Summary

A newly identified architectural flaw in Windows RPC, called PhantomRPC, allows attackers to escalate privileges to SYSTEM by spoofing unavailable RPC servers. Microsoft has not released a patch, classifying the vulnerability as moderate because it requires existing impersonation privileges.

Take Action:

If you run Windows servers or workstations, enable ETW-based RPC monitoring to detect suspicious RPC_S_SERVER_UNAVAILABLE errors and restrict SeImpersonatePrivilege to only essential service accounts. Also keep services like TermService enabled so attackers can't spoof those unavailable endpoints.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines