S0590 NBTscan
NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[1][3][4][2]
| Item | Value |
|---|---|
| ID | S0590 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 17 March 2021 |
| Last Modified | 25 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1046 | Network Service Discovery | NBTscan can be used to scan IP networks.[1][3] |
| enterprise | T1040 | Network Sniffing | NBTscan can dump and print whole packet content.[1][3] |
| enterprise | T1018 | Remote System Discovery | NBTscan can list NetBIOS computer names.[1][3] |
| enterprise | T1016 | System Network Configuration Discovery | NBTscan can be used to collect MAC addresses.[1][3] |
| enterprise | T1033 | System Owner/User Discovery | NBTscan can list active users on the system.[1][3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0087 | APT39 | [2] |
| G1030 | Agrius | Agrius used NBTscan to scan victim networks for existing and accessible hosts.[5] |
| G0135 | BackdoorDiplomacy | [6] |
| G0030 | Lotus Blossom | Lotus Blossom has used NBTscan during operations.[7] |
| G0131 | Tonto Team | [8] |
| G0093 | GALLIUM | [9] |
| G0129 | Mustang Panda | [10][11] |
| G1006 | Earth Lusca | [12] |
| G0010 | Turla | [4] |
| G0027 | Threat Group-3390 | [13][14] |
References
1. Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.
2. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
3. SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.
4. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
5. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
6. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
7. Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
8. Daniel Lunghi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
9. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
10. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
11. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
12. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
13. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
14. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.