PhantomRPC: Unpatched Windows Privilege Escalation Technique Abuses COM Server Activation

Security researchers have disclosed PhantomRPC, an unpatched local privilege escalation (LPE) technique for Windows that abuses the COM server activation mechanism to elevate from a standard user to SYSTEM without triggering the alerts most EDR products raise for memory-corruption exploits. Microsoft has acknowledged the report but has not committed to a patch timeline. Defenders should put mitigating controls in place now; red teams should add the technique to their assessments.

#windows #com #privilege-escalation #lpe #unpatched #red-team #edr-evasion #post-exploitation

Researchers at SafeBreach Labs have publicly disclosed PhantomRPC, a previously undocumented local privilege escalation technique that abuses the Windows COM (Component Object Model) server activation subsystem to elevate from a standard user account to SYSTEM. It does not rely on a memory corruption vulnerability: the execution path consists of legitimate Windows mechanisms that most endpoint detection and response (EDR) tools do not flag. Microsoft has acknowledged the report but has not issued a patch or committed to a remediation timeline.

How PhantomRPC Works

PhantomRPC targets the COM server activation infrastructure, the Windows subsystem responsible for instantiating COM objects when an application requests them. When a process requests activation of a class registered as a LocalServer (a COM server that runs in its own process rather than being loaded into the caller), the request is not satisfied by the calling process itself; it is brokered over RPC by the COM activator service (the DcomLaunch service), which is also the component that starts the server process.

The technique exploits a gap in how the COM activator validates the identity of the requesting process against the security descriptor of the requested class. The researchers construct an activation request that references a particular category of out-of-process COM servers registered to run under SYSTEM-level services, and combine it with a token manipulation step that the activator performs during activation. The result is that the activation launches an attacker-controlled payload in the context of a SYSTEM-level service process. The disclosure, as reported here, does not identify the specific class or request layout involved.

The characteristic that makes PhantomRPC particularly relevant to both defenders and red teams is that its execution path uses only documented Windows API calls. There is no shellcode, no memory corruption, and no kernel-mode component. Signature-based EDR rules that look for memory-exploitation patterns therefore do not fire, and behavioural detection depends on recognising the specific COM activation sequence being abused rather than any generic exploitation primitive.
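The population PhantomRPC draws on is the set of COM classes that activate as a separate process under an identity other than the caller's. The following PowerShell, added here as an example and not taken from the SafeBreach disclosure or its tooling, enumerates every CLSID with a LocalServer32 registration, resolves its AppID, and reports whether the AppID pins a RunAs identity, hosts the server inside a Windows service (LocalService), or carries its own launch/activation ACL. The function name and output fields are this example's own choices; the registry locations (HKCR\CLSID\{clsid}\LocalServer32, HKCR\CLSID\{clsid}\AppID, HKCR\AppID\{appid}) are standard Windows COM registration.

```powershell
# Added example for this article (not SafeBreach's tooling): audit the local
# out-of-process COM attack surface. The specific class PhantomRPC abuses is
# not published; this lists the set a red team would triage and a defender
# would baseline against a known-good host.

function Get-OutOfProcComServer {
    [CmdletBinding()]
    param(
        # Return only servers whose AppID pins an identity (RunAs) or hosts the
        # server in a service (LocalService), i.e. where activation by a
        # low-privileged caller results in code running as someone else.
        [switch]$FixedIdentityOnly
    )

    $clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsidKey = $_
        $local = Get-ItemProperty -Path "$($clsidKey.PSPath)\LocalServer32" -ErrorAction SilentlyContinue
        if (-not $local) { return }        # in-process server, or not a server at all

        $appId = (Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue).AppID
        $runAs = $null; $service = $null; $hasLaunchAcl = $false
        if ($appId) {
            $appKey = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue
            $runAs        = $appKey.RunAs                        # e.g. 'Interactive User' or an account
            $service      = $appKey.LocalService                 # server is hosted by this service
            $hasLaunchAcl = $null -ne $appKey.LaunchPermission   # per-AppID launch/activation ACL set
        }

        if ($FixedIdentityOnly -and -not $runAs -and -not $service) { return }

        [pscustomobject]@{
            CLSID        = $clsidKey.PSChildName
            Server       = $local.'(default)'   # LocalServer32 default value: the executable path
            AppID        = $appId
            RunAs        = $runAs
            LocalService = $service
            HasLaunchAcl = $hasLaunchAcl
        }
    }
}

# Usage: list out-of-process servers that run as a fixed identity or inside a
# service. Export the result and diff it against a clean reference build.
Get-OutOfProcComServer -FixedIdentityOnly |
    Sort-Object LocalService, RunAs |
    Format-Table CLSID, LocalService, RunAs, HasLaunchAcl, Server -AutoSize
```

Rows with a LocalService value are servers the activator starts by launching a Windows service, which is the category the article describes as "registered to SYSTEM-level services"; rows without a per-AppID LaunchPermission fall back to the machine-wide DCOM launch and activation limits, so those are the first ones to review when tightening COM hardening. Enumerating HKCR\CLSID takes a few seconds on a typical host.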

Affected Windows Versions

PhantomRPC has been confirmed to work on:

  • Windows 10 (all versions through current)
  • Windows 11 (all versions)
  • Windows Server 2019, 2022, 2025

The technique does not work on systems running in S mode (Windows 10 S/11 S) due to AppContainer restrictions on COM activation. It is also blocked by strict application control policies (WDAC in full enforcement mode) that prevent loading of the required COM server components.

Relevance for Red Teams and Defenders

PhantomRPC does not enable remote exploitation: it requires the attacker to already have local code execution as a standard user. In a penetration testing or red team context, that makes it a post-exploitation privilege escalation technique for use after phishing, web application exploitation, or credential abuse has provided initial access.

For blue teams, the disclosure highlights a class of COM-based privilege escalation techniques that EDR vendors have not historically prioritised detection for. Published and community-contributed detection logic for PhantomRPC specifically is emerging, but generic COM-based LPE detection is not standard across most enterprise EDR configurations.

Red team relevance:

  • Suitable for use after gaining standard user code execution via phishing or initial access payloads
  • Does not require elevated privileges, special group membership, or vulnerable software beyond Windows itself
  • Execution chain is sufficiently distinct from known EoP exploits that threat intelligence overlap with existing detections is low

Defender mitigations (until a patch is available):

  • Enable and enforce Windows Defender Application Control (WDAC): a WDAC policy in full enforcement mode blocks the COM server loading step that PhantomRPC requires, which makes it the most effective current mitigation. Audit mode does not block anything; the policy must be enforced.
  • Apply Microsoft's COM hardening settings: the COM infrastructure exposes Group Policy and registry settings that restrict out-of-process COM server instantiation (for example, the machine-wide Launch and Activation Permissions limits configured through Component Services, dcomcnfg). Consult Microsoft's COM security hardening documentation for the relevant keys and test changes in a pilot group first, since over-restricting DCOM breaks legitimate applications.
  • Deploy EDR behavioural rules for anomalous COM activation patterns: ask your EDR vendor whether PhantomRPC-specific detection logic is available. As of publication, several major EDR vendors have said rules are in development.
  • Monitor for unusual SYSTEM process spawning: process creation events where a SYSTEM-level parent spawns an unexpected child are visible in Windows Security event 4688 and Sysmon event 1. Review whether your SIEM currently covers this parent-child pattern, in particular children of the DcomLaunch service host, which is the process that starts out-of-process COM servers.
  • Include PhantomRPC in penetration testing scope: add the technique to your internal penetration testing and red team assessment scope to verify whether your defensive controls would detect a real attacker using it.
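The fourth mitigation above, monitoring for a SYSTEM-level parent launching an unexpected child, can be expressed as a small rule over Sysmon Event ID 1 records. The PowerShell below is an added example for this article, not a rule published by any EDR vendor or by the researchers. It flags process creations whose parent is the DcomLaunch svchost, whose child runs as SYSTEM, and whose child image is outside a baseline of expected COM host binaries. The baseline list, the function names and the three sample records are constructed for the example; build your real baseline from a clean host and feed it live Sysmon records.

```powershell
# Added example for this article (not a vendor detection rule). Flags SYSTEM
# processes spawned by the DcomLaunch service host (the launcher of
# out-of-process COM servers) whose image is not an expected COM host binary.

# Assumed baseline: expected direct children of the DcomLaunch svchost. Derive
# the real list from a clean reference host before deploying.
$ExpectedDcomLaunchChildren = @(
    'C:\Windows\System32\dllhost.exe',            # COM surrogate for DLL servers
    'C:\Windows\System32\wbem\WmiPrvSE.exe',      # WMI provider host
    'C:\Windows\System32\backgroundTaskHost.exe'
)

# Normalise a Sysmon Event ID 1 record (from Get-WinEvent) into the fields the rule needs.
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Record.TimeCreated
            Image             = $d.Image
            CommandLine       = $d.CommandLine
            User              = $d.User
            ParentImage       = $d.ParentImage
            ParentCommandLine = $d.ParentCommandLine
        }
    }
}

# The rule: child runs as SYSTEM, parent is the DcomLaunch svchost, image is off-baseline.
function Find-UnexpectedDcomLaunchChild {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $ProcessEvent,
        [string[]]$Baseline = $ExpectedDcomLaunchChildren
    )
    process {
        $parentIsDcomLaunch = ($ProcessEvent.ParentImage -ieq 'C:\Windows\System32\svchost.exe') -and
                              ($ProcessEvent.ParentCommandLine -imatch '-k\s+DcomLaunch')
        $childIsSystem      = $ProcessEvent.User -ieq 'NT AUTHORITY\SYSTEM'
        $offBaseline        = $Baseline -notcontains $ProcessEvent.Image   # -contains is case-insensitive
        if ($parentIsDcomLaunch -and $childIsSystem -and $offBaseline) {
            [pscustomobject]@{
                TimeCreated = $ProcessEvent.TimeCreated
                Image       = $ProcessEvent.Image
                CommandLine = $ProcessEvent.CommandLine
                Reason      = 'SYSTEM process spawned by DcomLaunch outside the COM host baseline'
            }
        }
    }
}

# Constructed sample records (not real telemetry). On a live host use instead:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
#       ConvertFrom-SysmonProcessCreate | Find-UnexpectedDcomLaunchChild
$svc = 'C:\Windows\System32\svchost.exe'
$sample = @(
    [pscustomobject]@{ TimeCreated = (Get-Date); Image = 'C:\Windows\System32\dllhost.exe'
                       CommandLine = 'dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}'
                       User = 'NT AUTHORITY\SYSTEM'; ParentImage = $svc; ParentCommandLine = "$svc -k DcomLaunch -p" }
    [pscustomobject]@{ TimeCreated = (Get-Date); Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c whoami'
                       User = 'NT AUTHORITY\SYSTEM'; ParentImage = $svc; ParentCommandLine = "$svc -k DcomLaunch -p" }
    [pscustomobject]@{ TimeCreated = (Get-Date); Image = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe'
                       User = 'CORP\alice'; ParentImage = 'C:\Windows\explorer.exe'; ParentCommandLine = 'explorer.exe' }
)
$sample | Find-UnexpectedDcomLaunchChild | Format-Table -AutoSize
```

Against the constructed sample only the cmd.exe record is reported: dllhost.exe is on the baseline, and the notepad.exe record has neither a SYSTEM user nor a DcomLaunch parent. The rule keys on the parent's command line rather than its PID because every svchost shares one image; it therefore needs ParentCommandLine, which Sysmon records in Event ID 1 but Security event 4688 does not. A payload launched by a LocalServer that is itself on the baseline (for example, through a legitimate dllhost.exe surrogate) would not be caught by this single-hop check, so pair it with a review of grandchildren of the baseline hosts.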
