type in the DeviceEvents table.
The screenshots shared by Microsoft show how analysts can hunt for remote registry key save events (OpNums 20 and 31, BaseRegSaveKey and BaseRegSaveKeyEx, on the Remote Registry interface 338cd001) and remote service creation events (OpNums 12, 24, 44, 45 and 60, the RCreateService* family, on the Service Control Manager interface 367abb81), both of which are commonly associated with credential dumping and lateral movement toolkits such as Impacket.
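The following is an added example, not Microsoft's code or a query taken from the article, showing the same two hunts as detection logic run over constructed DeviceEvents-style rows. The rows are made up, and the AdditionalFields key names (InterfaceUuid, OpNum) are assumed for illustration rather than the documented Defender schema; the interface UUIDs and OpNum-to-operation names come from the protocol specifications [MS-RRP] and [MS-SCMR]. Grouping findings by source address is what lets a single remote host that performs both a hive save and a service creation stand out as an Impacket-style chain.

```python
"""Flag inbound remote RPC calls matching the registry hive save and remote
service creation OpNums discussed above, grouped by the calling host.

Added example, not Microsoft's code. Sample rows are constructed; the
AdditionalFields keys InterfaceUuid and OpNum are assumed names."""
import json
from collections import defaultdict

# Interface UUIDs from [MS-RRP] (Remote Registry) and [MS-SCMR] (Service Control Manager).
WINREG = "338cd001-2244-31f1-aaaa-900038001003"
SVCCTL = "367abb81-9844-35f1-ad32-98f038001003"

# Watched OpNum -> operation name, taken from each specification's IDL.
WATCHED = {
    WINREG: {20: "BaseRegSaveKey", 31: "BaseRegSaveKeyEx"},
    SVCCTL: {12: "RCreateServiceW", 24: "RCreateServiceA",
             44: "RCreateServiceWOW64A", 45: "RCreateServiceWOW64W",
             60: "RCreateWowService"},
}
TECHNIQUE = {WINREG: "T1003 credential dumping (registry hive save)",
             SVCCTL: "T1021 lateral movement (remote service creation)"}


def classify(event):
    """Return a finding for a watched inbound remote RPC call, else None."""
    if event.get("ActionType") != "InboundRemoteRpcCall":
        return None
    try:
        fields = json.loads(event.get("AdditionalFields") or "{}")
        opnum = int(fields["OpNum"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed or missing OpNum: do not guess
    uuid = str(fields.get("InterfaceUuid", "")).lower()  # UUIDs may arrive upper-case
    ops = WATCHED.get(uuid)
    if not ops or opnum not in ops:
        return None
    return {"device": event.get("DeviceName"), "remote_ip": event.get("RemoteIP"),
            "interface": uuid, "opnum": opnum, "operation": ops[opnum],
            "technique": TECHNIQUE[uuid]}


def hunt(events):
    """Group findings by remote address so a host doing both a hive save and a
    service creation (the Impacket pattern) is visible in one place."""
    by_source = defaultdict(list)
    for ev in events:
        finding = classify(ev)
        if finding:
            by_source[finding["remote_ip"]].append(finding)
    return dict(by_source)


# Constructed sample rows (not real telemetry); keys mimic DeviceEvents columns.
SAMPLE = [
    {"DeviceName": "fs01", "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.66",
     "AdditionalFields": json.dumps({"InterfaceUuid": WINREG.upper(), "OpNum": 20})},
    {"DeviceName": "fs01", "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.66",
     "AdditionalFields": json.dumps({"InterfaceUuid": SVCCTL, "OpNum": 12})},
    # OpNum 16 on svcctl is ROpenServiceW: routine admin noise, not watched.
    {"DeviceName": "fs01", "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.5",
     "AdditionalFields": json.dumps({"InterfaceUuid": SVCCTL, "OpNum": 16})},
    {"DeviceName": "fs01", "ActionType": "ProcessCreated", "RemoteIP": "",
     "AdditionalFields": "{}"},
    {"DeviceName": "fs01", "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.0.0.9",
     "AdditionalFields": json.dumps({"InterfaceUuid": WINREG, "OpNum": 31})},
]

if __name__ == "__main__":
    for ip, findings in hunt(SAMPLE).items():
        print(ip, [(f["operation"], f["technique"]) for f in findings])
```

In a real hunt the per-source grouping would be a summarize over RemoteIP and DeviceName in the Advanced Hunting query; the point of the example is that matching on interface UUID plus OpNum, rather than on the interface alone, is what separates a hive save or service creation from the routine registry and SCM traffic that uses the same pipes.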
This enhancement gives defenders unprecedented visibility into one of the most abused yet historically opaque attack vectors in Windows environments, directly within the Microsoft Defender portal.
Guru Baran, https://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.