{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rpc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","rpc","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eKaspersky researchers discovered a critical vulnerability in the Windows Remote Procedure Call (RPC) architecture, dubbed PhantomRPC, that enables local privilege escalation. An attacker who already runs in a context that holds impersonation privileges (such as Local Service or Network Service) creates a rogue RPC server; when a higher-privileged client such as a SYSTEM service connects to it, the rogue server impersonates that client and gains SYSTEM permissions. Because the weakness lies in the architectural design of RPC itself rather than in a single component, it is potentially exploitable across all Windows versions. The researchers demonstrated five different exploitation paths, each escalating from a Local Service or Network Service context. The issue has been disclosed to Microsoft, but a patch has not yet been released. 
Because the weakness is in the RPC design rather than in one particular service, any privileged client that can be induced to connect to a rogue endpoint is a potential vector, so the set of attack vectors is effectively open-ended.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system with low privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains code execution in a context that holds \u003ccode\u003eSeImpersonatePrivilege\u003c/code\u003e, such as Local Service or Network Service. Without this privilege the impersonation in the later steps is generally capped at identification level and yields no usable token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious RPC server application designed to exploit the PhantomRPC vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a connection from the target service (e.g., Group Policy Client service, which runs as SYSTEM) to the attacker\u0026rsquo;s malicious RPC server via ALPC.\u003c/li\u003e\n\u003cli\u003eThe malicious RPC server calls \u003ccode\u003eRpcImpersonateClient\u003c/code\u003e and receives an impersonation token for the connecting SYSTEM client.\u003c/li\u003e\n\u003cli\u003eThe attacker uses that token to execute code within the security context of the SYSTEM account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform arbitrary actions, such as installing malware, creating new accounts, or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PhantomRPC allows a low-privileged attacker to escalate to SYSTEM and take complete control of the affected system, leading to data theft, malware installation, or denial of service. The vulnerability affects all Windows versions and, given the open-ended set of attack vectors, poses a significant risk to a large number of systems. 
While the exact number of potential victims remains unknown, the widespread use of RPC in Windows makes this a highly critical issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation of suspicious ALPC ports, especially ports created by processes running as Local Service or Network Service that do not normally host an RPC server. Use the Sigma rule \u003ccode\u003eDetect Suspicious ALPC Port Creation\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor for processes calling the \u003ccode\u003eRpcImpersonateClient\u003c/code\u003e API, especially calls originating from unusual or untrusted processes. Use the Sigma rule \u003ccode\u003eDetect RpcImpersonateClient API Call from Unusual Process\u003c/code\u003e to identify potential exploitation attempts; note that this needs API-level telemetry from an EDR or ETW provider, since the standard Windows Security log does not record the call.\u003c/li\u003e\n\u003cli\u003eReduce the number of processes and service accounts that hold \u003ccode\u003eSeImpersonatePrivilege\u003c/code\u003e, and restrict who can obtain code execution in the Local Service and Network Service contexts, to limit the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T08:00:12Z","date_published":"2026-04-24T08:00:12Z","id":"/briefs/2026-04-phantom-rpc-privesc/","summary":"A vulnerability in Windows RPC architecture allows an attacker to create a fake RPC server and escalate their privileges to SYSTEM level, leveraging processes with impersonation privileges.","title":"PhantomRPC: Windows RPC Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-phantom-rpc-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-26183"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","rpc"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26183 is a vulnerability in the Windows RPC API that enables a local attacker with existing authorized access to elevate their privileges. 
This improper access control issue allows a malicious actor to gain higher-level permissions on a system they already have a foothold on. The vulnerability, reported on April 14, 2026, affects the Windows operating system. An attacker could leverage it to install software, modify data, or create new accounts with full user rights, ultimately gaining complete control over the affected system. Microsoft has released a patch to address this vulnerability, and immediate patching is strongly recommended.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system with limited privileges via legitimate means, such as compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the system is unpatched for CVE-2026-26183.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious RPC request designed to exploit the improper access control.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted RPC request to the vulnerable function within the Windows RPC API.\u003c/li\u003e\n\u003cli\u003eBecause the access control check is missing, the RPC API processes the request with elevated privileges, and the attacker now holds administrator-level rights instead of those of the limited user.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to modify system configuration, install malicious software, or create new accounts with administrator rights.\u003c/li\u003e\n\u003cli\u003eThe attacker now has full control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-26183 can lead to complete system compromise. 
A local attacker can escalate their privileges to the highest level, allowing them to perform any action on the system. This could result in data theft, installation of malware, or denial of service. Given the widespread use of Windows, a successful exploit could affect a large number of systems if left unpatched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-26183 on all affected Windows systems immediately. Refer to the Microsoft advisory [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26183].\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious process creation events that might indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor system logs for unusual RPC activity, especially originating from low-privileged accounts, and correlate with other suspicious events to identify potential exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:26:47Z","date_published":"2026-04-14T18:26:47Z","id":"/briefs/2026-04-windows-rpc-privesc/","summary":"CVE-2026-26183 allows a locally authenticated attacker to escalate privileges due to improper access control within the Windows RPC API.","title":"CVE-2026-26183 Windows RPC API Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-04-windows-rpc-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elasticsearch"],"_cs_severities":["high"],"_cs_tags":["initial-access","network","rpc"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies RPC traffic originating from the internet, which can indicate malicious activity. RPC is used for remote system administration and resource sharing but should rarely be exposed to the internet. Threat actors frequently target RPC for initial access or as a backdoor. 
This rule analyzes network connection logs, looking for TCP connections to port 135, the DCE/RPC endpoint mapper, whose source address lies outside the internal ranges the rule lists. Port 135 is only the front door: a client asks the endpoint mapper which dynamic port a given RPC interface is listening on and is then redirected there, so when port 135 is reachable from the internet, check whether the dynamic RPC port range is reachable too. The rule aims to detect unauthorized attempts to access or control systems via RPC from external sources. The rule was last updated on 2026-04-24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker scans the internet for systems with exposed RPC services on TCP port 135.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a TCP connection to the target system\u0026rsquo;s port 135.\u003c/li\u003e\n\u003cli\u003eThe attacker binds to the endpoint mapper, enumerates the registered RPC interfaces and their endpoints, and attempts to exploit a vulnerable or misconfigured service among them.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to execute commands remotely on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to perform reconnaissance, gathering information about the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement to other systems within the network, using the initial foothold.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or creates a backdoor for persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of exposed RPC services can lead to complete system compromise, allowing attackers to execute arbitrary commands, install malware, and steal sensitive data. This can result in data breaches, financial loss, and reputational damage. 
The rule aims to prevent attackers from gaining initial access to internal systems, mitigating the risk of wider network compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect RPC from Internet\u0026rdquo; to your SIEM to identify potentially malicious connections to port 135.\u003c/li\u003e\n\u003cli\u003eReview and harden systems that provide RPC services to ensure they are not directly exposed to the internet, as detected by the rule \u0026ldquo;Detect RPC from Internet\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEnforce network segmentation to limit the exposure of critical systems and services, preventing RPC services from being accessible from the Internet (reference: note section in the rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the source and destination IP addresses and related network traffic logs (reference: note section in the rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:23:00Z","date_published":"2024-01-09T18:23:00Z","id":"/briefs/2024-01-09-rpc-from-internet/","summary":"This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from the internet, a common initial access vector, by monitoring network connections to TCP port 135 and filtering known internal IP ranges.","title":"Detecting External RPC Traffic for Initial Access","url":"https://feed.craftedsignal.io/briefs/2024-01-09-rpc-from-internet/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["network-traffic","initial-access","lateral-movement","rpc"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe Remote Procedure Call (RPC) protocol, while essential for legitimate system administration tasks such as remote maintenance and resource sharing within internal networks, 
poses a significant security risk when exposed to the internet. Threat actors frequently target and exploit RPC services as an initial access vector or to establish backdoors within compromised systems. This exposure allows attackers to remotely execute commands, move laterally within the network, and potentially exfiltrate sensitive data. This brief provides detection strategies to identify such anomalous RPC traffic, enabling security teams to proactively mitigate potential threats. The detection focuses on TCP traffic to port 135 from internal IP ranges to external IP addresses; an internal host rarely has a legitimate reason to contact the RPC endpoint mapper of an internet host, so such a connection is a strong indicator that the host is reaching attacker infrastructure or is being driven by a backdoor.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the internal network, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates an RPC connection to an attacker-controlled external IP address on TCP port 135; this outbound connection is what the rule detects.\u003c/li\u003e\n\u003cli\u003eOver that channel the attacker drives the compromised host to enumerate internal network resources and identify targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eFrom the compromised host, the attacker attempts to authenticate to other systems within the internal network.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker remotely executes commands on the target system via RPC.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or a backdoor on the target system for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the established foothold to further propagate within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of RPC services exposed to the internet can lead to a complete compromise of the internal network. Attackers can gain initial access, move laterally, exfiltrate sensitive data, deploy ransomware, or disrupt critical business operations. 
A single exposed RPC service can serve as a gateway for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect RPC traffic from internal IP ranges to external destinations on TCP port 135, focusing on network traffic logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, prioritizing systems exhibiting suspicious RPC activity (Sigma rule, logsource: network_connection).\u003c/li\u003e\n\u003cli\u003eEnsure that RPC services are not directly exposed to the internet. Implement firewall rules to restrict access to authorized internal IP ranges only.\u003c/li\u003e\n\u003cli\u003eContinuously monitor network traffic for anomalous RPC activity and correlate with other security events (logsource: network_connection).\u003c/li\u003e\n\u003cli\u003eReview and update firewall configurations to block unauthorized outbound connections on port 135 (logsource: firewall).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:27:00Z","date_published":"2024-01-03T14:27:00Z","id":"/briefs/2024-01-rpc-internet-access/","summary":"This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.","title":"Detecting RPC Traffic to the Internet","url":"https://feed.craftedsignal.io/briefs/2024-01-rpc-internet-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["lateral-movement","defense-impairment","persistence","rpc"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on detecting lateral movement attempts that leverage remote procedure calls (RPC) to modify registry keys on target systems. 
The technique abuses the Windows Remote Registry Protocol (MS-RRP), which the Remote Registry service exposes over RPC, to achieve persistence or execute arbitrary code. Defenders can use RPC Firewall audit logs to identify this activity by monitoring for calls to the MS-RRP interface with the specific operation numbers (opnums) associated with registry modification rather than read-only queries, and can configure the RPC Firewall to block those calls. This activity is typically post-exploitation: an attacker who already holds valid credentials uses it to extend control from one foothold to other hosts in the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the network (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker discovers accessible target systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the target system\u0026rsquo;s RPC endpoint for the Remote Registry service (interface UUID 338cd001-2244-31f1-aaaa-900038001003, normally reached over the \u003ccode\u003ewinreg\u003c/code\u003e named pipe).\u003c/li\u003e\n\u003cli\u003eThe attacker issues RPC calls with operation numbers 6, 7, 8, 13, 18, 19, 21, 22, 23, or 35 to modify the registry remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies registry keys related to startup programs or services.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of malicious code through the modified registry keys, achieving persistence.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, allowing the attacker to perform actions such as data exfiltration or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence, escalate privileges, and move laterally within the network. This can lead to data theft, system compromise, and disruption of services. 
If lateral movement succeeds, attackers can gain control over critical assets, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall and configure RPC Firewall on all critical systems, auditing RPC calls to the Registry Remote Protocol interface (UUID 338cd001-2244-31f1-aaaa-900038001003) as described in the \u003ccode\u003edefinition\u003c/code\u003e within the \u003ccode\u003elogsource\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect anomalous RPC calls related to registry modification as outlined in the \u003ccode\u003edetection\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any identified malicious RPC connections using RPC Firewall based on the logs generated and reviewed from the deployed Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-remote-registry-lateral-movement/","summary":"This brief details detection of lateral movement attempts using remote RPC calls to modify the registry, potentially leading to code execution, detected via RPC Firewall logs.","title":"Remote Registry Lateral Movement via RPC Firewall","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-registry-lateral-movement/"}],"language":"en","title":"CraftedSignal Threat Feed — Rpc","version":"https://jsonfeed.org/version/1.1"}
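The two network-direction briefs in this feed ("Detecting External RPC Traffic for Initial Access" and "Detecting RPC Traffic to the Internet") describe one check seen from opposite sides: a TCP connection to port 135 in which exactly one end of the flow sits inside the organisation's address space. The Python below is an added example, not code from the feed or from the Sigma rules those briefs reference. The internal address ranges, the record schema (src_ip, dst_ip, dst_port, protocol) and the sample connection records are constructed assumptions; replace the ranges with your own address plan before use.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: ranges treated as "internal". Adjust to the organisation's address plan;
# the Sigma rules the briefs reference carry their own list.
INTERNAL_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, ULA
)]

RPC_EPM_PORT = 135  # DCE/RPC endpoint mapper (TCP)


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of INTERNAL_RANGES. Raises ValueError on a bad address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def classify(event: Dict[str, object]) -> Optional[str]:
    """Return the matching rule name for one connection record, or None.

    Assumed record fields: src_ip, dst_ip, dst_port, protocol.
    Only TCP to port 135 is in scope; UDP/135 and other ports are ignored.
    """
    if str(event.get("protocol", "tcp")).lower() != "tcp":
        return None
    if int(event["dst_port"]) != RPC_EPM_PORT:
        return None
    try:
        src_internal = is_internal(str(event["src_ip"]))
        dst_internal = is_internal(str(event["dst_ip"]))
    except ValueError:
        # Malformed address: surface it rather than silently dropping the record.
        return "unparsable_address"
    if not src_internal and dst_internal:
        return "rpc_from_internet"   # inbound: external client reaches our endpoint mapper
    if src_internal and not dst_internal:
        return "rpc_to_internet"     # outbound: our host contacts an external endpoint mapper
    # Internal-to-internal port 135 is routine (DCOM, WMI, remote management);
    # external-to-external is not our traffic. Neither rule fires.
    return None


def detect(events: Iterable[Dict[str, object]]) -> List[Tuple[str, Dict[str, object]]]:
    """Run classify over a batch of records and keep only the hits, in input order."""
    return [(rule, ev) for ev in events if (rule := classify(ev)) is not None]


# Constructed sample records (not real traffic). 203.0.113.0/24, 198.51.100.0/24 and
# 2001:db8::/32 are documentation ranges standing in for arbitrary internet hosts.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7",  "dst_ip": "10.0.5.20",    "dst_port": "135", "protocol": "tcp"},  # inbound hit
    {"src_ip": "192.168.1.15", "dst_ip": "198.51.100.9", "dst_port": "135", "protocol": "tcp"},  # outbound hit
    {"src_ip": "10.0.1.5",     "dst_ip": "10.0.5.20",    "dst_port": "135", "protocol": "tcp"},  # internal only
    {"src_ip": "203.0.113.7",  "dst_ip": "10.0.5.20",    "dst_port": "445", "protocol": "tcp"},  # wrong port
    {"src_ip": "203.0.113.7",  "dst_ip": "10.0.5.20",    "dst_port": "135", "protocol": "udp"},  # not TCP
    {"src_ip": "2001:db8::1",  "dst_ip": "fd00::10",     "dst_port": "135", "protocol": "tcp"},  # IPv6 inbound hit
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev['src_ip']} -> {ev['dst_ip']}:{ev['dst_port']}")
```

The direction test is the whole rule: a SIEM translation is two queries over the same connection log, one with the "source not internal, destination internal" predicate and one with the reverse. The internal-to-internal branch is deliberately not flagged here, because port 135 between domain members is everyday DCOM and WMI traffic; lateral movement inside the network needs a different detection, such as the RPC Firewall approach in the Remote Registry brief.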
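For the Remote Registry brief, the matching step is the interface-plus-opnum filter that the Sigma rule applies to RPC Firewall audit events. The Python below is an added example, not code from the feed, from the Sigma rule or from the RPC Firewall project. The event field names (InterfaceUuid, OpNum, SourceAddress, ProcessName) and the sample events are constructed assumptions modelled on the rule's logsource, and the allow-list of management hosts is a hypothetical tuning knob; the UUID and opnum set are the ones the brief gives.

```python
import re
from typing import Dict, Iterable, List, Optional

# MS-RRP (Remote Registry) interface UUID, as given in the brief.
MS_RRP_UUID = "338cd001-2244-31f1-aaaa-900038001003"

# Opnums the brief lists as indicative of remote registry modification.
MS_RRP_MODIFY_OPNUMS = frozenset({6, 7, 8, 13, 18, 19, 21, 22, 23, 35})

# Assumption: management hosts permitted to write remote registries; all others are suspect.
ALLOWED_SOURCES = frozenset({"10.0.0.5"})

_UUID_RE = re.compile(r"^\{?([0-9a-fA-F-]{36})\}?$")


def normalize_uuid(raw: str) -> Optional[str]:
    """Strip braces and case so '{338CD001-...}' matches the lower-case form in the rule."""
    m = _UUID_RE.match(raw.strip())
    return m.group(1).lower() if m else None


def is_remote_registry_modification(event: Dict[str, object]) -> bool:
    """True if this (assumed-schema) RPC Firewall event is a modifying MS-RRP call
    from a source that is not on the allow-list."""
    if normalize_uuid(str(event.get("InterfaceUuid", ""))) != MS_RRP_UUID:
        return False
    try:
        opnum = int(event.get("OpNum", -1))  # logs may carry the opnum as a string
    except (TypeError, ValueError):
        return False
    if opnum not in MS_RRP_MODIFY_OPNUMS:
        return False
    return str(event.get("SourceAddress", "")) not in ALLOWED_SOURCES


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that should raise an alert, in input order."""
    return [ev for ev in events if is_remote_registry_modification(ev)]


# Constructed sample events (not real RPC Firewall output); field names are an assumption.
SAMPLE_EVENTS = [
    # modifying opnum, braces and upper case in the UUID, workstation source: alert
    {"InterfaceUuid": "{338CD001-2244-31F1-AAAA-900038001003}", "OpNum": 22,
     "SourceAddress": "10.0.7.33", "ProcessName": "svchost.exe"},
    # opnum outside the brief's modification set: ignored
    {"InterfaceUuid": "338cd001-2244-31f1-aaaa-900038001003", "OpNum": 15,
     "SourceAddress": "10.0.7.33", "ProcessName": "svchost.exe"},
    # modifying opnum from the allow-listed management host: ignored
    {"InterfaceUuid": "338cd001-2244-31f1-aaaa-900038001003", "OpNum": "6",
     "SourceAddress": "10.0.0.5", "ProcessName": "svchost.exe"},
    # same opnum number on a different interface (here the Service Control Manager): ignored
    {"InterfaceUuid": "367abb81-9844-35f1-ad32-98f038001003", "OpNum": 22,
     "SourceAddress": "10.0.7.33", "ProcessName": "svchost.exe"},
    # modifying opnum from another non-allow-listed host: alert
    {"InterfaceUuid": "338cd001-2244-31f1-aaaa-900038001003", "OpNum": 35,
     "SourceAddress": "10.0.9.8", "ProcessName": "svchost.exe"},
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"MS-RRP modification opnum {ev['OpNum']} from {ev['SourceAddress']}")
```

The UUID normalisation matters in practice: Windows-side tooling often renders interface IDs with braces and upper-case hex, while the Sigma rule's value is bare lower-case, and a string-equality match silently misses every event. Opnum-only matching is also a trap, because opnum 22 means something different on every interface; the interface check has to come first.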