S0590 NBTscan

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.¹²³⁴

Techniques Used

Domain	ID	Name	Use
enterprise	T1046	Network Service Discovery	NBTscan can be used to scan IP networks.¹²
enterprise	T1040	Network Sniffing	NBTscan can dump and print whole packet content.¹²
enterprise	T1018	Remote System Discovery	NBTscan can list NetBIOS computer names.¹²
enterprise	T1016	System Network Configuration Discovery	NBTscan can be used to collect MAC addresses.¹²
enterprise	T1033	System Owner/User Discovery	NBTscan can list active users on the system.¹²

Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021. ↩↩↩↩↩↩
SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021. ↩↩↩↩↩↩
Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. ↩↩
Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. ↩↩
Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. ↩
Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021. ↩
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. ↩
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. ↩
Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. ↩
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. ↩
Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 ↩