Deepening Endpoint Visibility: Microsoft Defender’s New RPC Function-Level Monitoring

Microsoft has announced a significant evolution in its threat detection capabilities within Microsoft Defender for Endpoint. By shifting from high-level interface monitoring to granular, function-specific inspection, the platform can now better detect and disrupt cyberattacks that weaponize the Remote Procedure Call (RPC) protocol—a fundamental Windows mechanism frequently exploited by sophisticated actors for lateral movement and credential harvesting.

Announced on June 8, 2026, this update moves beyond observing that an RPC connection occurred; it provides security analysts with the technical depth required to see exactly what an attacker is attempting to do once they have established a communication channel.

The Strategic Importance of RPC in Windows Environments

RPC serves as the backbone for communication between processes, both locally and across networked systems. Because it is deeply embedded in the fabric of Windows, it is indispensable for essential services such as the Service Control Manager, Remote Registry, Task Scheduler, and Windows Management Instrumentation (WMI).

This ubiquity is precisely what makes it a high-value target. Threat actors often hide their activities within these legitimate channels to bypass traditional security perimeters. Common attack vectors relying on RPC include:

  • Lateral Movement: Utilizing remote service creation to execute code on distant hosts.
  • Credential Access: Leveraging Remote Registry access or DCSync-based methods to dump sensitive secrets.
  • Authentication Coercion: Manipulating RPC interfaces to force authentication and capture NTLM hashes.

Technical Breakthrough: OpNum-Level Inspection via WFP

To bridge the visibility gap, Microsoft has enhanced Defender’s integration with the Windows Filtering Platform (WFP). The core of this advancement lies in the ability to perform OpNum (Operation Number) level inspection. In the world of RPC, an interface defines a set of capabilities, but the OpNum identifies the specific function—the “verb”—being executed within that interface.

By inspecting the OpNum, Defender can distinguish between a benign administrative query and a malicious command. For instance, while an attacker and an administrator might both use the same RPC interface, the administrator might perform a “read” operation while the attacker invokes a “create” or “delete” function. This granularity significantly reduces false positives and increases detection fidelity.

[Figure: Microsoft Defender now monitors specific RPC activity via WFP (Source: Microsoft)]

A key architectural advantage of this approach is its efficiency. Unlike network-based inspection, which struggles with encrypted traffic (such as SMB3) and can introduce latency, Defender’s telemetry is collected directly on the endpoint using audit-only WFP filters. This ensures that security monitoring remains lightweight and does not interfere with critical system performance. It is important to note that this capability specifically targets remote inbound RPC calls, leaving local inter-process communication and outbound requests unaffected to maintain a focused security posture.

Advanced Hunting and Automated Response

According to Microsoft’s technical documentation, the platform dynamically monitors selected RPC operations across the most commonly abused interfaces. While the feature is currently generally available for workstations, the rollout for server environments is underway.

Security Operations Centers (SOCs) can access this rich telemetry through the Advanced Hunting interface. This allows threat hunters to write complex Kusto Query Language (KQL) queries to correlate RPC calls with broader attack patterns. Specific examples of actionable intelligence include:

  • Credential Dumping: Monitoring the BaseRegSaveKey operation within the Remote Registry interface.
  • Lateral Movement: Identifying unauthorized service creation by tracking operations such as RCreateServiceW in the Service Control Manager interface.
  • Reconnaissance: Analyzing session enumeration calls via the srvsvc interface to detect attackers mapping out user sessions.
  • Tool Detection: Automated disruption of “hands-on-keyboard” activity from frameworks like Impacket.
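As an added example (not Microsoft's code and not the Advanced Hunting schema), the (interface, OpNum) lookup described above, run over constructed sample telemetry: the same Remote Registry interface carries both a benign read and the hive save the hunting list flags, and local calls are excluded as the article's scoping note requires. The interface UUIDs and OpNums are taken from Microsoft's published protocol specifications (MS-RRP, MS-SCMR, MS-SRVS), not from the article; the RpcEvent record layout is an assumption.

```python
# Added example (not Microsoft's code): classify RPC telemetry by (interface UUID, OpNum).
# UUIDs and OpNums come from Microsoft's open protocol specs (MS-RRP, MS-SCMR, MS-SRVS);
# the RpcEvent layout is a constructed stand-in for whatever schema Defender exposes.
from dataclasses import dataclass

WINREG = "338cd001-2244-31f1-aaaa-900038001003"   # MS-RRP, Remote Registry
SVCCTL = "367abb81-9844-35f1-ad32-98f038001003"   # MS-SCMR, Service Control Manager
SRVSVC = "4b324fc8-1670-01d3-1278-5a47bf6ee188"   # MS-SRVS, server service

# (interface, OpNum) -> (function, tactic the article ties to it, or None for a plain read).
OPNUM_TABLE = {
    (WINREG, 17): ("BaseRegQueryValue", None),               # read a value
    (WINREG, 20): ("BaseRegSaveKey", "Credential Dumping"),  # write a hive to disk
    (SVCCTL, 12): ("RCreateServiceW", "Lateral Movement"),   # create a service
    (SRVSVC, 12): ("NetrSessionEnum", "Reconnaissance"),     # enumerate logon sessions
}

@dataclass(frozen=True)
class RpcEvent:
    interface_uuid: str
    opnum: int
    client_ip: object    # remote caller's address, or None for local callers (ALPC / local pipe)
    target_host: str

def resolve_function(event):
    """Return (function, tactic) for an (interface, OpNum) pair; (None, None) if unknown."""
    return OPNUM_TABLE.get((event.interface_uuid.lower(), event.opnum), (None, None))

def triage(events):
    """Return (target_host, function, tactic, client_ip) for each flagged remote inbound call.
    Local calls are skipped (only remote inbound RPC is in scope); reads fall through."""
    hits = []
    for e in events:
        fn, tactic = resolve_function(e)
        if e.client_ip is not None and tactic is not None:
            hits.append((e.target_host, fn, tactic, e.client_ip))
    return hits

# Constructed sample telemetry, not real data. Mixed-case UUIDs exercise the normalisation.
SAMPLE_EVENTS = [
    RpcEvent("338CD001-2244-31F1-AAAA-900038001003", 17, "10.0.0.5", "ws01"),  # admin read
    RpcEvent("338CD001-2244-31F1-AAAA-900038001003", 20, "10.0.0.9", "ws01"),  # hive save
    RpcEvent(SVCCTL, 12, "10.0.0.9", "ws02"),   # remote service creation
    RpcEvent(SVCCTL, 12, None, "ws02"),         # local SCM call, out of scope
    RpcEvent(SRVSVC, 12, "10.0.0.9", "fs01"),   # session enumeration
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("%s: %s [%s] from %s" % hit)
```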

Conclusion

As attackers increasingly move away from loud, custom malware in favor of “living-off-the-land” (LotL) techniques, the ability to inspect native protocols becomes paramount. By providing visibility into the functional intent of RPC calls, Microsoft is closing a critical visibility gap, making it much harder for attackers to blend into the background noise of a healthy Windows environment. Organizations are encouraged to integrate these new telemetry streams into their existing incident response and threat-hunting workflows to bolster their overall defense-in-depth strategy.
