S0102: nbtstat
Analyst context for executives and security teams
nbtstat is a legitimate utility for troubleshooting NetBIOS name resolution, but ATT&CK links it to discovery behavior: collecting network configuration and connection information. For leaders, its significance is not the tool itself; it is whether the organization can tell normal support activity from post-compromise reconnaissance that helps an intruder understand the network.
Executive priority
Treat nbtstat as a low-cost validation point for SOC and incident response readiness. Because ATT&CK relates it to System Network Configuration Discovery and System Network Connections Discovery, and records use by Turla and MirrorFace, security leaders should ask whether command execution, user context, and name-resolution activity are logged well enough to support investigations. Priority should be based on where NetBIOS remains operationally necessary and where discovery activity would affect sensitive networks or business continuity.
Technical view
The ATT&CK object has no platform, tactic, or detection text of its own, so detection engineering should anchor on the related discovery techniques T1016 and T1049. Validate whether executions of nbtstat are captured with command line, parent process, user, host, and timing. Tune detections around unusual users, unusual hosts, execution from non-administrative workflows, repeated discovery across many systems, or proximity to other discovery commands. Because nbtstat is a legitimate troubleshooting utility, avoid treating every execution as malicious on its own.
Likely telemetry
- Process execution events including executable name and command line
- Parent process, child process, user account, host, and session context
- Endpoint or EDR telemetry showing interactive versus scripted execution
- Network or name-resolution telemetry related to NetBIOS activity where collected
- Authentication and remote access context around the same host and user
Detection direction
- Baseline legitimate help desk, administrator, and troubleshooting use before alerting on the utility alone.
- Prioritize alerts where nbtstat appears with other network discovery behavior, especially on sensitive systems or outside normal administration windows.
- Look for suspicious context: uncommon account, unusual parent process, remote session activity, repeated enumeration, or execution shortly after initial access indicators.
- Document blind spots where endpoint command-line logging, EDR coverage, or NetBIOS/name-resolution telemetry is absent.
- Use the Turla and MirrorFace relationships as threat-intelligence context, not as proof of attribution in any local alert.
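The scoring logic described in the technical view and the detection direction above, as an added example that is not part of the original page: it runs over constructed process-creation events and flags nbtstat only when its context is unusual (account outside an assumed troubleshooting baseline, unusual parent process, other T1016/T1049-style discovery commands within a short window, or the same user running it across many hosts). The baseline sets, window, host-spread threshold and sample events are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample process-creation events (Sysmon/EDR style); not real telemetry.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "HD-WS01", "user": "CORP\\helpdesk1",
     "parent": "cmd.exe", "cmd": "nbtstat -n"},
    {"ts": "2024-05-01T13:10:00", "host": "FIN-WS07", "user": "CORP\\jdoe",
     "parent": "powershell.exe", "cmd": "nbtstat -S"},
    {"ts": "2024-05-01T13:10:20", "host": "FIN-WS07", "user": "CORP\\jdoe",
     "parent": "powershell.exe", "cmd": "ipconfig /all"},
    {"ts": "2024-05-01T13:11:05", "host": "FIN-WS07", "user": "CORP\\jdoe",
     "parent": "powershell.exe", "cmd": "netstat -ano"},
    {"ts": "2024-05-01T15:00:00", "host": "HR-WS03", "user": "CORP\\helpdesk1",
     "parent": "cmd.exe", "cmd": "nbtstat -c"},
]
# Assumed local baseline: accounts and parent processes seen in legitimate troubleshooting.
BASELINE_USERS = {"corp\\helpdesk1"}
BASELINE_PARENTS = {"cmd.exe", "explorer.exe"}
# Neighbouring T1016 / T1049 style discovery commands that raise the score.
DISCOVERY = re.compile(r"^(ipconfig|netstat|arp|route|nltest|net\s+(view|use|session))\b", re.I)
WINDOW = timedelta(minutes=5)        # proximity window for "other discovery"
HOST_SPREAD = 3                      # same user running nbtstat on >= this many hosts

def score_nbtstat_events(events):
    """Return (ts, host, user, reasons) for nbtstat runs whose context is unusual."""
    by_host, hosts_per_user = defaultdict(list), defaultdict(set)
    for e in events:
        by_host[e["host"]].append({**e, "t": datetime.fromisoformat(e["ts"])})
        if e["cmd"].lower().startswith("nbtstat"):
            hosts_per_user[e["user"].lower()].add(e["host"])
    findings = []
    for host, evs in by_host.items():
        for e in evs:
            if not e["cmd"].lower().startswith("nbtstat"):
                continue
            reasons = []
            if e["user"].lower() not in BASELINE_USERS:
                reasons.append("user outside troubleshooting baseline")
            if e["parent"].lower() not in BASELINE_PARENTS:
                reasons.append("unusual parent " + e["parent"])
            nearby = [o["cmd"] for o in evs
                      if o is not e and abs(o["t"] - e["t"]) <= WINDOW and DISCOVERY.match(o["cmd"])]
            if nearby:
                reasons.append("other discovery within window: " + ", ".join(nearby))
            if len(hosts_per_user[e["user"].lower()]) >= HOST_SPREAD:
                reasons.append("same user ran nbtstat across many hosts")
            if reasons:
                findings.append((e["ts"], host, e["user"], reasons))
    return findings
```

With the sample data only the FIN-WS07 run is returned; the two help-desk executions fall inside the baseline and have no neighbouring discovery, which is the "tool presence alone is not enough" point the page makes.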
Mitigation priorities
- Inventory where NetBIOS name resolution is still required and reduce unnecessary dependency where business operations allow.
- Ensure endpoint logging and command-line capture are enabled on systems where this utility may exist.
- Restrict administrative troubleshooting paths to approved accounts, managed endpoints, and auditable remote access methods.
- Use segmentation and access controls to limit the value of internal discovery from any single compromised host.
- Prepare IR playbooks to triage legitimate administration versus discovery activity using user, host, parent process, and surrounding events.
Analyst notes and limits
This is a dual-use administrative utility, so the decision value is in context and correlation rather than simple tool presence. The most useful validation exercise is whether SOC analysts can reconstruct who ran nbtstat, from where, why, and what other discovery occurred nearby.
The supplied ATT&CK object is sparse: no official platforms, tactics, aliases, labels, or detection guidance are provided for nbtstat itself. Conclusions are limited to the official description, the Microsoft reference, and relationships to Turla, MirrorFace, T1016, and T1049. Local environment baselines are required before risk or detection coverage can be assessed.
nbtstat
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | nbtstat can be used to discover local NetBIOS domain names. |
| Enterprise | T1049 | System Network Connections Discovery | nbtstat can be used to discover current NetBIOS sessions. |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 256010d011f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft. (n.d.). Nbtstat. TechNet. Retrieved April 17, 2016.
[2] MITRE ATT&CK. S0102: nbtstat.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.