RPCFW
3 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 1 | RPC Firewall protection added. | RPCFW |
| 2 | RPC Firewall protection removed. | RPCFW |
| 3 | An RPC server function was called. | RPCFW |
Event ID 1 — RPC Firewall protection added.
Fields
| Name | Description |
|---|---|
| Data_0 | Full image path of the RPC server process that was protected |
| Data_1 | Process ID (PID) of the protected process |
| Binary | — |
Example Event
```json
{
  "system": {
    "provider": "RPCFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-03-12T02:57:48.895060+00:00",
    "event_record_id": 101847,
    "correlation": {},
    "execution": {
      "process_id": 5912,
      "thread_id": 0
    },
    "channel": "RPCFW",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "C:\\Windows\\system32\\svchost.exe",
    "Data_1": "5912",
    "Binary": ""
  },
  "message": ""
}
```
Event ID 2 — RPC Firewall protection removed.
Fields
| Name | Description |
|---|---|
| Data_0 | Full image path of the RPC server process that was unprotected |
| Data_1 | Process ID (PID) of the unprotected process |
| Binary | — |
Example Event
```json
{
  "system": {
    "provider": "RPCFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-03-12T02:59:48.113235+00:00",
    "event_record_id": 101898,
    "correlation": {},
    "execution": {
      "process_id": 5912,
      "thread_id": 0
    },
    "channel": "RPCFW",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "C:\\Windows\\system32\\svchost.exe",
    "Data_1": "5912",
    "Binary": ""
  },
  "message": ""
}
```
Event ID 3 — An RPC server function was called.
Fields
| Name | Description |
|---|---|
| Data_0 | Name of the hooked RPCRT4 function that was called |
| Data_1 | Process ID (PID) of the RPC server process handling the call |
| Data_2 | Full image path of the RPC server process |
| Data_3 | RPC protocol sequence used by the client (e.g. ncacn_np, ncacn_ip_tcp) |
| Data_4 | RPC endpoint the server is listening on (e.g. \PIPE\wkssvc) |
| Data_5 | Client network address (IP, or hostname for named pipe connections) |
| Data_6 | RPC interface UUID identifying the service being called |
| Data_7 | RPC operation number (function ordinal within the interface) |
| Data_8 | Authenticated client principal name (UNKNOWN if no authentication) |
| Data_9 | RPC authentication level (e.g. NONE, CONNECT, PKT_PRIVACY) |
| Data_10 | RPC authentication service (e.g. KERBEROS, NEGOTIATE, WINNT) |
| Data_11 | Client source port number |
| Data_12 | Server network address (defaults to 0.0.0.0 if not determinable) |
| Data_13 | Server destination port number |
| Data_14 | Windows Security Identifier (SID) of the authenticated caller |
| Binary | — |
Example Event
```json
{
  "system": {
    "provider": "RPCFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-03-12T03:05:47.938130+00:00",
    "event_record_id": 102054,
    "correlation": {},
    "execution": {
      "process_id": 2640,
      "thread_id": 0
    },
    "channel": "RPCFW",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NdrStubCall2",
    "Data_1": "2640",
    "Data_2": "C:\\Windows\\System32\\svchost.exe",
    "Data_3": "ncacn_np",
    "Data_4": "\\\\PIPE\\\\wkssvc",
    "Data_5": "LAB-WIN11",
    "Data_6": "6bffd098-a112-3610-9833-46c3f87e345a",
    "Data_7": "3",
    "Data_8": "UNKNOWN",
    "Data_9": "UNKNOWN",
    "Data_10": "UNKNOWN",
    "Data_11": "0",
    "Data_12": "0.0.0.0",
    "Data_13": "0",
    "Data_14": "S-1-5-21-3407486967-1585450050-1838039599-1000",
    "Binary": ""
  },
  "message": ""
}
```
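As an added example (not part of this reference and not RPC Firewall's own code), a small Python triage routine that consumes events in the JSON shape shown above and keys each Event ID 3 call on its interface UUID and opnum, flagging calls with no authentication (Data_8/Data_9 UNKNOWN or NONE), calls arriving over ncacn_ip_tcp from a non-loopback client, and any Event ID 2 protection removal. The sample records are constructed: the first mirrors the page's Event ID 3 example, the other two are invented for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample records in the page's JSON shape, trimmed to the fields used here.
# Record 102054 mirrors the page's Event ID 3 example; 102055 and 102060 are invented.
SAMPLE_EVENTS = [
    {"system": {"event_id": 3, "event_record_id": 102054},
     "event_data": {"Data_1": "2640", "Data_3": "ncacn_np", "Data_4": "\\PIPE\\wkssvc",
                    "Data_5": "LAB-WIN11", "Data_6": "6bffd098-a112-3610-9833-46c3f87e345a",
                    "Data_7": "3", "Data_8": "UNKNOWN", "Data_9": "UNKNOWN", "Data_10": "UNKNOWN"}},
    {"system": {"event_id": 3, "event_record_id": 102055},
     "event_data": {"Data_1": "2640", "Data_3": "ncacn_ip_tcp", "Data_4": "49668",
                    "Data_5": "10.0.0.25", "Data_6": "6bffd098-a112-3610-9833-46c3f87e345a",
                    "Data_7": "3", "Data_8": "LAB\\alice", "Data_9": "PKT_PRIVACY",
                    "Data_10": "KERBEROS"}},
    {"system": {"event_id": 2, "event_record_id": 102060},
     "event_data": {"Data_0": "C:\\Windows\\system32\\svchost.exe", "Data_1": "5912"}},
]

def is_remote(addr: str) -> bool:
    """True for a non-loopback IP; a hostname (named-pipe client, per Data_5) is not treated as remote."""
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def describe_call(d: Dict[str, str]) -> str:
    """Interface UUID + opnum is the stable key for what was called; the rest is context."""
    return (f"{d['Data_6']}:op{d['Data_7']} via {d['Data_3']} {d['Data_4']} "
            f"from {d['Data_5']} as {d['Data_8']} ({d['Data_9']}/{d['Data_10']})")

def triage_rpcfw(events: List[Dict]) -> List[Dict[str, object]]:
    """Return one finding per condition that merits an analyst's attention, in input order."""
    findings = []
    for ev in events:
        eid, rid, d = ev["system"]["event_id"], ev["system"]["event_record_id"], ev["event_data"]
        if eid == 2:
            # Loss of RPC visibility on a server process should match a planned unload.
            findings.append({"record_id": rid, "rule": "protection_removed",
                             "detail": f"{d['Data_0']} pid {d['Data_1']}"})
        elif eid == 3:
            if d["Data_9"] in ("NONE", "UNKNOWN") or d["Data_8"] == "UNKNOWN":
                findings.append({"record_id": rid, "rule": "unauthenticated_rpc_call",
                                 "detail": describe_call(d)})
            if d["Data_3"] == "ncacn_ip_tcp" and is_remote(d["Data_5"]):
                findings.append({"record_id": rid, "rule": "remote_tcp_rpc_call",
                                 "detail": describe_call(d)})
    return findings
```

Feed it the `event_data` objects from a real RPCFW export and group findings by the interface UUID and opnum in `detail` to see which service functions are being reached without authentication or from remote hosts.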