Remote Encrypting File System Abuse

Sigma Rules

Summary
This detection rule identifies potential abuse of the Encrypting File System (EFS) over remote procedure calls (RPC). It monitors RPC calls that reach the EFS service through the Microsoft EFS Remote Protocol (MS-EFSR). The goal is to detect unauthorized attempts to trigger remote encryption operations, which can indicate lateral movement or exploitation by an attacker already inside the network. The RPC Firewall, deployed with the appropriate filter criteria, ensures that only calls matching those criteria are processed and logged, which makes it possible to single out suspicious RPC traffic of the kind used to exploit the vulnerabilities described in the referenced material, including CVE-2021-36942. The rule consumes the Windows event logs written by the RPC Firewall and filters on the interface UUIDs associated with EFS, raising an alert when abuse is suspected. Organizations are advised to improve their visibility into RPC usage across their environment so that detections of this kind are effective.
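The detection logic summarised above, run over constructed RPC Firewall-style event records, as an added Python example that is not part of the rule, the Sigma project or the RPC Firewall project. The record format, the field names (`EventLog`, `EventID`, `InterfaceUuid`, `OpNum`, `SourceAddress`, `Time`), the event ID and the sample addresses are assumptions made for the example; the two interface UUIDs are the MS-EFSR interface identifiers published in the protocol specification. The example goes slightly beyond the rule by normalising UUID case and braces, skipping malformed records, and supporting an allowlist of known EFS management hosts for tuning.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Interface UUIDs of the two MS-EFSR endpoints (protocol constants, not
# taken from the page): the lsarpc and efsrpc named-pipe bindings.
EFSR_INTERFACE_UUIDS = frozenset({
    "c681d488-d850-11d0-8c52-00c04fd90f7e",
    "df1941c5-fe89-4e79-bf10-463657acf44d",
})

# Assumed channel and event ID for "RPC call matched a firewall filter".
RPCFW_LOG = "RPCFW"
RPCFW_CALL_EVENT_ID = 3


@dataclass(frozen=True)
class RpcEvent:
    time: str
    event_log: str
    event_id: int
    interface_uuid: str
    opnum: int
    source_address: str


def parse_event(line: str) -> Optional[RpcEvent]:
    """Parse one 'key=value;key=value' record (constructed format).

    Returns None for malformed records so one bad line never stops the scan.
    """
    fields: Dict[str, str] = {}
    for part in line.strip().split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    try:
        return RpcEvent(
            time=fields["Time"],
            event_log=fields["EventLog"],
            event_id=int(fields["EventID"]),
            # Normalise "{DF19...}" and "df19..." to one canonical form.
            interface_uuid=fields["InterfaceUuid"].strip("{}").lower(),
            opnum=int(fields["OpNum"]),
            source_address=fields["SourceAddress"],
        )
    except (KeyError, ValueError):
        return None


def is_efsr_call(ev: RpcEvent) -> bool:
    """True when the record is an RPC Firewall call event on an EFSR interface."""
    return (ev.event_log == RPCFW_LOG
            and ev.event_id == RPCFW_CALL_EVENT_ID
            and ev.interface_uuid in EFSR_INTERFACE_UUIDS)


def detect(lines: Iterable[str],
           allowed_sources: frozenset = frozenset()) -> List[dict]:
    """Return one alert per EFSR call not coming from an allowlisted host."""
    alerts: List[dict] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_efsr_call(ev):
            continue
        if ev.source_address in allowed_sources:
            continue  # tuned out: a known EFS management host
        alerts.append({
            "time": ev.time,
            "source": ev.source_address,
            "interface": ev.interface_uuid,
            "opnum": ev.opnum,
            "title": "Remote Encrypting File System Abuse",
        })
    return alerts


# Constructed sample records; addresses and timestamps are made up.
SAMPLE_EVENTS = [
    # EFSR call via the efsrpc binding, braces and upper case in the UUID.
    "Time=2022-01-01T10:00:01;EventLog=RPCFW;EventID=3;"
    "InterfaceUuid={DF1941C5-FE89-4E79-BF10-463657ACF44D};OpNum=0;"
    "SourceAddress=10.0.0.25",
    # Endpoint-mapper interface: RPC Firewall event, but not EFSR.
    "Time=2022-01-01T10:00:02;EventLog=RPCFW;EventID=3;"
    "InterfaceUuid=e1af8308-5d1f-11c9-91a4-08002b14a0fa;OpNum=3;"
    "SourceAddress=10.0.0.25",
    # EFSR UUID but wrong channel: not an RPC Firewall observation.
    "Time=2022-01-01T10:00:03;EventLog=Security;EventID=3;"
    "InterfaceUuid=c681d488-d850-11d0-8c52-00c04fd90f7e;OpNum=0;"
    "SourceAddress=10.0.0.25",
    # EFSR call from a host an analyst has chosen to allowlist.
    "Time=2022-01-01T10:00:04;EventLog=RPCFW;EventID=3;"
    "InterfaceUuid=c681d488-d850-11d0-8c52-00c04fd90f7e;OpNum=4;"
    "SourceAddress=10.0.0.5",
    # Truncated record: must be skipped, not crash the scan.
    "Time=2022-01-01T10:00:05;EventLog=RPCFW;EventID=3",
    # Second EFSR call via the lsarpc binding.
    "Time=2022-01-01T10:00:06;EventLog=RPCFW;EventID=3;"
    "InterfaceUuid=c681d488-d850-11d0-8c52-00c04fd90f7e;OpNum=4;"
    "SourceAddress=10.0.0.25",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowed_sources=frozenset({"10.0.0.5"})):
        print(alert)
```

Without the allowlist the scan raises three alerts (records 1, 4 and 6); with `10.0.0.5` allowlisted it raises two, both from `10.0.0.25`. Keeping the UUID match on the normalised form matters because different collectors render the same interface identifier with or without braces and in either case.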
Categories
  • Windows
  • Network
  • Application
Data Sources
  • Application Log
  • Process
Created: 2022-01-01