4816 RPC detected an integrity violation while decrypting an incoming message
Written when RPC detects an integrity violation while decrypting an incoming message. It can be a sign of communication tampering or of an attack targeting RPC.
Overview
This event belongs to the Audit System Integrity subcategory and is only written when that subcategory is enabled in the audit policy. It is generated when RPC (Remote Procedure Call, the mechanism Windows uses to invoke a function in another process or on another machine) detects an integrity violation, that is, evidence of tampering, while decrypting an encrypted incoming message. The original documentation gives no example event.
How it is triggered
- An encrypted (privacy-level) RPC message fails its integrity check during decryption: either the packet was modified in transit, or the two endpoints disagree on the security context or keys used to protect it.
Security review points
- It can indicate tampering on the channel (for example a man-in-the-middle attack) or a forged message injected as part of an attack abusing RPC. Identify the source (the peer that sent the message) and the target service on the receiving host, and check whether either is unexpected.
- A single, isolated occurrence is often a network fault or an implementation mismatch between the two RPC endpoints. If it recurs, especially from the same peer or against the same service, investigate on the assumption that it may be an attack.
Notes for log review
- It is normally rare, so any occurrence deserves attention. Start from the RPC endpoints and the source involved, and correlate with other events on the same host around the same time.
- Distinguish a network-device or driver fault from an attack: a fault tends to affect traffic broadly and intermittently, whereas an attack tends to concentrate on a specific peer, service or time window.
Key fields
Microsoft's documentation does not detail event-specific fields for 4816. Record the host, the time of occurrence and any RPC-related detail present in the raw event, and correlate with the endpoint and peer information available from the receiving service.
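A triage script for the review points above, added here as an example rather than taken from the original documentation. It assumes an elevated PowerShell session on the host under review; the look-back window, the per-hour threshold and the verdict wording are the script's own choices, and because no event-specific fields are documented for 4816 it relies only on the event envelope (time, host, record ID) and the raw XML.

```powershell
# Added example (not from the original page): confirm the audit subcategory is on,
# pull Event ID 4816 from the Security log, and flag recurrence so a sporadic event
# can be separated from a burst that warrants attack-focused investigation.
# Run in an elevated session; reading the Security log requires administrator rights.
# $Days and $Threshold are this script's own assumptions, not documented values.
param(
    [int]$Days = 7,       # look-back window
    [int]$Threshold = 3   # events per host per hour at or above which we call it recurring
)

# 1. 4816 is never written unless "System Integrity" auditing is enabled.
#    auditpol prints "Success and Failure", "Success", "Failure" or "No Auditing" (English locale).
$policy = (auditpol /get /subcategory:"System Integrity" 2>&1) -join "`n"
if ($policy -notmatch 'Success|Failure') {
    Write-Warning 'Audit System Integrity appears disabled, so 4816 would not be logged. Enable it with: auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable'
}

# 2. Collect 4816 events with a server-side filter (faster than Where-Object on the whole log).
#    Get-WinEvent raises an error when nothing matches; suppress it and treat as "no events".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4816
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 4816 events in the last $Days day(s)."
    return
}

# 3. Bucket by host and hour using envelope data only, since no event-specific fields
#    are documented for 4816. A bucket at or above $Threshold is treated as recurring.
$buckets = $events | Group-Object -Property {
    '{0}|{1:yyyy-MM-dd HH}:00' -f $_.MachineName, $_.TimeCreated
}

foreach ($b in ($buckets | Sort-Object Name)) {
    $verdict = if ($b.Count -ge $Threshold) {
        'RECURRING: investigate as possible tampering or RPC attack'
    } else {
        'sporadic: rule out a network/driver fault or endpoint mismatch first'
    }
    '{0,-40} {1,3} event(s)  {2}' -f $b.Name, $b.Count, $verdict
}

# 4. Dump each event's raw XML so the analyst can look for any peer or endpoint detail
#    the provider included, and correlate RecordId/time with neighbouring events.
$events | Sort-Object TimeCreated | ForEach-Object {
    "`n--- RecordId $($_.RecordId) on $($_.MachineName) at $($_.TimeCreated) ---"
    $_.ToXml()
}
```

Save as, for example, Get-Rpc4816.ps1 and run it with -Days and -Threshold tuned to the host's normal traffic; the threshold only separates a one-off from a cluster, and the final XML dump is what you correlate against the receiving service's own logs to identify the peer.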
Glossary
- RPC (Remote Procedure Call) — a mechanism for invoking functions of another process or machine as if local functions. It underlies much of Windows’ inter-service communication.