“with a specific RPC protocol sequence. For instance: ncacn_ip_tcp is used for RPC over TCP. ncacn_np is used for RPC over named pipes. ncalrpc is used for RPC over ALPC. In this research, I focus specifically on Advanced Local Procedure Call (ALPC) as the RPC transport m…”
T1068 Exploitation for Privilege Escalation
91%
“. This can hinder attackers from deploying malicious RPC servers that imitate legitimate endpoints. It is also good practice to reduce the use of the SeImpersonatePrivilege privilege in processes where it is not required. Some system processes need this privilege for normal opera…”
T1055.001 Dynamic-link Library Injection
79%
“that the RPC runtime (rpcrt4.dll) does not provide a mechanism to verify the legitimacy of RPC servers. Moreover, Windows allows another process to deploy an RPC server that exposes the same endpoint as a legitimate service. As a result, this architectural design introduces a …”
T1134.001 Token Impersonation/Theft
79%
“thread to execute under the client’s security context. However, in some situations, a client may not want the server to be able to impersonate its identity. To control this behavior, Windows introduces the concept of an impersonation level. This defines how much authority the c…”
T1068 Exploitation for Privilege Escalation
66%
“-page technical report describing the issue and the various aforementioned exploitation scenarios. The report was submitted to the Microsoft Security Response Center (MSRC) to report the vulnerability and request a fix. Twenty days later, Microsoft responded, indicating that t…”
T1190 Exploit Public-Facing Application
66%
“center (case 101749). - 2025-10-10: MSRC response – the case was assessed as moderate severity, not eligible for a bounty, no CVE was issued, and the case was closed without further tracking. - 2026-04-24: expected whitepaper publication date. Detection and defense as…”
T1566.004 Spearphishing Voice
65%
“As a result, the attacker is able to impersonate the administrator-level client and escalate privileges from Network Service to Administrator. Background services: from WDI to RDP Some background Windows services periodically attempt to make RPC calls to the RDP service withou…”
T1068 Exploitation for Privilege Escalation
64%
“PhantomRPC: a new privilege escalation technique in Windows RPC Intro Windows interprocess communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can f…”
T1068 Exploitation for Privilege Escalation
52%
“that the RPC runtime (rpcrt4.dll) does not provide a mechanism to verify the legitimacy of RPC servers. Moreover, Windows allows another process to deploy an RPC server that exposes the same endpoint as a legitimate service. As a result, this architectural design introduces a …”
T1134.002 Create Process with Token
50%
“thread to execute under the client’s security context. However, in some situations, a client may not want the server to be able to impersonate its identity. To control this behavior, Windows introduces the concept of an impersonation level. This defines how much authority the c…”
T1134.001 Token Impersonation/Theft
39%
“by name, but by a numerical identifier called the operation number (opnum). Depending on the requirements of the call, the request may also contain additional structures, such as security-related information. Impersonation in Windows In Windows, impersonation enables a servic…”
T1566.004 Spearphishing Voice
31%
“malicious RPC server. The attacker’s RPC server is designed to mimic the RPC interface exposed by the Remote Desktop service (TermService). Specifically, it implements the same RPC interface UUID and exposes the same endpoint name: termsrvapi. Once deployed, the malicious se…”
Summary
A Kaspersky researcher discovered a vulnerability in the RPC architecture that enables an attacker to create a fake RPC server and escalate their privileges.