
ncacn_http: Microsoft Windows RPC over HTTP 1.0 exploitation

Using lowpriv credentials, bind to lsarpc:

RPC over HTTP wraps DCE/RPC traffic in HTTP requests addressed to an RPC proxy (the rpcproxy.dll ISAPI extension) hosted in IIS. IIS receives the request, establishes a TCP/IP socket with the internal RPC server named in the request, and forwards the data in both directions. This design allows RPC to traverse corporate firewalls that only permit HTTP/HTTPS egress.

The original ncacn_http exploitation was an RPC-level attack carried over the HTTP transport: attackers could send malformed RPC packets over HTTP to trigger a heap overflow. Public exploits targeted port 593 with crafted rpcproxy.dll requests.

Modern Risks and Mitigations

Although many firewalls blocked the traditional ports (135, 139, 445), the ncacn_http protocol allowed the same malformed RPC messages to be tunneled via port 80/443, potentially bypassing perimeter defenses if an RPC proxy was misconfigured or exposed. The control that matters is what the proxy is allowed to connect to: rpcproxy.dll only forwards to the host:port pairs listed in its ValidPorts setting, so an overly broad list, or an endpoint mapper on 593/tcp reachable from outside without the proxy in front, exposes the internal RPC surface to anyone who can reach the web listener.
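One check that follows from this design, as an added example that is not code from the original page: because the inner host:port rides along in the request, the IIS log records which internal RPC endpoints the proxy was asked to open a socket to. The script below parses constructed IIS W3C log lines (not real traffic), recognises RPC over HTTP v1 (RPC_CONNECT) and v2 (RPC_IN_DATA / RPC_OUT_DATA to /rpc/rpcproxy.dll?host:port) requests, extracts the tunnelled target, and flags any target outside an allowlist that stands in for the proxy's own ValidPorts setting. The host names, ports, users and the allowlist are assumptions made for the example.

```python
"""Audit IIS W3C logs for RPC-over-HTTP (ncacn_http) proxy traffic.

Added example, not code from the original page. RPC over HTTP v1 sends
'RPC_CONNECT host:port' to the proxy; v2 sends RPC_IN_DATA / RPC_OUT_DATA
to /rpc/rpcproxy.dll?host:port. Either way the inner RPC server and port
ride along in the request, so the web log shows which internal endpoints
the proxy was asked to open a socket to. The allowlist below stands in
for the proxy's own ValidPorts setting; every host, port, user and log
line here is constructed for the example.
"""
import re

RPC_HTTP_METHODS = {"RPC_CONNECT", "RPC_IN_DATA", "RPC_OUT_DATA"}
TARGET_RE = re.compile(r"^([A-Za-z0-9.\-]+):(\d{1,5})$")

# Column order of the constructed log (the W3C #Fields directive).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Assumed allowlist: the Exchange back-end endpoints this proxy is meant to reach.
ALLOWED_TARGETS = {("mail01.corp.example", 6001),
                   ("mail01.corp.example", 6002),
                   ("mail01.corp.example", 6004)}

# Constructed sample log. The v1 line models the RPC_CONNECT target in cs-uri-stem.
SAMPLE_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200
2024-05-01 10:00:02 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll mail01.corp.example:6001 443 CORP\alice 203.0.113.10 MSRPC 200
2024-05-01 10:00:03 10.0.0.5 RPC_OUT_DATA /rpc/rpcproxy.dll mail01.corp.example:6001 443 CORP\alice 203.0.113.10 MSRPC 200
2024-05-01 10:00:09 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll dc01.corp.example:135 443 CORP\lowpriv 198.51.100.7 MSRPC 200
2024-05-01 10:00:10 10.0.0.5 RPC_CONNECT dc01.corp.example:593 - 80 - 198.51.100.7 - 200
2024-05-01 10:00:11 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll dc01.corp.example:135 443 CORP\lowpriv 198.51.100.7 MSRPC 403
"""


def parse_iis_line(line):
    """Parse one W3C log line into a dict; None for directives, blanks or short rows."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def tunnel_target(rec):
    """Return (host, port) the proxy was asked to reach, or None if the record
    is not an RPC-over-HTTP request."""
    method = rec["cs-method"]
    if method not in RPC_HTTP_METHODS:
        return None
    # v2 carries host:port in the query string; v1 (RPC_CONNECT) in the request target.
    candidate = rec["cs-uri-stem"] if method == "RPC_CONNECT" else rec["cs-uri-query"]
    m = TARGET_RE.match(candidate)
    if not m:
        return None
    return m.group(1).lower(), int(m.group(2))


def audit(log_text, allowed_targets):
    """One finding per RPC-over-HTTP request whose inner target is not allowlisted.
    'proxied' is True when IIS answered 2xx, i.e. the proxy really opened the
    socket; any other status means the request was refused and is only a probe."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        target = tunnel_target(rec)
        if target is None or target in allowed_targets:
            continue
        findings.append({
            "time": rec["time"],
            "client": rec["c-ip"],
            "user": rec["cs-username"],
            "method": rec["cs-method"],
            "target": "%s:%d" % target,
            "proxied": rec["sc-status"].startswith("2"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ALLOWED_TARGETS):
        print("FORWARDED" if f["proxied"] else "refused  ",
              f["time"], f["client"], f["user"], f["method"], f["target"])
```

On the constructed log the script reports three requests aimed at dc01: two forwarded (the endpoint mapper on 135 over v2 and on 593 over v1, both answered 200) and one refused (403). A forwarded request to 135 or 593 through the proxy is exactly the "misconfigured or exposed RPC proxy" case: the firewall saw only HTTPS, but the proxy turned it into a raw RPC connection to a domain controller.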