Microsoft Defender Just Closed a Major Telemetry Gap: Server-Side RPC Monitoring Is Here + Video


Introduction:

Remote Procedure Call (RPC) is the backbone of Windows inter-process communication, enabling core functions like remote service management, task scheduling, and WMI operations. Because RPC is foundational to Active Directory and Windows administration, it has long been one of the most attractive, and historically blind, attack surfaces for adversaries performing lateral movement, credential dumping, and privilege escalation. Microsoft has now expanded Microsoft Defender’s capabilities to monitor inbound remote RPC calls at the operation-number (OpNum) level, generating telemetry directly on the server side, so an attacker cannot kill, evade, or bypass the EDR on the client to prevent generation of this critical data.

Learning Objectives:

  • Understand how Microsoft Defender’s new server-side RPC auditing works at the Windows Filtering Platform (WFP) level and why this closes a major detection gap.
  • Learn to hunt for malicious RPC activity using Advanced Hunting queries and investigate MITRE ATT&CK techniques T1021 (Remote Services), T1003 (Credential Dumping), and T1552 (Unsecured Credentials).
  • Master practical configuration and detection techniques, including enabling RPC audit policies, deploying the RPC Firewall, and using ETW providers for custom monitoring.

You Should Know:

1. Understanding Microsoft Defender’s Server-Side RPC Telemetry

Traditional network-layer monitoring of RPC traffic is impractical at scale and entirely blind when the underlying transport (such as SMB3) is encrypted. Microsoft closed this gap by extending the existing RPC integration with the Windows Filtering Platform (WFP) to achieve OpNum-level granularity—meaning Defender can now identify the exact RPC function being called, not just the interface, without intercepting or disrupting normal traffic. Monitoring is focused on inbound remote RPC calls observed on the server host, specifically targeting attacker-initiated interactions with exposed RPC interfaces like Remote Registry, Service Control Manager, Task Scheduler, and WMI. This telemetry is generated on the server side, which means an attacker cannot kill, evade, or bypass the EDR to prevent its generation.

Step-by-Step Guide to Hunting RPC Telemetry in Microsoft Defender:

  1. Navigate to the Microsoft Defender Portal → Advanced Hunting.
  2. Use the `InboundRemoteRpcCall` action type in the `DeviceEvents` table to query RPC telemetry.
  3. Hunt for remote registry key save events—common in credential dumping—using the interface UUID `338cd001-2244-31f1-aaaa-900038001003` and OpNums 20 or 31.
  4. Hunt for suspicious remote service creation (lateral movement) using interface UUID `367abb81` and OpNums 12, 24, 44, 45, or 60.
  5. Investigate alerts for ongoing hands-on-keyboard attacks via the Impacket toolkit or unusual RPC-based user and session discovery.

2. Configuring RPC Auditing via Windows Audit Policy

Before Microsoft Defender’s native monitoring was available, defenders had to rely on native Windows auditing. This is still valuable for environments not fully onboarded to Defender or for custom SIEM rules.

Step-by-Step Guide to Enable RPC Auditing via Group Policy:

  1. Open Group Policy Management Console (GPMC) and edit a GPO linked to your target servers.
  2. Navigate to: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking.
  3. Double-click Audit RPC Events and check both Success and Failure.
  4. Alternatively, use the command line on a local system:

`auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable`

  5. Verify the policy is applied:

`auditpol /get /subcategory:"RPC Events"`

  6. Forward these events (Event IDs 5712, 5713, and others) to your SIEM using Windows Event Forwarding (WEF) for centralized analysis and correlation.

3. Deploying RPC Firewall for High-Fidelity Auditing and Blocking

For organizations requiring more granular control, the RPC Firewall (an open-source tool by James Forshaw) can be configured to audit or block specific RPC calls based on interface UUID, OpNum, or other properties.

Step-by-Step Guide to Deploy and Configure RPC Firewall:

  1. Download the `RpcFirewall.exe` binary and its configuration file from the official GitHub repository (JohnLaTwc/rpcfirewall).
  2. Place the binary in a secure directory on the target server (e.g., C:\Tools\RpcFirewall).
  3. Edit the configuration file (RpcFirewall.config) to define rules, for example a rule that logs remote registry access without blocking it.

  4. Install the RPC Firewall as a Windows service:

`RpcFirewall.exe --install`

  5. Start the service:

`sc start RpcFirewall`

  6. When configured to audit, RPC events are written to the Windows Event Log under Applications and Services Logs/RPCFW. Forward this log to your SIEM and use it to create baselines of remote RPC traffic for your servers.

4. Using ETW to Capture Low-Level RPC Telemetry

Event Tracing for Windows (ETW) provides the lowest-level access to RPC events. This is useful for custom detection engineering or when you need to validate Defender’s telemetry.

Step-by-Step Guide to Capture RPC ETW Events:

  1. Identify the `Microsoft-Windows-RPC` ETW provider GUID (e.g., {6ad52b32-d609-4be9-ae07-ce3d5caa6c3c}) or use the provider name.
  2. Use `logman` to start a real-time trace session capturing this provider:

`logman start RPCtrace -p Microsoft-Windows-RPC 0xffffffffffffffff 0xff -ets`

  3. Reproduce the RPC activity you wish to monitor.
  4. Stop the trace and save it to an `.etl` file:

`logman stop RPCtrace -ets`

  5. Convert the `.etl` file to a human-readable format using tracerpt:

`tracerpt RPCtrace.etl -o rpc_events.csv`

  6. For real-time monitoring on a single system, use the `wtrace` command-line tool:

`wtrace -p Microsoft-Windows-RPC -f rpc_output.txt`

5. Investigating RPC Lateral Movement with MITRE ATT&CK Mapping

Adversaries abuse RPC for lateral movement (T1021), credential theft (T1003), privilege escalation, and discovery. Microsoft’s new telemetry directly maps to these techniques, enabling defenders to detect specific malicious operations.

Step-by-Step Guide to Detect and Respond to RPC-Based Lateral Movement:

  1. In Microsoft Defender’s Advanced Hunting, query for inbound RPC calls from unexpected source IP addresses, especially during off-hours (here `known_admin_subnets` is a `let` variable holding your management CIDR ranges as a dynamic array):
     `DeviceEvents | where ActionType == "InboundRemoteRpcCall" | where not(ipv4_is_in_any_range(RemoteIP, known_admin_subnets))`
  2. Correlate RPC calls with process creation events (Event ID 4688) to identify suspicious parent-child relationships, such as `services.exe` spawning a child process (e.g., `cmd.exe` or `powershell.exe`).
  3. Use the MSRPC to ATT&CK mapping project (GitHub: jsecurity101/MSRPC-to-ATTACK) to understand which RPC interfaces and operations correspond to specific techniques. For example, the Service Control Manager Remote Protocol (UUID: 367abb81) is commonly used for lateral movement.
  4. When an alert fires, isolate the affected host using Microsoft Defender for Endpoint’s live response feature:

`DeviceIsolate` from the Microsoft 365 Defender API.

  5. Perform an offline investigation: capture memory, collect RPC logs, and analyze the attack chain using timeline analysis.

6. Hardening Windows Against RPC Abuse

Prevention is always better than detection. Hardening RPC configurations significantly reduces the attack surface.

Step-by-Step Guide to Harden RPC Configurations:

  1. Use Group Policy to restrict anonymous RPC access: Navigate to `Computer Configuration → Administrative Templates → System → Remote Procedure Call` and set Restrict Unauthenticated RPC clients to “Authenticated.”
  2. Restrict RPC endpoints using Windows Firewall: Create inbound firewall rules to allow RPC only from trusted management subnets. RPC uses ports 135 (endpoint mapper) and dynamically allocated high ports (49152-65535).
  3. Disable unnecessary RPC interfaces if not required for business operations. For example, the Remote Registry service can be disabled entirely: `sc config RemoteRegistry start= disabled`
  4. For Microsoft Defender for Identity users, apply the Unified Sensor RPC Audit tag to domain controllers onboarded with the v3.x sensor. This enables WFP-based RPC monitoring for advanced identity detections.
  5. Regularly review RPC configuration health alerts: Microsoft Defender for Identity will roll out a new RPC Configuration Health Alert starting early 2026 to monitor RPC settings and improve detection accuracy.

7. Practical Validation: Simulating RPC Attacks in a Lab

To test your detections, you must simulate malicious RPC activity in a safe, isolated lab environment.

Step-by-Step Guide to Simulate RPC Attacks:

  1. Set up two Windows lab VMs: one as a “compromised” attacker machine and one as a target server.
  2. On the attacker machine, install Impacket, a collection of Python tools for RPC abuse:

`pip install impacket`

  3. Use `impacket-services` to remotely create a service on the target server:
     `impacket-services -action start -name testservice -path "cmd.exe /c calc.exe" -remote-ip TARGET_IP -username DOMAIN\user -password pass`
  4. Use `impacket-secretsdump` to extract credentials via the Remote Registry interface:

`impacket-secretsdump DOMAIN/user:pass@TARGET_IP`

  5. Observe the generated telemetry in Microsoft Defender’s Advanced Hunting using the `InboundRemoteRpcCall` action type. Validate that OpNums for service creation (12, 24, 44, 45, 60) and registry key save (20, 31) are present.
  6. Tune your detection rules based on the observed telemetry to reduce false positives and improve alert fidelity.
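The following script is an added example, not code from the article, from Microsoft, or from any project named above. It implements the hunts from sections 1 and 5 (the Remote Registry and Service Control Manager UUID/OpNum pairs, a source outside the known admin subnets, and off-hours timing) and the lab validation check from section 7 (which expected UUID/OpNum pairs never appeared) over constructed records shaped like `DeviceEvents` rows. The `InterfaceUuid` and `OpNum` column names are assumptions about how the RPC details are exposed (real telemetry may nest them in `AdditionalFields`), the admin subnet allowlist and business-hours window are constructed values, and the sample rows carry the full MS-SCMR interface UUID, of which the article quotes only the first block.

```python
"""Hunting and lab-validation logic for Defender's InboundRemoteRpcCall telemetry.

Added example: not the article's code and not Microsoft's. The events below
are constructed to resemble DeviceEvents rows; the InterfaceUuid and OpNum
column names are assumptions (real telemetry may nest them in AdditionalFields).
"""
import ipaddress
from datetime import datetime, time

# Interface UUIDs and OpNums as the article lists them.
WINREG_UUID = "338cd001-2244-31f1-aaaa-900038001003"  # Remote Registry (MS-RRP)
SCMR_UUID_PREFIX = "367abb81"                         # Service Control Manager (MS-SCMR)

# (interface UUID or prefix, OpNum) -> (what the call does, ATT&CK technique)
SUSPICIOUS_OPS = {
    **{(WINREG_UUID, op): ("remote registry key save", "T1003") for op in (20, 31)},
    **{(SCMR_UUID_PREFIX, op): ("remote service creation", "T1021")
       for op in (12, 24, 44, 45, 60)},
}

# Constructed context: management subnets and a business-hours window.
KNOWN_ADMIN_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def match_operation(interface_uuid, opnum):
    """Return (description, technique) when the UUID/OpNum pair is on the hunt list."""
    uuid = interface_uuid.lower()
    for (prefix, op), hit in SUSPICIOUS_OPS.items():
        if op == opnum and uuid.startswith(prefix):
            return hit
    return None


def classify(event):
    """Score one DeviceEvents row; returns a finding dict or None.

    The UUID/OpNum match is the primary signal; a source outside the admin
    subnets and an off-hours timestamp each add one point of context.
    """
    if event.get("ActionType") != "InboundRemoteRpcCall":
        return None
    hit = match_operation(event["InterfaceUuid"], event["OpNum"])
    if hit is None:
        return None
    description, technique = hit
    src = ipaddress.ip_address(event["RemoteIP"])
    when = datetime.fromisoformat(event["Timestamp"])
    reasons, score = [description], 1
    if not any(src in net for net in KNOWN_ADMIN_SUBNETS):
        reasons.append("source outside known admin subnets")
        score += 1
    if not BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]:
        reasons.append("off-hours")
        score += 1
    return {"device": event["DeviceName"], "remote_ip": event["RemoteIP"],
            "technique": technique, "score": score, "reasons": reasons}


def hunt(events):
    """Classify a batch and return findings, highest score first."""
    findings = [f for f in map(classify, events) if f is not None]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def validate_coverage(events):
    """Lab check: which expected (interface, OpNum) pairs never showed up."""
    seen = set()
    for event in events:
        if event.get("ActionType") != "InboundRemoteRpcCall":
            continue
        for prefix, op in SUSPICIOUS_OPS:
            if event["OpNum"] == op and event["InterfaceUuid"].lower().startswith(prefix):
                seen.add((prefix, op))
    return sorted(set(SUSPICIOUS_OPS) - seen)


# Constructed sample rows (not real telemetry). The SCMR rows carry the full
# MS-SCMR interface UUID; the article quotes only its first block.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-06-03T02:14:00", "DeviceName": "srv-files01",
     "ActionType": "InboundRemoteRpcCall", "RemoteIP": "192.168.50.77",
     "InterfaceUuid": WINREG_UUID, "OpNum": 20},
    {"Timestamp": "2025-06-03T10:05:00", "DeviceName": "srv-app02",
     "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.10.0.15",
     "InterfaceUuid": "367abb81-9844-35f1-ad32-98f038001003", "OpNum": 12},
    {"Timestamp": "2025-06-03T11:00:00", "DeviceName": "srv-app02",
     "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.10.0.15",
     "InterfaceUuid": "367abb81-9844-35f1-ad32-98f038001003", "OpNum": 16},
    {"Timestamp": "2025-06-03T23:30:00", "DeviceName": "srv-app02",
     "ActionType": "InboundRemoteRpcCall", "RemoteIP": "10.10.0.15",
     "InterfaceUuid": WINREG_UUID.upper(), "OpNum": 31},
    {"Timestamp": "2025-06-03T11:01:00", "DeviceName": "srv-app02",
     "ActionType": "ProcessCreated", "RemoteIP": "10.10.0.15",
     "InterfaceUuid": "", "OpNum": 0},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print("not yet observed:", validate_coverage(SAMPLE_EVENTS))
```

Run stand-alone, the script prints the three findings (the off-hours registry save from an unknown subnet scores highest) and lists the four service-creation OpNums the constructed lab run never exercised, which is exactly the gap a validation pass in section 7 should surface before the rules are trusted.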

What Undercode Says:

  • Key Takeaway 1: The game-changing aspect of this new telemetry is its server-side, EDR-bypass-resistant nature. By generating data directly at the Windows Filtering Platform (WFP) level, defenders now have visibility into malicious RPC activity that attackers cannot simply kill or evade by terminating the EDR agent.
  • Key Takeaway 2: The shift from interface-level to operation-number (OpNum) granularity transforms RPC detection from vague indications to precise, actionable alerts. Security teams can now distinguish between a benign administrative task and a malicious credential dumping attempt with far higher confidence.

Analysis: Microsoft’s server-side RPC monitoring fundamentally alters the detection landscape for Windows-based attacks. Historically, RPC was a “blind spot” for many EDRs because RPC traffic often moves over encrypted channels (like SMB3), evading traditional network monitoring. By hooking into the kernel-level Windows Filtering Platform, Defender gains access to the raw RPC calls before they are encrypted or transmitted, providing unparalleled visibility. However, security teams must act: this feature is currently in gradual rollout for servers, so it is critical to verify that your Defender for Endpoint configuration includes RPC monitoring and that you have enabled Advanced Hunting queries. The combination of Microsoft’s native telemetry, the open-source RPC Firewall for granular control, and the MITRE mapping provided by projects like MSRPC to ATT&CK gives defenders a multi-layered approach to finally tame one of Windows’ most abused protocols.

Prediction:

  • +1 Expect a surge in open-source detection rules and Sigma rules targeting specific RPC OpNums, enabling the broader security community to build custom alerts for even the most obscure attack techniques.
  • -1 Adversaries will quickly adapt by shifting to living-off-the-land techniques that still abuse RPC but attempt to mimic legitimate admin traffic patterns, increasing the need for advanced behavioral analytics and user baselining.
  • +1 Cloud-focused attackers may move to hybrid environments, but the same WFP-based telemetry will likely be extended to cloud workloads, providing consistent visibility across on-premises and cloud assets.
  • -1 Organizations that fail to enable or validate server-side RPC monitoring will remain blind to one of the most common lateral movement vectors, leaving themselves vulnerable to ransomware and nation-state intrusions.
  • +1 Microsoft will likely integrate this RPC telemetry into broader Microsoft Sentinel and Defender XDR analytics, enabling automated response playbooks that can isolate compromised hosts the moment a suspicious RPC call is detected.

Reported By: Mehmetergene This – Hackers Feeds