Ncacn_http Exploit

Here is a short story inspired by that concept.

The Silent Port

She pulled the source IP. A coffee shop across town. Then the destination. The main Active Directory Primary Domain Controller.

On the DC, a new scheduled task appeared: \Microsoft\Windows\Update\Orthrus. It would beacon out every 60 minutes over HTTPS, carrying domain credentials harvested from LSASS memory—exfiltrated inside the same allowed HTTP stream.

“That’s impossible,” she muttered. The company had spent two million dollars locking down SMB, blocking RPC direct ports, even micro-segmenting the domain controllers. But ncacn_http was the wolf in sheep’s clothing. It let RPC masquerade as a normal web request. And if an attacker had figured out how to weaponize it…

It wasn't the payload that bothered her. It was the protocol.