PhantomRPC: Windows RPC Privilege Escalation via Server Impersonation

Security researchers at Kaspersky discovered a fundamental design weakness in how Windows handles internal service communications. PhantomRPC exploits this weakness to let attackers who already have limited access on a system promote themselves to the highest privilege level on any Windows computer, including the latest server versions. Microsoft reviewed the finding and declined to release a fix.

Think of PhantomRPC as setting up a fake front desk in a hotel lobby. When trusted staff come to the desk expecting to hand over their master keys, the impostor collects them and gains access to every room. Because Windows does not verify who is running the desk, this trick works across five different service paths, some requiring no user action at all.

Organizations running any version of Windows face a persistent risk from this unpatched flaw. Attackers who gain even a basic foothold on a system can escalate to full administrative control, enabling credential theft, deeper network access, and exposure of sensitive data. Security teams cannot rely on patching to address this issue and need monitoring strategies to identify exploitation attempts.

Hunting Controls & Observations

Organizations can detect PhantomRPC exploitation attempts through multiple telemetry sources:

  • Endpoint Controls: Event Tracing for Windows (ETW) with RPC provider (Event IDs 1 and 5), Sysmon process creation (Event ID 1), Sysmon named pipe events (Event IDs 17 and 18), EDR/XDR process monitoring, Windows Security Event logs (Event ID 4688 for process creation, Event ID 4672 for special privilege assignment)
  • Identity & Access Controls: SeImpersonatePrivilege auditing, token manipulation event monitoring, Windows Security Event ID 4624 (logon events with impersonation logon types)
  • Service & Configuration Controls: Service availability monitoring for targeted services (TermService, DHCP Client, Windows Time, WDI), RPC endpoint mapper auditing for unexpected server registrations

Behavioral Indicators of Attack

The following behavioral indicators signal potential PhantomRPC exploitation:

  • Rogue RPC Server Registration: An unexpected process registers as an RPC server on well-known service interface UUIDs (e.g., TermService UUID bde95fdf-eee0-45de-9e12-e5a61cd0d4fe), indicating an attempt to intercept legitimate RPC traffic from privileged services.
  • RPC_S_SERVER_UNAVAILABLE Exceptions from Privileged Processes: ETW Event ID 1 (RPC stop) events with status code 0x800706BA (error 1722) from SYSTEM or administrator-context processes indicate RPC calls failing to reach legitimate servers, a precondition for exploitation.
  • Unexpected Privilege Escalation Chains: A process running as Network Service or Local Service suddenly obtains SYSTEM-level access tokens. This privilege boundary violation is a direct indicator of successful PhantomRPC exploitation.
  • Named Pipe Hijacking on Service Endpoints: Creation of named pipes on known service endpoints (e.g., \PIPE\W32TIME) by processes that are not the legitimate Windows Time service. Attackers register these endpoints to intercept RPC calls from privileged callers.
  • Coerced Group Policy Updates: Execution of gpupdate.exe /force from non-standard parent processes or service contexts, used to trigger Group Policy Client (gpsvc) RPC calls that can be intercepted by a fake server.
  • ETW High-Impersonation RPC Events: ETW Event ID 5 (RPC start) entries showing "Impersonate" or "Delegate" impersonation levels from SYSTEM-context callers connecting to unexpected endpoints, indicating the caller is willing to share its full security context.
  • WDI Diagnostic Service Anomalies: The WDI system host service (WdiSystemHost) polling at 5-15 minute intervals and connecting to unexpected or newly registered RPC endpoints instead of its legitimate server. This represents a fully automatic exploitation path requiring no user interaction.

MITRE Enterprise ATT&CK Tactics and Techniques

PhantomRPC maps to the following MITRE ATT&CK techniques, sorted by kill chain phase:

  • Execution (T1559 - Inter-Process Communication): PhantomRPC abuses Windows Remote Procedure Call (RPC), a core inter-process communication mechanism, to redirect legitimate service requests to an attacker-controlled server. The fake server intercepts requests that privileged processes send to unavailable or non-existent RPC endpoints.
  • Execution (T1106 - Native API): The exploitation chain uses native Windows APIs including RpcImpersonateClient and NtAlpcConnectPort to intercept and impersonate RPC connections. These low-level functions enable the attacker to assume the security context of the calling process.
  • Privilege Escalation (T1068 - Exploitation for Privilege Escalation): PhantomRPC exploits an architectural design flaw in the Windows RPC runtime (rpcrt4.dll) where the runtime does not verify the legitimacy of RPC servers. This enables privilege escalation from Network Service or Local Service to SYSTEM across all Windows versions.
  • Privilege Escalation (T1134 - Access Token Manipulation): The attacker uses RpcImpersonateClient to manipulate access tokens, assuming the security context of a more privileged process that connects to the fake RPC server. This enables privilege escalation from service accounts to SYSTEM.
  • Privilege Escalation (T1134.001 - Token Impersonation/Theft): When a SYSTEM-level process connects to the fake RPC server with an impersonation-level security quality of service, the attacker steals the process's token to gain SYSTEM privileges. Exploitation requires the compromised process to hold SeImpersonatePrivilege.

Controls' Observables

Endpoint Controls

Endpoint detection and response platforms, combined with ETW and Sysmon telemetry, provide the strongest detection surface for PhantomRPC exploitation:

  • ETW RPC Exception Monitoring: Monitor ETW Event ID 1 (RPC stop) for status code 0x800706BA from processes running as SYSTEM, Network Service, or Local Service. Cross-correlate with Event ID 5 (RPC start) to identify the full call context including interface UUID and impersonation level.
    Related MITRE Techniques: T1559, T1068
    Detection Difficulty: MODERATE
  • Named Pipe Creation Monitoring: Track creation of named pipes on well-known service endpoints (\PIPE\W32TIME, \RPC Control\W32TIME_ALT, TermSrvApi) by processes other than the legitimate system services (svchost.exe, w32tm.exe).
    Related MITRE Techniques: T1559, T1134
    Detection Difficulty: MODERATE
  • Process Token Anomalies: Detect processes that transition from service account context (Network Service, Local Service) to SYSTEM or administrator tokens through impersonation. This privilege boundary crossing is abnormal outside of expected system operations.
    Related MITRE Techniques: T1134, T1134.001
    Detection Difficulty: HIGH
  • Suspicious Service Interaction Patterns: Monitor for gpupdate.exe /force execution followed by RPC activity to non-standard endpoints, or w32tm.exe and ipconfig.exe execution patterns that coincide with unusual RPC server registrations.
    Related MITRE Techniques: T1068, T1559
    Detection Difficulty: MODERATE

Identity & Access Controls

Identity-focused monitoring targets the privilege assignments and token operations central to PhantomRPC exploitation:

  • SeImpersonatePrivilege Auditing: Monitor which processes hold and exercise SeImpersonatePrivilege. Baseline normal service accounts that require this privilege and alert on unexpected processes using impersonation capabilities.
    Related MITRE Techniques: T1134, T1134.001
    Detection Difficulty: MODERATE
  • Impersonation Token Events: Track Windows Security Event ID 4624 with Logon Type 9 (NewCredentials) or Type 3 (Network) from service accounts that typically do not perform impersonation operations.
    Related MITRE Techniques: T1134.001
    Detection Difficulty: HIGH

Service & Configuration Controls

Monitoring service state and RPC registration activity provides early warning of PhantomRPC setup activity:

  • RPC Server Registration Monitoring: Audit the RPC endpoint mapper for unexpected server registrations on known service interface UUIDs. Compare registered servers against a baseline of legitimate RPC service registrations.
    Related MITRE Techniques: T1559, T1068
    Detection Difficulty: HIGH

Insights and Recommendation

Organizations compromised through PhantomRPC face complete system-level control by attackers who initially hold only service-account privileges. Five distinct exploitation paths provide attackers with flexibility: the Group Policy coercion path allows immediate escalation from Network Service to SYSTEM through a single gpupdate command, while the WDI diagnostic service path provides fully automatic escalation within 5-15 minutes without any user interaction. With SYSTEM access, attackers can extract credentials from memory, modify security configurations, disable protective controls, and establish persistent access across the network.

Security teams should deploy ETW-based monitoring for RPC_S_SERVER_UNAVAILABLE (0x800706BA) errors from privileged process contexts, using Event IDs 1 and 5 from the Windows RPC ETW provider as the primary detection mechanism. Organizations should audit SeImpersonatePrivilege assignments through Group Policy and remove this privilege from service accounts that do not require impersonation for normal operations. Detection engineers should baseline legitimate RPC server registrations and named pipe endpoints across their environment, implementing alerts for new or unexpected registrations on known service interface UUIDs such as the TermService interface (bde95fdf-eee0-45de-9e12-e5a61cd0d4fe). Given that Microsoft has declined to patch this vulnerability, organizations should treat detection and privilege restriction as the only available countermeasures.
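The ETW correlation named above as the primary detection mechanism (and listed under Endpoint Controls as "ETW RPC Exception Monitoring") has no query on this page, so here is an added Python example of it; this is not code from the Securelist research or the KL Security Services toolkit. It assumes the RPC provider's events have already been normalized to JSON lines with the field names used in the constructed sample (EventID, ActivityID, Image, User, InterfaceUuid, Endpoint, ImpersonationLevel, Status); it pairs each stop (Event ID 1) with its start (Event ID 5) by ActivityID, keeps only RPC_S_SERVER_UNAVAILABLE failures from SYSTEM, Network Service or Local Service callers, and ranks those offering Impersonate/Delegate highest.

```python
"""Correlate RPC ETW start (ID 5) / stop (ID 1) events from privileged callers."""
from __future__ import annotations

import json
from dataclasses import dataclass

RPC_S_SERVER_UNAVAILABLE = 0x800706BA  # HRESULT form of Win32 error 1722
KNOWN_INTERFACES = {"bde95fdf-eee0-45de-9e12-e5a61cd0d4fe": "TermService"}
HIGH_IMPERSONATION = {"Impersonate", "Delegate"}
PRIVILEGED_USERS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\NETWORK SERVICE",
    "NT AUTHORITY\\LOCAL SERVICE",
}

# CONSTRUCTED sample telemetry (JSON lines). Field names are an ASSUMED
# normalized pipeline schema, not the RPC provider's own event manifest.
SAMPLE_EVENTS = r"""
{"EventID": 5, "ActivityID": "A1", "Image": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "InterfaceUuid": "bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", "Endpoint": "TermSrvApi", "ImpersonationLevel": "Impersonate"}
{"EventID": 1, "ActivityID": "A1", "Image": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "Status": "0x800706BA"}
{"EventID": 5, "ActivityID": "B2", "Image": "outlook.exe", "User": "CORP\\alice", "InterfaceUuid": "00000000-0000-0000-0000-000000000001", "Endpoint": "pipe_x", "ImpersonationLevel": "Impersonate"}
{"EventID": 1, "ActivityID": "B2", "Image": "outlook.exe", "User": "CORP\\alice", "Status": "0x800706BA"}
{"EventID": 5, "ActivityID": "C3", "Image": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "InterfaceUuid": "bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", "Endpoint": "TermSrvApi", "ImpersonationLevel": "Impersonate"}
{"EventID": 1, "ActivityID": "C3", "Image": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "Status": 0}
{"EventID": 5, "ActivityID": "D4", "Image": "svchost.exe", "User": "NT AUTHORITY\\NETWORK SERVICE", "InterfaceUuid": "00000000-0000-0000-0000-000000000002", "Endpoint": "W32TIME", "ImpersonationLevel": "Identify"}
{"EventID": 1, "ActivityID": "D4", "Image": "svchost.exe", "User": "NT AUTHORITY\\NETWORK SERVICE", "Status": 1722}
{"EventID": 1, "ActivityID": "E5", "Image": "svchost.exe", "User": "NT AUTHORITY\\LOCAL SERVICE", "Status": "0x800706BA"}
"""

def normalize_status(value: int | str) -> int:
    """Accept a bare Win32 code (1722), an HRESULT int, or a hex string."""
    code = int(value, 16) if isinstance(value, str) else int(value)
    if 0 < code < 0x10000:  # bare Win32 error -> HRESULT_FROM_WIN32
        code |= 0x80070000
    return code

@dataclass
class Finding:
    severity: str
    activity_id: str
    image: str
    user: str
    interface: str  # friendly name when the UUID is a known anchor
    endpoint: str
    impersonation: str

def correlate(jsonl: str) -> list[Finding]:
    pending: dict[str, dict] = {}  # ActivityID -> Event ID 5 (start) record
    findings: list[Finding] = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        aid = ev["ActivityID"]
        if ev["EventID"] == 5:
            pending[aid] = ev
            continue
        if ev["EventID"] != 1:
            continue
        start = pending.pop(aid, None)
        if normalize_status(ev["Status"]) != RPC_S_SERVER_UNAVAILABLE:
            continue  # the call reached a real server
        if ev["User"] not in PRIVILEGED_USERS:
            continue  # unprivileged callers are out of scope for this rule
        if start is None:
            # Stop without a matching start (lost/out-of-order): report without context
            findings.append(Finding("LOW", aid, ev["Image"], ev["User"],
                                    "unknown", "unknown", "unknown"))
            continue
        uuid = start["InterfaceUuid"].lower()
        level = start["ImpersonationLevel"]
        # Impersonate/Delegate offered to an unreachable server ranks highest
        severity = "HIGH" if level in HIGH_IMPERSONATION else "MEDIUM"
        findings.append(Finding(severity, aid, start["Image"], start["User"],
                                KNOWN_INTERFACES.get(uuid, uuid),
                                start["Endpoint"], level))
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.activity_id} {f.user}:{f.image} -> {f.interface} ({f.impersonation})")
```

Running it on the sample reports A1 as HIGH (SYSTEM offering Impersonate to the TermService interface), D4 as MEDIUM, and the orphaned stop E5 as LOW, while the user-context failure B2 and the successful call C3 are dropped.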

Source and Credits

This summary is based on Kaspersky/Securelist's research article "PhantomRPC" by Haidar Kabibo, published on April 24, 2026. The research was presented at Black Hat Asia 2026, and a complete detection toolkit including proof-of-concept code is available on the KL Security Services GitHub repository.

Additional context was drawn from Kaspersky's official press release, SecurityWeek's coverage including Microsoft's response statement, and CyberSecurityNews' technical overview.

Threat Hunting IOCs & Queries

Behavioral Detection Anchors

PhantomRPC is an architectural vulnerability in the Windows RPC runtime, not a malware family or campaign with static indicators. Traditional IOCs (file hashes, C2 domains, IP addresses) do not apply. Detection relies entirely on behavioral indicators. The following identifiers serve as detection anchors for the queries below:

  • RPC Interface UUID (TermService): bde95fdf-eee0-45de-9e12-e5a61cd0d4fe
  • ETW Provider GUID (RPC): {6ad52b32-d609-4be9-ae07-ce8dae937e39}
  • RPC Error Code: 0x800706BA (RPC_S_SERVER_UNAVAILABLE / error 1722)
  • Named Pipe (Windows Time): \PIPE\W32TIME
  • ETW Event IDs: 1 (RPC stop), 5 (RPC start)
  • Targeted Services: TermService, gpsvc (Group Policy Client), WdiSystemHost, DHCP Client, W32Time

Query 1: Group Policy Coercion via gpupdate.exe

Behavior Targeted: Detects execution of gpupdate.exe /force, which PhantomRPC uses to coerce the Group Policy Client (gpsvc) into making interceptable RPC calls for privilege escalation from Network Service to SYSTEM.
MITRE ATT&CK: T1068, T1559
Expected Results: Events showing gpupdate.exe /force execution from service account contexts or unexpected parent processes, indicating potential coercion of Group Policy RPC calls.
False Positive Likelihood: MEDIUM - IT administrators and Group Policy management tools routinely execute gpupdate /force.
Detection Difficulty: EASY - Process creation is widely logged across endpoint telemetry platforms.
Tuning Guidance: Add legitimate management tools and scheduled task paths to the parent process exclusion list. Correlate with named pipe creation events on TermSrvApi or Group Policy endpoints for higher confidence.

Splunk SPL Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    earliest=-7d
    Image="*\\gpupdate.exe"
    CommandLine="*/force*"
| eval parent_suspicious=if(
    NOT match(ParentImage, "(?i)(cmd\.exe|powershell\.exe|explorer\.exe|svchost\.exe)"),
    "Yes", "No"
)
| eval user_context=case(
    match(User, "(?i)NETWORK SERVICE"), "Network Service",
    match(User, "(?i)LOCAL SERVICE"), "Local Service",
    match(User, "(?i)SYSTEM"), "SYSTEM",
    1=1, User
)
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen
    by ComputerName, ParentImage, Image, CommandLine, User, user_context, parent_suspicious
| table first_seen, last_seen, ComputerName, ParentImage, Image, CommandLine, User, user_context, parent_suspicious, count
| sort - count

// TUNING: Adjust ParentImage exclusions based on legitimate admin tools in your environment
// TUNING: Add scheduled task or automation tool paths to expected parent processes
// FALSE POSITIVES: Administrators and management tools regularly run gpupdate /force
// CONTEXT: In PhantomRPC exploitation, gpupdate /force coerces the Group Policy Client
//          (gpsvc) into making RPC calls interceptable by a fake server

Microsoft KQL Query (Defender/Sentinel)

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "gpupdate.exe"
| where ProcessCommandLine has "/force"
| extend UserContext = case(
    AccountName has "NETWORK SERVICE", "Network Service",
    AccountName has "LOCAL SERVICE", "Local Service",
    AccountName has "SYSTEM", "SYSTEM",
    AccountName
)
| extend ParentSuspicious = iff(
    InitiatingProcessFileName !in~ ("cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe"),
    "Yes", "No"
)
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
       FileName, ProcessCommandLine, AccountName, UserContext, ParentSuspicious
| project FirstSeen, LastSeen, DeviceName, InitiatingProcessFileName, FileName,
    ProcessCommandLine, AccountName, UserContext, ParentSuspicious, Count
| order by Count desc

// TUNING: Add legitimate management tools to the ParentSuspicious exclusion list
// FALSE POSITIVES: IT administrators and Group Policy management tools routinely execute gpupdate /force
// CONTEXT: PhantomRPC uses gpupdate /force to coerce the Group Policy Client service into making
//          interceptable RPC calls to a fake server for privilege escalation

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.

Query 2: Named Pipe Hijacking on Known Service Endpoints

Behavior Targeted: Detects creation of or connection to named pipes on well-known Windows service RPC endpoints by processes other than the legitimate system services. PhantomRPC requires the attacker to register a fake RPC server on endpoints like \PIPE\W32TIME or TermSrvApi.
MITRE ATT&CK: T1559, T1134
Expected Results: Events showing non-system processes creating or connecting to named pipes reserved for Windows Time, Terminal Services, DHCP Client, or WDI Diagnostic Host services.
False Positive Likelihood: LOW - These named pipes are specific to Windows services; non-service processes creating them is highly unusual.
Detection Difficulty: MODERATE - Requires Sysmon with pipe monitoring enabled (Event IDs 17 and 18).
Tuning Guidance: Add legitimate processes that interact with these pipes to the exclusion filter. Expand PipeName list to include additional RPC service endpoints relevant to your environment.

Splunk SPL Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    (EventCode=17 OR EventCode=18)
    earliest=-7d
    (PipeName="*W32TIME*" OR PipeName="*TermSrvApi*" OR PipeName="*dhcpcsvc*" OR PipeName="*wdiservicehost*")
| search NOT (
    Image="C:\\Windows\\System32\\svchost.exe"
    OR Image="C:\\Windows\\System32\\w32tm.exe"
    OR Image="C:\\Windows\\System32\\lsass.exe"
)
| eval targeted_service=case(
    match(PipeName, "(?i)W32TIME"), "Windows Time Service",
    match(PipeName, "(?i)TermSrvApi"), "Remote Desktop / Terminal Services",
    match(PipeName, "(?i)dhcpcsvc"), "DHCP Client Service",
    match(PipeName, "(?i)wdiservicehost"), "WDI Diagnostic Host",
    1=1, "Unknown Service"
)
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen
    by ComputerName, Image, User, PipeName, EventCode, targeted_service
| table first_seen, last_seen, ComputerName, Image, User, PipeName, EventCode, targeted_service, count
| sort - count

// TUNING: Add legitimate processes that interact with these pipes to the NOT clause
// TUNING: Expand PipeName list to include additional RPC service endpoints
// FALSE POSITIVES: LOW - These named pipes are specific to Windows services
// TELEMETRY: Requires Sysmon with PipeEvent logging enabled (Event IDs 17/18)

Microsoft KQL Query (Defender/Sentinel)

Event
| where TimeGenerated > ago(7d)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID in (17, 18)
| parse EventData with * '<Data Name="PipeName">' PipeName '</Data>' *
| parse EventData with * '<Data Name="Image">' Image '</Data>' *
| parse EventData with * '<Data Name="User">' User '</Data>' *
| where PipeName has_any ("W32TIME", "TermSrvApi", "dhcpcsvc", "wdiservicehost")
| where Image !has "svchost.exe" and Image !has "w32tm.exe" and Image !has "lsass.exe"
| extend TargetedService = case(
    PipeName has "W32TIME", "Windows Time Service",
    PipeName has "TermSrvApi", "Remote Desktop / Terminal Services",
    PipeName has "dhcpcsvc", "DHCP Client Service",
    PipeName has "wdiservicehost", "WDI Diagnostic Host",
    "Unknown Service"
)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, Image, User, PipeName, EventID, TargetedService
| project FirstSeen, LastSeen, Computer, Image, User, PipeName, EventID, TargetedService, Count
| order by Count desc

// TUNING: Add legitimate pipe-accessing processes to the exclusion filter
// FALSE POSITIVES: LOW - Non-system processes should not create these service-specific named pipes
// TELEMETRY: Requires Sysmon with pipe monitoring (Event IDs 17/18) forwarded to Sentinel

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.

Query 3: SeImpersonatePrivilege Assignment Monitoring

Behavior Targeted: Monitors for non-standard accounts receiving SeImpersonatePrivilege, which is a prerequisite for PhantomRPC exploitation. Identifying which accounts hold this privilege helps assess organizational exposure to the vulnerability.
MITRE ATT&CK: T1134, T1134.001
Expected Results: Non-machine and non-default service accounts that have been assigned SeImpersonatePrivilege, prioritized by accounts that also hold SeAssignPrimaryTokenPrivilege (the combination enables full token manipulation).
False Positive Likelihood: MEDIUM - Application service accounts (IIS, SQL Server) and some management tools legitimately hold this privilege.
Detection Difficulty: EASY - Windows Security Event ID 4672 is commonly logged in most environments.
Tuning Guidance: Adjust the count threshold (currently 3) based on your environment's baseline. Add known legitimate service accounts to the exclusion list. The goal is to identify unexpected accounts with impersonation capability.

Splunk SPL Query

index=windows sourcetype="WinEventLog:Security" EventCode=4672
    earliest=-7d
    Privileges="*SeImpersonatePrivilege*"
| search NOT (
    SubjectUserName="*$"
    OR SubjectUserName="SYSTEM"
    OR SubjectUserName="LOCAL SERVICE"
    OR SubjectUserName="NETWORK SERVICE"
)
| eval privilege_risk=if(
    match(Privileges, "SeImpersonatePrivilege") AND match(Privileges, "SeAssignPrimaryTokenPrivilege"),
    "HIGH - Both impersonation privileges", "MEDIUM - Impersonation privilege"
)
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen
    by ComputerName, SubjectUserName, SubjectDomainName, privilege_risk
| where count > 3
| table first_seen, last_seen, ComputerName, SubjectUserName, SubjectDomainName, privilege_risk, count
| sort - count

// TUNING: Adjust count threshold (currently 3) based on baseline activity
// TUNING: Add known service accounts (IIS AppPool, SQL Server) to the NOT clause
// FALSE POSITIVES: Application service accounts legitimately hold SeImpersonatePrivilege
// CONTEXT: SeImpersonatePrivilege is a prerequisite for PhantomRPC exploitation

Microsoft KQL Query (Defender/Sentinel)

SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4672
| where PrivilegeList has "SeImpersonatePrivilege"
| where SubjectUserName !endswith "$"
| where SubjectUserName !in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| extend PrivilegeRisk = iff(
    PrivilegeList has "SeImpersonatePrivilege" and PrivilegeList has "SeAssignPrimaryTokenPrivilege",
    "HIGH - Both impersonation privileges",
    "MEDIUM - Impersonation privilege"
)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, SubjectUserName, SubjectDomainName, PrivilegeRisk
| where Count > 3
| project FirstSeen, LastSeen, Computer, SubjectUserName, SubjectDomainName, PrivilegeRisk, Count
| order by Count desc

// TUNING: Adjust Count threshold (currently 3) based on your environment's baseline
// TUNING: Add known legitimate service accounts to the exclusion list
// FALSE POSITIVES: IIS worker processes and SQL Server service accounts commonly hold this privilege
// CONTEXT: SeImpersonatePrivilege is a prerequisite for PhantomRPC exploitation

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.

Query 4: Windows Time and DHCP Client Exploitation Triggers

Behavior Targeted: Detects execution patterns consistent with PhantomRPC exploitation paths 4 and 5, where w32tm.exe or ipconfig.exe trigger RPC calls to attacker-controlled endpoints. The w32tm.exe path is notable because the \PIPE\W32TIME named pipe does not exist by default, allowing attackers to register a fake endpoint without disabling any service.
MITRE ATT&CK: T1068, T1559
Expected Results: Execution of w32tm.exe with query/resync/stripchart parameters or ipconfig.exe with renew/release parameters, enriched with risk context based on the specific command flags used.
False Positive Likelihood: MEDIUM - Both w32tm.exe and ipconfig.exe have legitimate administrative uses. Risk context from surrounding events is critical for validation.
Detection Difficulty: EASY - Process creation is widely logged; however, correlating with named pipe events for confirmation requires MODERATE effort.
Tuning Guidance: Correlate with Sysmon Event ID 17 (pipe creation) on \PIPE\W32TIME for higher confidence. Cross-reference with DHCP Client service status; if the service is stopped, the ipconfig path becomes exploitable.

Splunk SPL Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    earliest=-7d
    (Image="*\\w32tm.exe" OR Image="*\\ipconfig.exe")
| eval tool_context=case(
    match(Image, "w32tm"), "Windows Time Service query (PhantomRPC Path 5)",
    match(Image, "ipconfig"), "DHCP Client interaction (PhantomRPC Path 4)",
    1=1, "Unknown"
)
| eval risk_indicator=case(
    match(Image, "w32tm") AND match(CommandLine, "(?i)(\/query|\/resync|\/stripchart)"),
    "HIGH - W32Time RPC trigger",
    match(Image, "ipconfig") AND match(CommandLine, "(?i)(\/renew|\/release|\/all)"),
    "MEDIUM - DHCP RPC trigger",
    1=1, "LOW - General usage"
)
| eval risk_rank=case(match(risk_indicator, "^HIGH"), 3, match(risk_indicator, "^MEDIUM"), 2, 1=1, 1)
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen
    by ComputerName, ParentImage, Image, CommandLine, User, tool_context, risk_indicator, risk_rank
| sort - risk_rank, - count
| table first_seen, last_seen, ComputerName, ParentImage, Image, CommandLine, User, tool_context, risk_indicator, count

// TUNING: Correlate with named pipe creation events (Sysmon EventCode 17) on W32TIME pipe
// TUNING: High risk when w32tm.exe executes AND the DHCP Client service is stopped
// FALSE POSITIVES: Both w32tm.exe and ipconfig.exe have legitimate administrative uses
// CONTEXT: In PhantomRPC Path 5, w32tm.exe queries trigger RPC calls to \PIPE\W32TIME,
//          which the attacker registers since the pipe does not exist by default

Microsoft KQL Query (Defender/Sentinel)

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("w32tm.exe", "ipconfig.exe")
| extend ToolContext = case(
    FileName =~ "w32tm.exe", "Windows Time Service query (PhantomRPC Path 5)",
    FileName =~ "ipconfig.exe", "DHCP Client interaction (PhantomRPC Path 4)",
    "Unknown"
)
| extend RiskIndicator = case(
    FileName =~ "w32tm.exe" and ProcessCommandLine has_any ("/query", "/resync", "/stripchart"),
    "HIGH - W32Time RPC trigger",
    FileName =~ "ipconfig.exe" and ProcessCommandLine has_any ("/renew", "/release", "/all"),
    "MEDIUM - DHCP RPC trigger",
    "LOW - General usage"
)
| extend RiskRank = case(RiskIndicator startswith "HIGH", 3, RiskIndicator startswith "MEDIUM", 2, 1)
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine,
       AccountName, ToolContext, RiskIndicator, RiskRank
| order by RiskRank desc, Count desc
| project FirstSeen, LastSeen, DeviceName, InitiatingProcessFileName, FileName,
    ProcessCommandLine, AccountName, ToolContext, RiskIndicator, Count

// TUNING: Correlate with named pipe creation events on \PIPE\W32TIME for higher confidence
// TUNING: Cross-reference with DHCP Client service status (if stopped, ipconfig path is exploitable)
// FALSE POSITIVES: Both tools have legitimate uses; surrounding event context is critical
// CONTEXT: PhantomRPC Path 5 targets w32tm.exe because \PIPE\W32TIME does not exist by default,
//          allowing the attacker to register a fake endpoint without disabling any service

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.