5712 A Remote Procedure Call (RPC) was attempted
Written when a Remote Procedure Call (RPC) is attempted. It captures service invocations over RPC.
Overview
The subcategory is Audit RPC Events. The event is generated when an RPC call is attempted. RPC (Remote Procedure Call) is a mechanism for invoking functions between processes or machines, and much remote management and inter-service communication relies on it.
How it is triggered
- When an app or service invokes a remote/local function over RPC.
Security review points
- RPC can be abused as a path for remote operations (service control, Task Scheduler, WMI, etc.) and lateral movement. Note unexpected RPC callers and destinations.
- High-volume or broad RPC can indicate remote enumeration or lateral-movement reconnaissance. Evaluate it together with the process and source.
Notes for log review
- RPC occurs in volume during normal operation. Collecting every event at all times is impractical; narrow monitoring to specific interfaces or sources.
- Review this event together with 4816 (RPC integrity violation) to watch for anomalies around RPC.
Key fields
| Field | Meaning |
|---|---|
| Interface information | The invoked RPC interface |
| Source/process | The caller |
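
The review approach described above (narrow to chosen interfaces, flag unexpected callers, flag sources that reach many destinations) can be sketched as follows. This is an added example, not part of the original reference: the record field names, interface labels, host names and thresholds are all assumptions constructed for illustration and do not reflect the event's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: watched interfaces mapped to the callers expected to use them.
# Interface labels and host names are placeholders, not real identifiers.
WATCHED = {
    "svcctl-placeholder": {"MGMT01"},
    "taskschd-placeholder": {"MGMT01"},
}
WINDOW = timedelta(minutes=5)
BREADTH_LIMIT = 3  # distinct destinations per source inside WINDOW

def triage(events):
    """Return (unexpected, broad) for events on watched interfaces only."""
    unexpected, broad = [], set()
    recent = defaultdict(list)  # source -> [(time, destination)]
    for ev in sorted(events, key=lambda e: e["time"]):
        allowed = WATCHED.get(ev["interface"])
        if allowed is None:
            continue  # unwatched interface: dropped to keep volume manageable
        if ev["source"] not in allowed:
            unexpected.append(ev)
        # Keep only this source's calls that fall inside the sliding window.
        window = [(t, d) for t, d in recent[ev["source"]] if ev["time"] - t <= WINDOW]
        window.append((ev["time"], ev["destination"]))
        recent[ev["source"]] = window
        if len({d for _, d in window}) >= BREADTH_LIMIT:
            broad.add(ev["source"])
    return unexpected, sorted(broad)

def _ev(hhmm, source, destination, interface):
    # Field names here are assumed for the example, not the event's real schema.
    t = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return {"time": t, "source": source, "destination": destination, "interface": interface}

# Constructed sample records.
SAMPLE = [
    _ev("09:00", "MGMT01", "SRV01", "svcctl-placeholder"),
    _ev("09:01", "WKS07", "SRV01", "svcctl-placeholder"),
    _ev("09:02", "WKS07", "SRV02", "taskschd-placeholder"),
    _ev("09:03", "WKS07", "SRV03", "svcctl-placeholder"),
    _ev("09:03", "WKS09", "SRV01", "other-placeholder"),
    _ev("09:30", "MGMT01", "SRV02", "svcctl-placeholder"),
]

if __name__ == "__main__":
    unexpected, broad = triage(SAMPLE)
    for ev in unexpected:
        print("unexpected caller:", ev["source"], "->", ev["destination"], ev["interface"])
    print("broad sources:", broad)
```

An expected management host is still reported as broad if it fans out past the limit, so the two result lists should be read together with the process and source, as the review points say.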