PhantomRPC: A New Windows RPC Privilege Escalation Technique

[Image: Minimalist white line art on a forest green background showing a stylized computer tower with a ghost icon and an upward-pointing arrow, symbolizing the PhantomRPC privilege escalation.]

Security researchers at Kaspersky have uncovered PhantomRPC, an architectural-level vulnerability in Windows Remote Procedure Call that lets attackers deploy a fake RPC server and escalate privileges from low-privileged contexts to SYSTEM or Administrator — without requiring a classic memory-corruption bug.

SINGAPORE — In the world of Windows exploitation, attackers usually hunt for "bugs": a buffer overflow, a race condition, or a logic error in a specific driver. However, newly disclosed research from Kaspersky Application Security Specialist Haidar Kabibo, presented at Black Hat Asia 2026, has exposed something much more difficult to patch: a structural design consequence.

Dubbed PhantomRPC, this technique allows an attacker who has already gained a "foothold" on a system — specifically through low-privileged service accounts like NETWORK SERVICE or LOCAL SERVICE — to vault themselves to the highest level of authority on a machine: NT AUTHORITY\SYSTEM.

PhantomRPC Vulnerability Breakdown

Metric              Detail
------------------  ------------------------------------------------------
Vulnerability Type  Windows RPC Architectural Design Flaw
Core Technique      Fake RPC Server Deployment + Client Impersonation
Max Elevation       NT AUTHORITY\SYSTEM
Patch Status        Disclosed at Black Hat Asia 2026; no official patch yet.

The Core Mechanism: The "Fake Server" Trap

Remote Procedure Call (RPC) is the backbone of Windows communication, allowing different processes to talk to one another. Under normal circumstances, a client process (like an updater or a diagnostic tool) reaches out to a legitimate RPC server (like the Terminal Services API).

PhantomRPC exploits the behavior of the RPC runtime when a legitimate server is unavailable. The attack chain works as follows:

  1. Deployment: An attacker with a low-privileged process deploys an attacker-controlled RPC server that mimics a legitimate, but currently inactive, RPC endpoint.
  2. The Coercion: A high-privileged process (such as a Group Policy update or a Windows Defender diagnostic) attempts to contact the real service.
  3. The Interception: Because the real service is unavailable, the Windows RPC runtime inadvertently connects to the attacker’s fake server instead.
  4. Impersonation: The attacker's server calls the legitimate RpcImpersonateClient() API to assume the security context of the high-privileged caller, which immediately gives the attacker SYSTEM or Administrator access.

Five Known Escalation Paths

Kaspersky researchers identified five distinct vectors where this architectural weakness can be weaponized today:

  • Group Policy (gpupdate): Triggering gpupdate /force as a user causes the Group Policy Client (SYSTEM) to call Terminal Services. If the service is disabled, the fake RPC endpoint responds and steals the SYSTEM token.
  • Microsoft Edge: The browser's startup path triggers RPC calls that can be intercepted to elevate a NETWORK SERVICE process to a full local Administrator.
  • Windows Defender (WDI): Periodic diagnostic calls can be intercepted to gain SYSTEM access without any user interaction.
  • DHCP Client: A path from LOCAL SERVICE to Administrator through ipconfig-triggered RPC calls.
  • Background Services: Kaspersky notes the attack surface is effectively unbounded; any background service that acts as an RPC client to an unavailable endpoint is a potential target.
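Every vector above ends in the same observable transition: a process running as NETWORK SERVICE or LOCAL SERVICE ends up with a SYSTEM (or Administrator) token. The following is an added defensive example, not code from the article or from Kaspersky. It runs a simple triage rule over Windows Security event 4688 (process creation) records, using the field names from Microsoft's documented 4688 layout (SubjectUserName is the creating account, TargetUserName is the account the new process runs under, ParentProcessName is the creator image), and flags records where a low-privileged service account created a process that runs as a high-privileged account. The sample events, the rule name and the empty allowlist are constructed assumptions.

```python
"""Triage rule for the PhantomRPC privilege transition in Windows 4688 events.

Added example, not code from the article or from Kaspersky. Field names
follow Microsoft's documented 4688 event layout; all events below are
constructed sample data, not captured telemetry.
"""
from dataclasses import dataclass

# Accounts the article names as PhantomRPC starting points.
LOW_PRIV_SERVICE_ACCOUNTS = {"NETWORK SERVICE", "LOCAL SERVICE"}
# Accounts the article names as the escalation target. Only the local
# Administrator account is matched by name; membership in the Administrators
# group is not visible in a 4688 record and needs token/group data.
HIGH_PRIV_ACCOUNTS = {"SYSTEM", "ADMINISTRATOR"}
# Creator images a site has reviewed and accepted (assumption: empty by default;
# populate only with locally verified benign creators).
ALLOWLISTED_CREATORS = set()


@dataclass(frozen=True)
class Finding:
    record_id: int
    creator_account: str
    creator_image: str
    new_image: str
    new_account: str


def is_privilege_jump(event: dict) -> bool:
    """True when a low-privileged service account created a process that
    runs under a high-privileged account (the transition PhantomRPC yields)."""
    if event.get("EventID") != 4688:
        return False
    subject = event.get("SubjectUserName", "").upper()
    # 4688 records "-" for Target Subject when the new process runs as the
    # creating account itself; treat that as no transition.
    target = event.get("TargetUserName", "-").upper()
    if target == "-":
        target = subject
    creator = event.get("ParentProcessName", "").lower()
    if creator in {c.lower() for c in ALLOWLISTED_CREATORS}:
        return False
    return subject in LOW_PRIV_SERVICE_ACCOUNTS and target in HIGH_PRIV_ACCOUNTS


def scan(events) -> list:
    """Return one Finding per event that matches the rule, in input order."""
    return [
        Finding(
            record_id=e["RecordId"],
            creator_account=e["SubjectUserName"],
            creator_image=e.get("ParentProcessName", ""),
            new_image=e.get("NewProcessName", ""),
            new_account=e.get("TargetUserName", "-"),
        )
        for e in events
        if is_privilege_jump(e)
    ]


# Constructed sample records (assumption: shapes mirror 4688 XML field names).
SAMPLE_EVENTS = [
    {   # service-account host spawns a shell that runs as SYSTEM: flagged
        "RecordId": 1, "EventID": 4688, "SubjectUserName": "NETWORK SERVICE",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "NewProcessName": r"C:\Windows\System32\cmd.exe", "TargetUserName": "SYSTEM",
    },
    {   # interactive user launching a program as themselves: not flagged
        "RecordId": 2, "EventID": 4688, "SubjectUserName": "alice",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "NewProcessName": r"C:\Windows\System32\notepad.exe", "TargetUserName": "-",
    },
    {   # LOCAL SERVICE creating a child that stays LOCAL SERVICE: not flagged
        "RecordId": 3, "EventID": 4688, "SubjectUserName": "LOCAL SERVICE",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "NewProcessName": r"C:\Windows\System32\ipconfig.exe", "TargetUserName": "LOCAL SERVICE",
    },
    {   # SYSTEM creating SYSTEM is routine: not flagged
        "RecordId": 4, "EventID": 4688, "SubjectUserName": "SYSTEM",
        "ParentProcessName": r"C:\Windows\System32\services.exe",
        "NewProcessName": r"C:\Windows\System32\svchost.exe", "TargetUserName": "-",
    },
    {   # a logon event, wrong event ID: ignored by the rule
        "RecordId": 5, "EventID": 4624, "SubjectUserName": "NETWORK SERVICE",
        "TargetUserName": "SYSTEM",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.creator_account} ({f.creator_image}) "
              f"created {f.new_image} running as {f.new_account}")
```

The rule is a triage signal, not proof of PhantomRPC: some legitimate service hosts do create SYSTEM processes, which is why the allowlist exists and why findings should be paired with the creator image and the state of the service the vector depends on (for the gpupdate path, whether Terminal Services is disabled). Because 4688 only carries the account name, Administrator-group elevation is caught only when the new process runs as the local Administrator account itself.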

The CyberSignal Analysis: Strategic Signals

Signal 01 — Architecture is the New Exploit Surface

PhantomRPC represents a shift in researcher and attacker focus. Instead of looking for a "one-off" bug in an obscure driver, they are targeting core Windows security architecture. Because this is a design behavior rather than a simple coding error, it likely affects all modern versions of Windows NT.

Signal 02 — "Coercion" Without Interaction

Most modern privilege escalation requires a user to click a link or run a specific file. PhantomRPC vectors like WDI and Group Policy happen automatically in the background. This makes it a perfect tool for post-exploitation lateral movement where stealth is paramount.

Signal 03 — The "Low-Privilege" Jump-Point

This research highlights that NETWORK SERVICE and LOCAL SERVICE accounts — often viewed by defenders as "contained" — are actually high-risk jump-points. This follows a trend we’ve seen in kernel-driver abuse, where low-level system access is systematically converted into total environmental control.


Sources

Type      Source
--------  --------------------------------------------------
Forensic  SecureList: PhantomRPC Technical Analysis
Press     Kaspersky: PhantomRPC Official Disclosure
Industry  CybersecurityNews: RPC-Based Privilege Escalation
