Microsoft Defender now audits inbound remote RPC calls at OpNum-level granularity through a Windows Filtering Platform integration, surfacing telemetry in Advanced Hunting and feeding detections like Impacket-style hands-on-keyboard, suspicious remote service creation, LSA secrets theft, RPC user / session discovery, and authentication coercion — with sample KQL queries for Remote Registry abuse, remote service creation, and NetrSessionEnum-based session discovery. core-jmp.org/2026/06/microso… #ActiveDirectory #AdvancedHunting #AuthenticationCoercion #DCSync #DefenderXDR #Impacket #KQL #LateralMovement #MicrosoftDefender #MicrosoftDefenderforEndpoint #MSRPC #NTLMCoercion #RemoteRegistry #RPC #secretsdump #ServiceControlManager #SharpHound #WFP