
PhantomRPC: A new privilege escalation technique in Windows RPC

A novel, unpatched local privilege escalation technique dubbed PhantomRPC exploits an architectural weakness in Windows RPC. By deploying a malicious RPC server that mimics unavailable legitimate services, an attacker with SeImpersonatePrivilege can intercept high-privileged RPC calls and elevate to SYSTEM or Administrator.

Confidence: high · Analyzed: 2026-05-05 · Google

Authors: Haidar Kabibo

Source:Kaspersky

IOCs (1)
  • filename: \\PIPE\\W32TIME | Nonexistent named pipe endpoint targeted by w32tm.exe, which can be spoofed by an attacker.

Detection / Hunter · Google

What Happened

A new security flaw called PhantomRPC has been discovered in the way Windows handles internal communications. All modern Windows systems are likely affected by this issue. This flaw allows an attacker who already has limited access to a system to trick Windows into granting them full administrative control. Because this is a fundamental design issue, Microsoft has not yet released a patch for it. To protect against this, organizations should monitor their systems for unusual internal communication errors and ensure unnecessary services are not granted impersonation rights.

Key Takeaways

  • A novel, unpatched local privilege escalation (LPE) technique named PhantomRPC exploits an architectural weakness in Windows RPC.
  • Attackers with SeImpersonatePrivilege can deploy malicious RPC servers mimicking unavailable legitimate services to steal SYSTEM or Administrator tokens.
  • Five distinct attack paths were identified, involving services like TermService, DHCP Client, and W32Time, triggered by actions like gpupdate, msedge.exe, or background tasks.
  • Microsoft classified the vulnerability as moderate severity (MSRC Case 101749) and declined to issue a CVE or immediate patch.
  • Detection requires monitoring Event Tracing for Windows (ETW) for specific RPC exceptions (RPC_S_SERVER_UNAVAILABLE) from high-privileged clients.

Affected Systems

  • Windows Server 2022
  • Windows Server 2025
  • Likely all Windows versions

Vulnerabilities (CVEs)

  • Unpatched RPC architectural vulnerability (MSRC Case 101749, no CVE assigned)

Attack Chain

An attacker compromises a service account with SeImpersonatePrivilege (e.g., Network Service or Local Service). The attacker deploys a malicious RPC server mimicking a legitimate, unavailable service endpoint like TermService or DHCP Client. A high-privileged process (like gpsvc, msedge.exe, or WdiSystemHost) attempts to connect to the spoofed endpoint using a high impersonation level. The malicious server intercepts the call, invokes RpcImpersonateClient, and steals the SYSTEM or Administrator token to execute arbitrary commands.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: ETW (Event Tracing for Windows)

The article outlines a methodology using ETW (Event ID 1 and 5) and a Python script to filter for RPC_S_SERVER_UNAVAILABLE exceptions with high impersonation levels.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDRs monitor process creation and token manipulation, but deep visibility into specific ALPC/RPC endpoint spoofing and impersonation levels often requires dedicated ETW tracing.
  • Network Visibility: None — The vulnerability exploits local inter-process communication (ALPC) and does not generate network traffic.
  • Detection Difficulty: Hard — Requires correlating ETW Event ID 1 (RPC Stop) and Event ID 5 (RPC Start) to identify specific status codes (0x800706BA) and impersonation levels, which can be noisy in production environments.

Required Log Sources

  • ETW Microsoft-Windows-RPC Provider

Hunting Hypotheses

  • Hypothesis: Identify RPC calls failing with RPC_S_SERVER_UNAVAILABLE (0x800706BA) originating from SYSTEM or Administrator processes using the 'Impersonate' level. | Telemetry: ETW Microsoft-Windows-RPC | ATT&CK Stage: Privilege Escalation | FP Risk: High
  • Hypothesis: Detect unusual processes running under Network Service or Local Service binding to known high-value RPC endpoints like TermSrvApi or dhcpcsvc. | Telemetry: ETW / EDR API Monitoring | ATT&CK Stage: Privilege Escalation | FP Risk: Medium

Control Gaps

  • Lack of RPC server authentication and verification in the Windows RPC runtime architecture.

Key Behavioral Indicators

  • RPC Stop events (Event ID 1) with status 0x800706BA
  • RPC Start events (Event ID 5) indicating high impersonation levels (Impersonate/Delegate)

False Positive Assessment

  • High, as legitimate RPC failures (RPC_S_SERVER_UNAVAILABLE) occur frequently in Windows environments during normal operation. Strict filtering by client privilege and impersonation level is required.
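The filtering described above (correlate RPC Start and RPC Stop events, keep only RPC_S_SERVER_UNAVAILABLE results from SYSTEM or Administrator clients using a high impersonation level, and summarize by endpoint so routine failures do not drown the signal) is shown here as an added Python example. It is not the script from the Kaspersky article. The input records are constructed, and their field names (`event_id`, `pid`, `tid`, `ts`, `user_sid`, `integrity`, `impersonation`, `endpoint`, `status`) are assumptions: a real collector parsing the Microsoft-Windows-RPC provider will expose its own property names, which must be mapped onto these.

```python
"""
Correlate ETW RPC Start (Event ID 5) and RPC Stop (Event ID 1) records and
flag the PhantomRPC precondition: a high-privileged client whose call to an
unavailable endpoint fails with RPC_S_SERVER_UNAVAILABLE while it offered a
high impersonation level.

Assumption: the record layout below is invented for this example; the real
ETW payload must be mapped onto it by the collector.
"""
from collections import defaultdict
from dataclasses import dataclass

RPC_S_SERVER_UNAVAILABLE = 0x800706BA      # HRESULT form of RPC_S_SERVER_UNAVAILABLE (Win32 error 1722)
EVENT_RPC_STOP = 1                          # as used in the write-up: call stop, carries the status code
EVENT_RPC_START = 5                         # as used in the write-up: call start, carries the impersonation level
HIGH_IMPERSONATION = {"Impersonate", "Delegate"}
SYSTEM_SID = "S-1-5-18"


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    endpoint: str
    impersonation: str
    user_sid: str


def is_high_privileged(start_rec):
    """SYSTEM, or an elevated (High integrity) Administrator token.

    Local Service (S-1-5-19) and Network Service (S-1-5-20) deliberately do
    not match: they are the typical attacker context, not the victim.
    The `integrity` field is an assumed enrichment from the collector.
    """
    return start_rec["user_sid"] == SYSTEM_SID or start_rec.get("integrity") == "High"


def correlate(events):
    """Pair each Start with the next Stop on the same (pid, tid) and filter.

    A call is reported only if all three conditions hold: the Stop status is
    RPC_S_SERVER_UNAVAILABLE, the Start offered Impersonate/Delegate, and the
    client is high-privileged. Anything else is normal RPC noise.
    """
    pending = {}
    findings = []
    for rec in sorted(events, key=lambda r: r["ts"]):
        key = (rec["pid"], rec["tid"])
        if rec["event_id"] == EVENT_RPC_START:
            pending[key] = rec
        elif rec["event_id"] == EVENT_RPC_STOP:
            start = pending.pop(key, None)
            if start is None or rec["status"] != RPC_S_SERVER_UNAVAILABLE:
                continue
            if start["impersonation"] not in HIGH_IMPERSONATION:
                continue
            if not is_high_privileged(start):
                continue
            findings.append(Finding(start["pid"], start["process"], start["endpoint"],
                                    start["impersonation"], start["user_sid"]))
    return findings


def summarize(findings):
    """Count findings per endpoint: an endpoint that high-privileged clients
    keep calling while nobody serves it is exactly what a spoofer would claim."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.endpoint] += 1
    return dict(counts)


# Constructed sample trace (not real telemetry). Endpoint names are taken from the write-up.
SAMPLE_EVENTS = [
    # gpsvc inside svchost.exe as SYSTEM, Impersonate, TermSrvApi unavailable -> flagged
    {"event_id": 5, "ts": 1, "pid": 1204, "tid": 8, "process": "svchost.exe", "user_sid": SYSTEM_SID,
     "integrity": "System", "impersonation": "Impersonate", "endpoint": "TermSrvApi"},
    {"event_id": 1, "ts": 2, "pid": 1204, "tid": 8, "status": RPC_S_SERVER_UNAVAILABLE},
    # w32tm.exe from an elevated admin shell, Impersonate, pipe missing -> flagged
    {"event_id": 5, "ts": 3, "pid": 4420, "tid": 3, "process": "w32tm.exe", "user_sid": "S-1-5-21-0-0-0-1001",
     "integrity": "High", "impersonation": "Impersonate", "endpoint": r"\\PIPE\\W32TIME"},
    {"event_id": 1, "ts": 4, "pid": 4420, "tid": 3, "status": RPC_S_SERVER_UNAVAILABLE},
    # Network Service client failing the same way -> not flagged (low-privileged client)
    {"event_id": 5, "ts": 5, "pid": 5100, "tid": 2, "process": "svchost.exe", "user_sid": "S-1-5-20",
     "integrity": "Medium", "impersonation": "Impersonate", "endpoint": "dhcpcsvc"},
    {"event_id": 1, "ts": 6, "pid": 5100, "tid": 2, "status": RPC_S_SERVER_UNAVAILABLE},
    # SYSTEM client at Identify level -> not flagged (token cannot be impersonated usefully)
    {"event_id": 5, "ts": 7, "pid": 1204, "tid": 9, "process": "svchost.exe", "user_sid": SYSTEM_SID,
     "integrity": "System", "impersonation": "Identify", "endpoint": "dhcpcsvc"},
    {"event_id": 1, "ts": 8, "pid": 1204, "tid": 9, "status": RPC_S_SERVER_UNAVAILABLE},
    # SYSTEM client whose call succeeded -> not flagged (endpoint was actually served)
    {"event_id": 5, "ts": 9, "pid": 6000, "tid": 1, "process": "svchost.exe", "user_sid": SYSTEM_SID,
     "integrity": "System", "impersonation": "Impersonate", "endpoint": "TermSrvApi"},
    {"event_id": 1, "ts": 10, "pid": 6000, "tid": 1, "status": 0},
]

if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS)
    for h in hits:
        print(f"pid={h.pid} {h.process} -> {h.endpoint} ({h.impersonation}, {h.user_sid})")
    print(summarize(hits))
```

The per-endpoint summary is the practical output: a single unavailable-endpoint failure from a SYSTEM process is routine, but a recurring one against TermSrvApi, dhcpcsvc or \\PIPE\\W32TIME on a host where that service is disabled is the condition the technique needs, and pairing it with a Network Service or Local Service process that has started listening on that endpoint turns the hypothesis into an alert.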

Recommendations

Immediate Mitigation

  • Where the targeted services (e.g., Remote Desktop/TermService, DHCP Client) are disabled in your environment, consider enabling them so the legitimate endpoint is registered and cannot be claimed by an attacker's spoofed RPC server.

Infrastructure Hardening

  • Audit and restrict the assignment of SeImpersonatePrivilege to custom or unnecessary service accounts.
  • Implement ETW-based monitoring to identify RPC exceptions and unauthorized RPC server deployments.

User Protection

  • Ensure EDR solutions are configured to monitor for token theft and abnormal child processes spawning from service accounts.

Security Awareness

  • Educate administrators on the risks posed by unpatched architectural vulnerabilities and the importance of least privilege for service accounts.

MITRE ATT&CK Mapping

  • T1068 - Exploitation for Privilege Escalation
  • T1134.001 - Access Token Manipulation: Token Impersonation/Theft
  • T1559 - Inter-Process Communication

Additional IOCs

  • File Paths:
    • C:\Windows\System32\svchost.exe - Host process for various targeted Windows services.
  • Command Lines:
    • Purpose: Trigger Group Policy update to coerce an RPC call to TermService | Tools: gpupdate.exe | Stage: Execution/Coercion | gpupdate.exe /force
    • Purpose: Trigger RPC call to DHCP Client service | Tools: ipconfig.exe | Stage: Execution/Coercion | ipconfig.exe
    • Purpose: Trigger RPC call to Windows Time service | Tools: w32tm.exe | Stage: Execution/Coercion | w32tm.exe