Exploiting PhantomRPC: A Practical Guide to Windows Privilege Escalation

Introduction

Windows Remote Procedure Call (RPC) is a core mechanism for interprocess communication, enabling processes to call functions across different execution contexts. Its complexity has historically led to numerous vulnerabilities. PhantomRPC is a newly discovered architectural weakness in the RPC layer that allows processes with impersonation privileges to escalate to SYSTEM level on virtually all Windows versions. Unlike the Potato family of exploits, this flaw stems from how RPC handles authentication and impersonation. This guide walks through the prerequisites, step-by-step exploitation methodology, and key tips for detection and defense.

Exploiting PhantomRPC: A Practical Guide to Windows Privilege Escalation — Source: securelist.com

What You Need

Windows system (any version from Windows 7/Server 2008 R2 to Windows 11/Server 2022)
Low-privileged account with SeImpersonatePrivilege enabled (e.g., LOCAL SERVICE, NETWORK SERVICE, or IIS app pool identity)
Tools: RPC client library (e.g., Python with impacket or custom C++ code), debugger (WinDbg), and network monitor (Wireshark) for analysis
Knowledge: Basic understanding of RPC interfaces, UUIDs, and Windows token impersonation
Optional: A virtual machine for safe testing

Step-by-Step Exploitation Guide

Step 1: Identify a Vulnerable RPC Interface

Scan for RPC endpoints that expose interfaces accessible from the target process context. PhantomRPC exploits occur when a low-privileged RPC client can connect to a high-privileged RPC server and force it to impersonate the client. Focus on interfaces that:

Run under SYSTEM or a high-privileged account
Accept anonymous or authenticated connections from low-privileged callers
Use dynamic endpoints (e.g., ncacn_ip_tcp, ncacn_np) that can be captured or coerced

Common candidates include Task Scheduler (UUID: 0F7A3226-CE05-4a2a-8C12-98F4F36B0156) and DCOM interfaces. Use rpcdump.py from impacket to enumerate endpoints.

Step 2: Set Up an Impersonation Token

Ensure your current process holds an impersonation token with SecurityIdentification or higher level. PhantomRPC relies on the ability to duplicate and impersonate a token from an RPC connection. Use Windows API calls like ImpersonateNamedPipeClient or SeImpersonatePrivilege to obtain such a token. Verify with Whoami /all that the privilege is enabled.

Step 3: Coerce an RPC Connection from a SYSTEM Process

This step is the core of PhantomRPC. Trick a privileged service into connecting to your malicious RPC server. Five primary coercion paths exist:

Named pipe coercion: Set up a malicious named pipe with a well-known name (e.g., \\.\pipe\spoolss). The Print Spooler service (running as SYSTEM) will connect when triggered via RpcOpenPrinter.
DCOM activation: Call CoCreateInstance on a vulnerable CLSID that forces DCOM activation from SYSTEM context.
Task Scheduler: Create a scheduled task that runs under SYSTEM and uses an RPC backchannel to your controlled endpoint.
NT Kernel log collector: Abuse NtQuerySystemInformation with Event Tracing to trigger an RPC call from SYSTEM.
WebClient service: If WebDAV is enabled, force a SYSTEM service to resolve an attacker-controlled UNC path.

For each path, the attacker must listen on an appropriate endpoint. Use RpcServerUseProtseqEp in your code to bind to a dynamic TCP port or named pipe.

Step 4: Capture and Duplicate the SYSTEM Token

When the high-privileged service connects to your RPC server, the RPC runtime automatically performs impersonation on your server side. The incoming call context contains a token for the remote client (SYSTEM). Your code should:

Call RpcImpersonateClient to start impersonating the connecting client.
Use OpenThreadToken to get a handle to the impersonation token.
Call DuplicateTokenEx to create a primary token with SecurityImpersonation level and TOKEN_ALL_ACCESS.
Call CreateProcessAsUser with this duplicate token to spawn a new process (e.g., cmd.exe) running as SYSTEM.

HANDLE hToken;
RpcImpersonateClient(hBinding);
OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE, FALSE, &hToken);
DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hDupToken);
CreateProcessAsUser(hDupToken, "c:\\windows\\system32\\cmd.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

Step 5: Verify and Maintain Access

Confirm the new process runs with elevated privileges using Whoami or token elevation type check. In many scenarios, Windows User Account Control (UAC) may not block token duplication because the impersonation bypasses consent checks. You now have a SYSTEM shell. Use it to install persistence (e.g., service, scheduled task) or extract sensitive data.

Tips for Detection and Defense

Detection

Monitor for unusual RPC endpoint creation by low-privileged processes (Event ID 5189 from ETW-RPC).
Watch for duplicate token creation (Event ID 4624 with LogonType 3 or 9 and an unusual source process).
Alert on SeImpersonatePrivilege usage from non-authorized accounts.

Defense

Apply Microsoft's recommended mitigations: enable RPC firewall via rpcfw rules, restrict anonymous access, and limit impersonation privileges.
Patch your systems: although Microsoft hasn't issued an official fix, some security updates reduce attack surface (e.g., KB5028615 changes).
Use Protected Process Light (PPL) for critical services to prevent token manipulation.
Enable Windows Defender Credential Guard to isolate token storage.

PhantomRPC remains a potent local escalation threat because it exploits a fundamental design choice. Understanding the mechanics provides defenders with the ability to harden their environments and detect exploitation attempts early.

Tags: