<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rpc — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rpc/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 24 Apr 2026 08:00:12 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rpc/feed.xml" rel="self" type="application/rss+xml"/><item><title>PhantomRPC: Windows RPC Privilege Escalation Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-phantom-rpc-privesc/</link><pubDate>Fri, 24 Apr 2026 08:00:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-phantom-rpc-privesc/</guid><description>A vulnerability in Windows RPC architecture allows an attacker to create a fake RPC server and escalate their privileges to SYSTEM level, leveraging processes with impersonation privileges.</description><content:encoded><![CDATA[<p>Kaspersky researchers discovered a critical vulnerability in the Windows Remote Procedure Call (RPC) architecture, dubbed PhantomRPC, that enables local privilege escalation. The flaw allows an attacker to create a rogue RPC server and, by exploiting existing processes with impersonation privileges (such as those running as Local Service or Network Service), elevate their own permissions to SYSTEM. The vulnerability resides in the architectural design of RPC itself, making it potentially exploitable across all Windows versions. The researcher has demonstrated five different exploitation paths escalating privileges from various local or network service contexts. 
This issue has been disclosed to Microsoft, but a patch has not yet been released. Due to the fundamental nature of the vulnerability, the number of potential attack vectors is effectively unlimited.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system with low privileges.</li>
<li>The attacker identifies a service running with <code>SeImpersonatePrivilege</code>, such as Local Service or Network Service.</li>
<li>The attacker crafts a malicious RPC server application designed to exploit the PhantomRPC vulnerability.</li>
<li>The attacker triggers a connection from the target service (e.g., Group Policy Client service) to the attacker&rsquo;s malicious RPC server via ALPC.</li>
<li>The malicious RPC server uses <code>RpcImpersonateClient</code> API to impersonate the SYSTEM account.</li>
<li>The attacker&rsquo;s malicious RPC server executes code within the security context of the SYSTEM account.</li>
<li>The attacker leverages the elevated privileges to perform arbitrary actions, such as installing malware, creating new accounts, or accessing sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of PhantomRPC allows a low-privileged attacker to gain complete control over the affected system by escalating privileges to SYSTEM. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The vulnerability affects all Windows versions, and given the number of potential attack vectors, it poses a significant risk to a large number of systems. While the exact number of potential victims remains unknown, the widespread use of RPC in Windows makes this a highly critical issue.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor for the creation of suspicious ALPC ports, especially those targeting services with <code>SeImpersonatePrivilege</code>. Use the Sigma rule <code>Detect Suspicious ALPC Port Creation</code> to identify potential exploitation attempts.</li>
<li>Monitor for processes calling the <code>RpcImpersonateClient</code> API, especially those originating from unusual or untrusted processes. Use the Sigma rule <code>Detect RpcImpersonateClient API Call from Unusual Process</code> to identify potential exploitation attempts.</li>
<li>Restrict access to services with <code>SeImpersonatePrivilege</code> where possible, limiting the potential attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>privilege-escalation</category><category>rpc</category><category>windows</category></item><item><title>CVE-2026-26183 Windows RPC API Local Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-04-windows-rpc-privesc/</link><pubDate>Tue, 14 Apr 2026 18:26:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-windows-rpc-privesc/</guid><description>CVE-2026-26183 allows a locally authenticated attacker to escalate privileges due to improper access control within the Windows RPC API.</description><content:encoded><![CDATA[<p>CVE-2026-26183 is a vulnerability in the Windows RPC API that enables a local attacker with existing authorized access to elevate their privileges. This improper access control issue poses a significant risk as it allows a malicious actor to gain higher-level permissions on a compromised system. The vulnerability, reported on April 14, 2026, affects the Windows operating system. An attacker could potentially leverage this vulnerability to perform actions such as installing software, modifying data, or creating new accounts with full user rights, ultimately gaining complete control over the affected system. Microsoft has released a patch to address this vulnerability, and immediate patching is strongly recommended.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system with limited privileges via legitimate means, such as compromised credentials.</li>
<li>The attacker identifies the presence of CVE-2026-26183 in the Windows RPC API.</li>
<li>The attacker crafts a malicious RPC request designed to exploit the improper access control.</li>
<li>The attacker executes the crafted RPC request, targeting a vulnerable function within the Windows RPC API.</li>
