Ncacn_http Exploit May 2026

Her hands flew. She isolated the DC’s HTTP listener port, but it was already too late. The exploit had not crashed the system—it was worse. It was silent. Using a crafted ncacn_http sequence, the attacker had tunneled a SchRpcRegisterTask call directly to the Task Scheduler service. No brute force. No malware dropper. Just a native Windows API call wrapped in an allowed web protocol.

Location: Network Deep Packet Inspection Array, Sector 7 ncacn_http exploit

From that night on, Maya pushed for a new rule at every cybersecurity conference she attended: Trust the protocol, not the port. And never, ever trust a wolf that knocks on port 80. If you're looking for a technical walkthrough of this vulnerability for defensive or educational purposes (e.g., how to detect or patch it), I can provide that instead — just let me know. Her hands flew

On the DC, a new scheduled task appeared: \Microsoft\Windows\Update\Orthrus . It would beacon out every 60 minutes over HTTPS, carrying domain credentials harvested from LSASS memory—exfiltrated inside the same allowed HTTP stream. It was silent

“That’s impossible,” she muttered. The company had spent two million dollars locking down SMB, blocking RPC direct ports, even micro-segmenting the domain controllers. But ncacn_http was the wolf in sheep’s clothing. It let RPC masquerade as a normal web request. And if an attacker had figured out how to weaponize it…

NCACN over HTTP. Microsoft’s remote procedure call, wrapped in web traffic to traverse firewalls.

She pulled the source IP. A coffee shop across town. Then the destination. The main Active Directory Primary Domain Controller.