Abusing Windows RPC Architecture: How PhantomRPC Breaks Trust Boundaries

Summary:

PhantomRPC is a recently disclosed architectural weakness in the Windows Remote Procedure Call (RPC) framework that enables attackers with low-privileged local access to escalate privileges to SYSTEM or Administrator across all supported Windows versions. Rather than exploiting a conventional software vulnerability, the technique abuses the way Windows handles RPC requests directed toward unavailable services, allowing a malicious local process to impersonate trusted system components and hijack privileged interactions.

Multiple real-world attack vectors require little or no user interaction and can operate using default service accounts such as Network Service or Local Service. Despite its broad impact, Microsoft has classified the issue as moderate severity and has not released an official patch, leaving enterprise environments exposed to continued abuse.

Organizations should therefore treat PhantomRPC as a high-risk architectural design issue and prioritize compensating controls such as restricting impersonation privileges, enabling advanced RPC monitoring, and ensuring that critical RPC-dependent services remain operational.

Technical Description:

PhantomRPC is an architectural flaw affecting the Windows RPC runtime (rpcrt4.dll) that occurs when a privileged client attempts to connect to an unavailable or disabled RPC server. Under these conditions, the runtime fails to properly validate the intended server endpoint, allowing a malicious local process to register a spoofed RPC server and intercept the connection request.

Once the privileged client authenticates to the attacker-controlled RPC endpoint using a high impersonation level, the malicious server invokes the RpcImpersonateClient API to inherit the client’s security context. This enables escalation from lower-privileged accounts such as NT AUTHORITY\NETWORK SERVICE or LOCAL SERVICE to SYSTEM or Administrator-level privileges.

Exploitation can be initiated through multiple legitimate Windows components and workflows, including gpupdate.exe, Microsoft Edge startup activity, Windows Diagnostic Infrastructure (WDI) scheduled operations, DHCP interactions via ipconfig.exe, and Windows Time service communications. Because the technique abuses expected RPC behavior rather than relying on memory corruption, it is highly reliable and difficult to identify using conventional detection approaches.

The complete attack chain is detailed below.

Delivery and Infection Chain:

PhantomRPC does not rely on traditional payload delivery methods such as exploit kits or phishing within the privilege escalation phase itself. Instead, the attacker must already possess local code execution on the target system, typically obtained through phishing, compromised credentials, malicious downloads, or exploitation of internet-facing services.

Once initial access is established, the attacker launches a userland process that registers a rogue RPC server and prepares to intercept connections initiated by privileged Windows processes. Because the technique does not require kernel-level access or exploit chaining, the operational barrier to entry is significantly reduced.

The delivery and infection sequence is as follows:

  • The attacker gains local code execution on the target system using a low-privileged account such as NT AUTHORITY\NETWORK SERVICE or LOCAL SERVICE possessing SeImpersonatePrivilege.
  • The attacker identifies or creates conditions where a legitimate RPC service becomes unavailable or disabled, then registers a malicious RPC server to spoof the expected endpoint.
  • The attacker waits for or actively triggers a privileged process running as SYSTEM or Administrator to initiate an RPC connection to the spoofed service.
  • The Windows RPC runtime connects the privileged client to the attacker-controlled server without proper endpoint validation, allowing high-level authentication to occur.
  • The attacker invokes RpcImpersonateClient to inherit the privileged security token, achieving SYSTEM-level access and enabling full post-exploitation activity.

Technical Capabilities:

Rather than exploiting memory corruption or software logic flaws, PhantomRPC abuses how the Windows RPC runtime handles unavailable service endpoints to achieve reliable local privilege escalation. Attackers can register rogue RPC servers that impersonate legitimate endpoints and intercept connections from privileged Windows services and processes.

When these services authenticate using elevated impersonation levels, attackers can use the RpcImpersonateClient API to inherit privileged security contexts and escalate from low-privileged accounts such as NETWORK SERVICE or LOCAL SERVICE to SYSTEM or Administrator. Because the technique relies entirely on legitimate Windows functionality, it is highly stable and broadly applicable across enterprise environments.

The attack supports multiple execution pathways using native Windows binaries and built-in services. Adversaries may passively wait for scheduled or automated system activity to trigger RPC communications, or actively coerce privileged processes into initiating RPC requests through legitimate system utilities. Since the activity blends into expected operating system behavior and uses valid APIs, conventional detection mechanisms often struggle to differentiate malicious activity from normal system operations.

Additionally, the technique can be repeatedly reused for persistence, privilege re-escalation, and covert post-exploitation operations, making it adaptable for long-term attacker access within enterprise environments.

Attribution and Evolution:

Although PhantomRPC was publicly disclosed by Kaspersky researchers in 2026, there is currently no confirmed evidence linking exploitation activity to a specific threat actor or advanced persistent threat (APT) group.

However, the methodology closely resembles tradecraft historically used by red-team operators and sophisticated threat actors that abuse impersonation privileges such as SeImpersonatePrivilege to achieve privilege escalation. Given the public release of proof-of-concept tools and technical details, PhantomRPC-style techniques are likely to become incorporated into both advanced intrusion frameworks and commodity malware toolkits moving forward.

Active Campaign and Geographic Spread:

At present, there are no publicly confirmed large-scale campaigns specifically exploiting PhantomRPC. However, the prerequisites for exploitation, namely local low-privileged access combined with impersonation rights, are common within enterprise Windows environments worldwide.

Organizations operating in regions frequently targeted by advanced cyber activity, including North America, Europe, the Middle East, and parts of Asia, should exercise heightened caution, particularly where legacy configurations, disabled services, or weak privilege separation increase exposure to RPC-based abuse.

Conclusion:

PhantomRPC highlights a broader shift away from traditional software vulnerabilities toward abuse of architectural trust assumptions within core operating system components. Its reliability, low exploitation complexity, absence of a vendor patch, and use of legitimate Windows behavior make it a significant security concern for enterprise defenders.

Organizations should prioritize proactive defensive measures rather than relying solely on future vendor remediation. Recommended mitigation strategies include restricting impersonation privileges, maintaining availability of critical RPC-dependent services, strengthening RPC telemetry and monitoring, and improving detection of anomalous inter-process communication patterns.

Addressing PhantomRPC ultimately requires a defensive strategy focused on minimizing implicit trust relationships within the Windows operating environment rather than simply patching a standalone vulnerability.

Impact:

Despite being classified as a “moderate” issue, PhantomRPC carries severe operational and security implications. Successful exploitation enables attackers to obtain full SYSTEM-level privileges, allowing them to disable security tooling, access sensitive information, establish persistence, move laterally within enterprise networks, and conduct broader post-exploitation activity.

Because the technique leverages legitimate system behavior and trusted Windows APIs, traditional detection mechanisms may fail to identify malicious activity, increasing attacker dwell time and overall operational impact. The absence of an official vendor patch further elevates organizational risk and places responsibility for mitigation entirely on defenders.

IOC and Context Details:

Topic                   Details
Tactic Name             Privilege Escalation
Technique Name          Access Token Manipulation
Sub-Technique Name      Impersonation Token Abuse (via RpcImpersonateClient / SeImpersonatePrivilege)
Attack Type             Local Privilege Escalation (LPE)
Targeted Applications   Windows RPC runtime (rpcrt4.dll), Group Policy Client (gpupdate.exe), Microsoft Edge (msedge.exe), WDI (Diagnostic System Host), DHCP Client, Windows Time Service
Region Impacted         Global
Industry Impacted       Enterprise IT, Government, Finance, Healthcare, Critical Infrastructure
IOCs                    NA
CVE                     NA

Recommended Actions:

  • Restrict and audit usage of SeImpersonatePrivilege, ensuring it is granted only to essential Windows system components and not to custom or third-party applications.
  • Enable advanced RPC monitoring and telemetry collection, including ETW logging, to detect anomalous RPC behavior such as repeated RPC_S_SERVER_UNAVAILABLE events combined with elevated impersonation activity.
  • Avoid unnecessarily disabling critical RPC-dependent services such as TermService and DHCP Client services, reducing opportunities for endpoint hijacking.
  • Enforce least-privilege access principles and regularly review permissions assigned to service accounts such as NETWORK SERVICE and LOCAL SERVICE.
  • Monitor for suspicious RPC server registrations, abnormal inter-process communication patterns, and unexpected service endpoint behavior.
  • Deploy Endpoint Detection and Response (EDR) solutions capable of identifying token impersonation, privilege escalation attempts, and suspicious API abuse.
  • Implement application control and allowlisting policies to prevent unauthorized binaries from executing and registering rogue RPC services.
  • Conduct regular security assessments and proactive threat-hunting exercises focused on RPC misuse, impersonation abuse, and privilege escalation pathways within enterprise systems.
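The following PowerShell script is an added example, not part of the advisory or of Kaspersky's research tooling. It audits two of the compensating controls listed above on the local host: which principals hold SeImpersonatePrivilege, and whether the RPC-dependent services the advisory names are still running. It assumes secedit.exe is available (it ships with Windows), that the service names TermService, Dhcp and W32Time correspond to Remote Desktop Services, DHCP Client and Windows Time, and that the default privilege holders listed as the baseline match your build.

```powershell
# Added audit example (not from the advisory). Run from an elevated PowerShell session.

# 1. Export the local security policy and read the SeImpersonatePrivilege assignment.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeImpersonatePrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Holders are listed as *SID or as account names; resolve SIDs to names for review.
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $p = $_.Trim()
        if ($p.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $p }
        } else { $p }
    }
}

# Assumed baseline: the default holders on a stock Windows install. Anything else
# (custom or third-party service accounts) is flagged for review.
$baseline = @('BUILTIN\Administrators', 'NT AUTHORITY\SERVICE',
              'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
Write-Host 'SeImpersonatePrivilege holders:'
foreach ($h in $holders) {
    $flag = if ($baseline -contains $h) { '' } else { '  <-- not in baseline, review' }
    Write-Host "  $h$flag"
}

# 2. Check that the RPC-dependent services named in the advisory are running and not disabled.
# A stopped or disabled service leaves an unavailable endpoint that the technique relies on.
$services = @{ 'TermService' = 'Remote Desktop Services'; 'Dhcp' = 'DHCP Client'; 'W32Time' = 'Windows Time' }
Write-Host "`nRPC-dependent service state:"
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "  $name ($($services[$name])): not installed"; continue }
    $note = if ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') { '  <-- unavailable endpoint, review' } else { '' }
    Write-Host "  $name ($($services[$name])): $($svc.Status), StartType=$($svc.StartType)$note"
}
```

Findings flagged here are review items, not verdicts: a host may legitimately have Remote Desktop Services disabled, in which case the compensating control is ensuring no other privileged client still tries to reach that endpoint.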

Reference:

https://www.kaspersky.com/about/press-releases/kaspersky-has-discovered-phantomrpc-a-windows-rpc-vulnerability-that-allows-attackers-to-create-a-fake-server-and-escalate-privileges