Fancy NTLM Relay

Michael Haag
2 min readSep 6, 2023

In today’s episode of #RabbitHoleWednesday, I stumbled upon this tweet —

— about APT28’s activities. While several points were intriguing, two items particularly caught my eye:

  • The use of a headless browser (which isn’t exactly groundbreaking, but perhaps not widely recognized?).
  • The mention of mockbin sites.

I decided to delve deeper into the Mockbin aspect. Notably, none of the samples referenced in the tweet were available on VT.

However, my exploration on VT led me to a collection, pointing me to another intriguing APT28 PowerShell script:

If you examine the bottom of the CERT UA blog — — , you’ll spot a screenshot of a script bearing a striking resemblance.

On the right…

This particular PowerShell script establishes a local HTTP server leveraging .NET’s HttpListener. It’s designed to set up a byte array for NTLM Type 2 authentication, initiate a hidden process to map a network drive, and continuously listen for HTTP requests. It’s equipped to manage NTLM authentication, either by challenging clients or by routing messages to mockbin[.]org.

Upon closer inspection, I realized the script had been defanged. I fixed it, and you can review my modified version here

I modified it to write to disk + provided the original. Both work.

I noticed a lot of this appears to resemble Inveigh —

I suspect they incorporated enough to make a MVP (minimal viable product) to evade common signatures.

Why low/no scores on VT?

  • Most likely caused by scripts being defanged and not running.
  • No static signatures
  • Not sure 🤷

Additional finds on VT:

This seems pretty limited out there. Pivoting on some of the bytes, I found a bunch of Inveigh on VT.

Happy hunting!



Michael Haag

I write, sometimes, about InfoSec related topics and I love coffee.