<li>Due to the lack of proper access control checks, the RPC API processes the request with elevated privileges.</li>
<li>The attacker uses the elevated privileges to modify system configurations, install malicious software, or create new accounts with administrator rights.</li>
<li>The attacker escalates their privileges from a limited user to a system administrator.</li>
<li>The attacker now has full control of the system and can perform any desired actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-26183 can lead to complete system compromise. A local attacker can escalate their privileges to the highest level, allowing them to perform any action on the system. This could result in data theft, installation of malware, or denial of service. Given the widespread use of Windows, a successful exploit could affect a large number of systems if left unpatched.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update released by Microsoft to patch CVE-2026-26183 on all affected Windows systems immediately. Refer to the Microsoft advisory [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26183].</li>
<li>Implement the provided Sigma rule to detect suspicious process creation events that might indicate exploitation attempts.</li>
<li>Monitor system logs for unusual RPC activity, especially originating from low-privileged accounts, and correlate with other suspicious events to identify potential exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>windows</category><category>rpc</category></item><item><title>Detecting External RPC Traffic for Initial Access</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-rpc-from-internet/</link><pubDate>Tue, 09 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-rpc-from-internet/</guid><description>This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from the internet, a common initial access vector, by monitoring network connections to TCP port 135 and filtering known internal IP ranges.</description><content:encoded><![CDATA[<p>This detection rule identifies RPC traffic originating from the internet, which can indicate malicious activity. RPC is used for remote system administration and resource sharing but should rarely be exposed to the internet. Threat actors frequently target RPC for initial access or as a backdoor. This rule analyzes network traffic, specifically looking for TCP connections to port 135 (a common RPC port) originating from outside the internal network. The rule aims to detect unauthorized attempts to access or control systems via RPC from external sources, enhancing network security and preventing potential breaches. The rule was last updated on 2026-04-24.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker scans the internet for systems with exposed RPC services on TCP port 135.</li>
<li>The attacker establishes a TCP connection to the target system&rsquo;s port 135.</li>
<li>The attacker attempts to negotiate an RPC connection, potentially exploiting vulnerabilities in the RPC service.</li>
<li>Successful exploitation allows the attacker to execute commands remotely on the target system.</li>
<li>The attacker uses the compromised system to perform reconnaissance, gathering information about the internal network.</li>
<li>The attacker attempts lateral movement to other systems within the network, using the initial foothold.</li>
<li>The attacker installs malware or creates a backdoor for persistent access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of exposed RPC services can lead to complete system compromise, allowing attackers to execute arbitrary commands, install malware, and steal sensitive data. This can result in data breaches, financial loss, and reputational damage. The rule aims to prevent attackers from gaining initial access to internal systems, mitigating the risk of wider network compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect RPC from Internet&rdquo; to your SIEM to identify potentially malicious connections to port 135.</li>
<li>Review and harden systems that provide RPC services to ensure they are not directly exposed to the internet, as detected by the rule &ldquo;Detect RPC from Internet&rdquo;.</li>
<li>Enforce network segmentation to limit the exposure of critical systems and services, preventing RPC services from being accessible from the Internet (reference: note section in the rule).</li>
<li>Investigate any alerts generated by the Sigma rule by examining the source and destination IP addresses and related network traffic logs (reference: note section in the rule).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>initial-access</category><category>network</category><category>rpc</category></item><item><title>Detecting RPC Traffic to the Internet</title><link>https://feed.craftedsignal.io/briefs/2024-01-rpc-internet-access/</link><pubDate>Wed, 03 Jan 2024 14:27:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rpc-internet-access/</guid><description>This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.</description><content:encoded><![CDATA[<p>The Remote Procedure Call (RPC) protocol, while essential for legitimate system administration tasks such as remote maintenance and resource sharing within internal networks, poses a significant security risk when exposed to the internet. Threat actors frequently target and exploit RPC services as an initial access vector or to establish backdoors within compromised systems. This exposure allows attackers to remotely execute commands, move laterally within the network, and potentially exfiltrate sensitive data. This brief provides detection strategies to identify such anomalous RPC traffic, enabling security teams to proactively mitigate potential threats. The detection focuses on identifying TCP traffic to port 135 from internal IP ranges to external IP addresses.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises a host within the internal network, potentially through phishing or exploiting a vulnerability.</li>
