PhantomRPC is a novel local privilege escalation (LPE) technique targeting the Windows Remote Procedure Call (RPC) architecture. By exploiting the mechanism where RPC clients attempt to connect to unavailable or disabled services using high impersonation levels, an attacker can deploy a malicious RPC server to capture and impersonate high-privileged security contexts. This architectural weakness allows escalation from Network Service or Local Service to SYSTEM or Administrator levels across various Windows versions, including Server 2025.
The research outlines a systematic methodology using Event Tracing for Windows (ETW) to identify vulnerable RPC calls. Five distinct exploitation paths were identified, involving services such as the Group Policy Client, Microsoft Edge, and the Diagnostic System Host (WDI). Despite formal disclosure, Microsoft classified the issue as moderate severity and has not issued a patch, citing the prerequisite of SeImpersonatePrivilege. Organizations are advised to monitor for RPC failures and minimize the assignment of impersonation privileges to mitigate risk.
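The recommended mitigation above is to minimize which principals hold SeImpersonatePrivilege. As an added example (not code from the PhantomRPC research or from Microsoft), the following PowerShell audits the local security policy for holders of that right; the baseline list of default holders is an assumption and should be aligned with your own policy.

```powershell
# Added example: list principals granted SeImpersonatePrivilege on this host.
# Run from an elevated PowerShell session (secedit requires administrative rights).
# The baseline below is an assumed set of default holders, not a verified standard.
$Baseline = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-6',       # NT AUTHORITY\SERVICE
    'S-1-5-19',      # NT AUTHORITY\LOCAL SERVICE
    'S-1-5-20'       # NT AUTHORITY\NETWORK SERVICE
)

function Get-ImpersonatePrivilegeHolders {
    $cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the local security policy.
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
        if (-not $line) { return @() }
        # The value is comma-separated; SIDs carry a leading '*', account names are bare.
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e.StartsWith('*')) {
                $sid = $e.Substring(1)
                try {
                    $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $name = '<unresolved>' }
            } else {
                $name = $e
                try {
                    $sid = ([System.Security.Principal.NTAccount]$e).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { $sid = '<unknown>' }
            }
            [pscustomobject]@{ Principal = $name; Sid = $sid; InBaseline = ($Baseline -contains $sid) }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$holders = Get-ImpersonatePrivilegeHolders
$holders | Format-Table -AutoSize
$extra = $holders | Where-Object { -not $_.InBaseline }
if ($extra) {
    Write-Warning "Outside assumed baseline: $($extra.Principal -join ', ')"
}
```

Any principal reported outside the baseline (for example a service account added for convenience) is a candidate for review, since that right is the stated prerequisite for the technique.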