1. Home
  2. Software
  3. NBTscan

NBTscan

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[1][2][3][4]

ID: S0590
Type: TOOL
Platforms: Windows, Linux, macOS
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 17 March 2021
Last Modified: 24 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1033 系统所有者/用户发现

NBTscan can list active users on the system.[1][2]

Enterprise T1016 系统网络配置发现

NBTscan can be used to collect MAC addresses.[1][2]

Enterprise T1040 网络嗅探

NBTscan can dump and print whole packet content.[1][2]

Enterprise T1046 网络服务发现

NBTscan can be used to scan IP networks.[1][2]
Enterprise T1018 远程系统发现

NBTscan can list NetBIOS computer names.[1][2]

Groups That Use This Software

ID Name References
G0087 APT39

[4]
G1030 Agrius

Agrius used NBTscan to scan victim networks for existing and accessible hosts.[5]
G0135 BackdoorDiplomacy

[6]
G0131 Tonto Team

[7]
G0093 GALLIUM

[8]
G0129 Mustang Panda

[9]
G1006 Earth Lusca

[10]
G0010 Turla

[3]
G0027 Threat Group-3390

[11][12]

References

  1. Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.
  2. SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.
  3. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  4. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  5. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  6. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  1. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  2. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  3. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  4. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  5. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  6. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.