<li>The compromised host initiates an RPC connection to an external IP address on TCP port 135.</li>
<li>The attacker uses the RPC connection to enumerate network resources and identify potential targets for lateral movement.</li>
<li>Using the RPC connection, the attacker attempts to authenticate to other systems within the network.</li>
<li>Upon successful authentication, the attacker remotely executes commands on the target system via RPC.</li>
<li>The attacker installs malware or a backdoor on the target system for persistence.</li>
<li>The attacker leverages the established foothold to further propagate within the network, compromising additional systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of RPC services exposed to the internet can lead to a complete compromise of the internal network. Attackers can gain initial access, move laterally, exfiltrate sensitive data, deploy ransomware, or disrupt critical business operations. A single exposed RPC service can serve as a gateway for widespread damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the provided Sigma rule to detect RPC traffic from internal IP ranges to external destinations on TCP port 135, focusing on network traffic logs.</li>
<li>Investigate any alerts generated by the Sigma rule, prioritizing systems exhibiting suspicious RPC activity (Sigma rule, logsource: network_connection).</li>
<li>Ensure that RPC services are not directly exposed to the internet. Implement firewall rules to restrict access to authorized internal IP ranges only.</li>
<li>Continuously monitor network traffic for anomalous RPC activity and correlate with other security events (logsource: network_connection).</li>
<li>Review and update firewall configurations to block unauthorized outbound connections on port 135 (logsource: firewall).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>network-traffic</category><category>initial-access</category><category>lateral-movement</category><category>rpc</category></item><item><title>Remote Registry Lateral Movement via RPC Firewall</title><link>https://feed.craftedsignal.io/briefs/2024-01-remote-registry-lateral-movement/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-remote-registry-lateral-movement/</guid><description>This brief details detection of lateral movement attempts using remote RPC calls to modify the registry, potentially leading to code execution, detected via RPC Firewall logs.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting lateral movement attempts that leverage remote procedure calls (RPC) to modify registry keys on target systems. The technique abuses the remote registry protocol to achieve persistence or execute arbitrary code. Defenders can use RPC Firewall logs to identify and block this activity, specifically by monitoring for calls to the Registry Remote Protocol (MS-RRP) interface with specific operation numbers indicative of registry manipulation. This activity is often associated with post-exploitation phases, where attackers attempt to gain a foothold and expand their control within a network. The RPC Firewall detailed in this brief allows for monitoring and blocking of this behavior.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a system within the network (e.g., through phishing or exploiting a vulnerability).</li>
<li>The attacker discovers accessible target systems on the network.</li>
<li>The attacker attempts to connect to the target system&rsquo;s RPC endpoint for the Remote Registry service (UUID 338cd001-2244-31f1-aaaa-900038001003).</li>
<li>The attacker uses RPC calls with operation numbers 6, 7, 8, 13, 18, 19, 21, 22, 23, or 35 to interact with the registry remotely.</li>
<li>The attacker modifies registry keys related to startup programs or services.</li>
<li>The attacker triggers the execution of malicious code through the modified registry keys, achieving persistence.</li>
<li>The malicious code executes, allowing the attacker to perform actions such as data exfiltration or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to achieve persistence, escalate privileges, and move laterally within the network. This can lead to data theft, system compromise, and disruption of services. If lateral movement succeeds, attackers can gain control over critical assets, leading to significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Install and configure RPC Firewall on all critical systems, auditing RPC calls to the Registry Remote Protocol interface (UUID 338cd001-2244-31f1-aaaa-900038001003) as described in the <code>definition</code> within the <code>logsource</code> section.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect anomalous RPC calls related to registry modification as outlined in the <code>detection</code> section.</li>
<li>Investigate and block any identified malicious RPC connections using RPC Firewall based on the logs generated and reviewed from the deployed Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>lateral-movement</category><category>defense-impairment</category><category>persistence</category><category>rpc</category></item></channel></rss>