Microsoft has enhanced Defender’s detection capabilities to monitor abuse of the Remote Procedure Call (RPC) protocol, a communication mechanism frequently exploited by threat actors for lateral movement and privilege escalation. This update addresses a long-standing blind spot in Windows security monitoring, enabling organizations to detect malicious RPC activity that previously evaded traditional defenses. The enhancement is particularly significant given RPC’s deep integration into Windows infrastructure and its popularity among advanced persistent threat groups and ransomware operators.
Introduction
The Remote Procedure Call protocol has been a cornerstone of Windows networking for decades, enabling programs to execute procedures on remote systems as if they were local. However, this powerful functionality has made RPC an attractive target for adversaries seeking to move laterally within compromised networks while blending in with legitimate administrative traffic.
Microsoft’s latest enhancement to Defender addresses this security gap by implementing comprehensive RPC monitoring and behavioral analysis capabilities. This development represents a significant advancement in endpoint detection and response, particularly for organizations struggling to identify sophisticated attacks that leverage legitimate Windows protocols for malicious purposes.
The timing of this enhancement is critical, as recent threat intelligence reports indicate a substantial increase in RPC abuse across multiple threat actor categories, from ransomware groups to nation-state operators.
Background & Context
RPC is a fundamental Windows protocol that enables inter-process communication between clients and servers across network boundaries. The protocol supports numerous Windows services, including file sharing, domain authentication, and administrative tasks. This ubiquity makes RPC traffic extremely common in enterprise environments, creating significant challenges for security teams attempting to distinguish malicious activity from legitimate operations.
Historically, attackers have exploited RPC in several ways. The protocol can be leveraged for remote code execution through vulnerable interfaces, used as a conduit for lateral movement via legitimate Windows services, and abused for reconnaissance by enumerating available services on target systems. Notable examples include the use of RPC in WMI-based attacks, DCOM exploitation, and the abuse of Task Scheduler for remote execution.
Previous security solutions struggled with RPC monitoring because the protocol’s legitimate use patterns vary significantly across organizations, making baseline establishment difficult. Additionally, the encrypted nature of some RPC communications and the protocol’s deep kernel-level integration complicated inspection efforts.
Microsoft’s internal telemetry revealed that RPC-based attack techniques appeared in over 60% of advanced intrusions detected in enterprise environments during 2024, underscoring the urgency of this detection capability enhancement.
Technical Breakdown
Microsoft Defender’s new RPC monitoring capability operates through multiple detection layers integrated into the security stack. The enhancement leverages kernel-level instrumentation to intercept and analyze RPC calls before they reach their destination, examining both the metadata and behavioral context of each request.
The monitoring system tracks several key indicators of suspicious RPC activity:
Endpoint Mapper Queries: Excessive enumeration attempts against the RPC Endpoint Mapper service (port 135), which attackers use to discover available RPC interfaces on target systems.
Unusual RPC Interface Access: Connections to rarely-used or security-sensitive RPC interfaces, particularly those associated with service management, scheduled tasks, or Windows Management Instrumentation.
Authentication Anomalies: RPC requests using unexpected credentials, particularly when service accounts or administrative identities are used from unusual source systems.
Behavioral Sequencing: Patterns of RPC calls that match known attack techniques, such as the specific sequence used by PsExec, WMI-based lateral movement, or remote service creation.
The detection engine correlates RPC activity with other endpoint telemetry, including process creation events, network connections, and authentication logs. This correlation enables the system to differentiate between legitimate administrative actions and malicious abuse patterns.
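The indicator logic described above, re-implemented as a small added example (not Microsoft's code) over constructed sample events: Endpoint Mapper fan-out from one process, the remote-WMI-launch-then-TCP-135 sequence, and severity raised to critical only when both indicators align on the same host. Field names, thresholds and time windows are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Defender output); field names mirror the
# DeviceNetworkEvents / DeviceProcessEvents columns used in the hunting queries.
NET_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "pid": 4100, "proc": "wmic.exe", "rip": f"10.0.0.{i}", "rport": 135}
    for i in range(1, 13)
] + [
    {"ts": "2024-05-01T10:05:00", "host": "WS02", "pid": 800, "proc": "svchost.exe", "rip": "10.0.0.5", "rport": 135},
]
PROC_EVENTS = [
    {"ts": "2024-05-01T09:59:50", "host": "WS01", "pid": 4100, "cmd": "wmic /node:10.0.0.7 process call create cmd.exe"},
    {"ts": "2024-05-01T10:04:00", "host": "WS02", "pid": 800, "cmd": "svchost.exe -k netsvcs"},
]

def _t(s): return datetime.fromisoformat(s)

def epmap_fanout(net_events, window=timedelta(minutes=5), min_targets=10):
    """Endpoint Mapper enumeration: one process reaching >= min_targets distinct TCP 135 endpoints in a sliding window."""
    by_src = defaultdict(list)
    for e in net_events:
        if e["rport"] == 135:
            by_src[(e["host"], e["proc"])].append((_t(e["ts"]), e["rip"]))
    hits = set()
    for (host, _proc), evs in by_src.items():
        evs.sort()  # chronological order so the window scan below only looks forward
        for i, (t0, _) in enumerate(evs):
            targets = {ip for t, ip in evs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits.add(host)
                break
    return hits

def wmi_lateral_sequence(proc_events, net_events, window=timedelta(seconds=60)):
    """Behavioral sequencing: a remote WMI launch (/node:) followed within `window` by TCP 135 from the same host and PID."""
    hits = set()
    for p in proc_events:
        if "/node:" not in p["cmd"].lower():
            continue
        for n in net_events:
            same_proc = (n["host"], n["pid"], n["rport"]) == (p["host"], p["pid"], 135)
            if same_proc and timedelta(0) <= _t(n["ts"]) - _t(p["ts"]) <= window:
                hits.add(p["host"])
                break
    return hits

def classify(net_events, proc_events):
    """Severity per host: critical only when independent indicators align, medium for a single indicator."""
    fan, seq = epmap_fanout(net_events), wmi_lateral_sequence(proc_events, net_events)
    return {h: "critical" if h in fan and h in seq else "medium" for h in fan | seq}
```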
Implementation occurs at the Windows Filtering Platform (WFP) layer, allowing inspection without significant performance overhead. The system maintains a reputation database of known-good RPC patterns learned through machine learning models trained on Microsoft’s global telemetry data.
Detection alerts are classified by severity based on the combination of indicators present, with critical-severity alerts generated when multiple high-confidence indicators align with active exploitation patterns observed in Microsoft’s threat intelligence feeds.
Impact & Risk Assessment
The introduction of RPC monitoring addresses several critical security gaps that have plagued Windows environments for years. Organizations gain visibility into a protocol layer previously exploited with minimal detection risk, significantly raising the cost and complexity of lateral movement operations for attackers.
The impact is particularly significant for detecting advanced persistent threats and ransomware operations. These threat actors routinely rely on RPC-based techniques to spread across networks after initial compromise. Early detection of RPC abuse can interrupt attack chains before encryption operations commence or sensitive data exfiltration occurs.
Organizations without this capability remain vulnerable to several high-impact scenarios:
Lateral Movement Campaigns: Attackers moving from initially compromised endpoints to critical infrastructure using WMI, DCOM, or Task Scheduler over RPC.
Privilege Escalation: Exploitation of vulnerable RPC interfaces to elevate permissions and gain system-level access.
Reconnaissance Operations: Systematic enumeration of network resources through RPC queries, mapping the environment for subsequent attacks.
The risk reduction is substantial but not absolute. Determined attackers may adapt by throttling RPC activity to avoid behavioral thresholds or by compromising systems with legitimate administrative credentials that bypass authentication anomaly detection. However, these adaptations increase operational complexity and create additional detection opportunities at other security layers.
Vendor Response
Microsoft has deployed this enhancement through regular Defender definition updates, making it available to all Microsoft Defender for Endpoint customers without requiring manual configuration or additional licensing. The feature is enabled by default, with automatic tuning based on organizational baselines.
The update includes integration with Microsoft 365 Defender’s broader XDR platform, enabling correlation of RPC-based detections with alerts from identity, email, and cloud application security products. This integration provides security operations teams with comprehensive attack timelines that span multiple attack vectors.
Microsoft has also updated its threat hunting capabilities in Advanced Hunting, adding new schema tables and query templates specifically designed for investigating RPC-based threats. These queries enable proactive threat hunting for indicators that may not reach automated alert thresholds.
Documentation and detection guidance have been published in Microsoft’s security resources portal, including example queries, investigation playbooks, and recommended response procedures for common RPC abuse scenarios.
Mitigations & Workarounds
Organizations should verify that Microsoft Defender for Endpoint is deployed across all Windows systems and that definition updates are current. The RPC monitoring capability requires Defender platform version 4.18.2107.4 or later.
To maximize protection effectiveness, implement these complementary controls:
Network Segmentation: Restrict RPC communications to only necessary paths using host-based firewalls or network access controls. Block TCP port 135 at network boundaries where cross-segment RPC is not required.
```powershell
# Block RPC Endpoint Mapper (TCP 135) except from the management network; the address ranges below are placeholders
New-NetFirewallRule -DisplayName "Allow RPC Mapper from Mgmt" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Allow -RemoteAddress "10.0.100.0/24"
# Windows Firewall gives block rules precedence over allow rules, so the block must be scoped to the non-management ranges rather than to Any
New-NetFirewallRule -DisplayName "Block RPC Mapper" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block -RemoteAddress "10.0.0.0-10.0.99.255","10.0.101.0-10.255.255.255"
```
RPC Interface Restrictions: Disable unnecessary RPC interfaces on endpoints using registry modifications or group policy settings.
```powershell
# Disable the Remote Registry service, an RPC interface that is rarely needed on endpoints
Set-Service -Name RemoteRegistry -StartupType Disabled
Stop-Service -Name RemoteRegistry
```
Authentication Hardening: Implement RPC authentication level requirements to enforce packet privacy and integrity.
```powershell
# Require RPC clients to authenticate to the Endpoint Mapper (EnableAuthEpResolution policy)
$RpcPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc"
New-Item -Path $RpcPolicy -Force | Out-Null   # create the policy key if it does not exist yet
Set-ItemProperty -Path $RpcPolicy -Name "EnableAuthEpResolution" -Value 1 -Type DWord
```
Detection & Monitoring
Security operations teams should establish monitoring procedures for RPC-related alerts generated by Defender. Configure alert routing to ensure security analysts review high-severity RPC detections within defined response time objectives.
Key detection queries for Microsoft 365 Defender Advanced Hunting:
```kusto
// Detect unusual RPC interface access: fan-out to the Endpoint Mapper or dynamic RPC ports, per process and hour
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemotePort == 135 or RemotePort >= 49152
| where ActionType == "ConnectionSuccess"
| summarize ConnectionCount=count(), TargetCount=dcount(RemoteIP) by DeviceId, DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)
| where ConnectionCount > 50 or TargetCount > 10
```
```kusto
// Identify RPC-based lateral movement: a remote wmic/schtasks/at launch followed by a TCP 135 connection from that same process
DeviceProcessEvents
| where Timestamp > ago(1d) and ProcessCommandLine has_any ("wmic", "schtasks", "at.exe")
| where ProcessCommandLine has "/node:" or ProcessCommandLine contains @"\\"
| project DeviceId, DeviceName, AccountName, ProcessId, ProcessCommandLine, LaunchTime=Timestamp
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1d) and RemotePort == 135
    | project DeviceId, InitiatingProcessId, RemoteIP, ConnectTime=Timestamp
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| where ConnectTime between (LaunchTime .. (LaunchTime + 5m))
| project LaunchTime, DeviceName, AccountName, ProcessCommandLine, RemoteIP
```
Establish baseline RPC activity patterns during normal business operations to tune detection thresholds and reduce false positives. Monitor trends in RPC-related alerts to identify emerging attack techniques before they achieve widespread adoption.
Best Practices
Organizations should adopt a layered approach to RPC security that extends beyond detection capabilities:
Principle of Least Privilege: Restrict administrative credentials that could be used for RPC-based lateral movement. Implement tiered administrative models where privileged accounts cannot access standard user endpoints.
Application Whitelisting: Deploy application control policies that prevent unauthorized tools from initiating RPC connections, particularly utilities like PsExec or custom RPC clients.
Regular Auditing: Periodically review RPC firewall rules, interface configurations, and authentication settings to ensure they align with current security policies.
Incident Response Planning: Develop specific playbooks for responding to RPC abuse detections, including procedures for isolating affected systems, credential rotation, and forensic evidence collection.
Threat Intelligence Integration: Correlate internal RPC detections with external threat intelligence feeds to identify connections to known threat actor techniques or active campaigns.
Security Awareness: Train system administrators on secure RPC usage patterns and the security implications of enabling RPC access across network segments.
Key Takeaways
- Microsoft Defender now provides comprehensive monitoring of RPC protocol abuse, addressing a significant blind spot in Windows security
- RPC monitoring detects lateral movement, privilege escalation, and reconnaissance activities that previously evaded detection
- The capability is available to all Microsoft Defender for Endpoint customers through automatic updates
- Organizations should combine RPC monitoring with network segmentation, authentication hardening, and principle of least privilege
- Advanced hunting queries enable proactive threat hunting for RPC-based attack patterns
- This enhancement significantly raises the bar for attackers relying on RPC-based techniques in their operations
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.