MITRE ATT&CK® Tool

S0590: NBTscan

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[1][2][3][4]

Enterprise | S0590 | Tool | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

NBTscan matters because it represents a common post-compromise question: “what else is on this network, who uses it, and what services are exposed?” MITRE describes it as an open source tool used for internal reconnaissance in compromised networks, with relationships to discovery and network-sniffing techniques. For leaders, the risk is not the tool by itself; it is what successful internal reconnaissance enables next—better targeting for lateral movement, credential access opportunities, and prioritization of high-value systems.

Executive priority

Treat NBTscan-style activity as a validation point for segmentation, monitoring, and incident response readiness. Executives should ask whether SOC teams can see internal discovery across Windows, Linux, and macOS environments, whether high-value network zones generate usable evidence when scanned, and whether IR playbooks treat reconnaissance as an early decision point for containment. This is especially relevant for organizations in sectors represented in the related group descriptions, including government, telecom, defense, technology, energy, education, healthcare, financial, and research environments, but local risk should be based on the organization’s own exposure and telemetry.

Technical view

MITRE does not provide a detection analytic for NBTscan, so defenders should map coverage through the linked techniques: System Network Configuration Discovery, Remote System Discovery, System Owner/User Discovery, Network Sniffing, and Network Service Discovery. Validate whether endpoint and network controls can identify unusual internal enumeration from Windows, Linux, and macOS hosts, especially when a non-administrative workstation or unexpected server begins querying multiple internal systems or services. Because NBTscan is open source and may resemble legitimate administration or assessment activity, detection should combine process, command-line, host role, source/destination scope, timing, and change-ticket context rather than rely on tool name alone.

Likely telemetry

  • Endpoint process execution and command-line telemetry on Windows, Linux, and macOS
  • Network connection metadata showing internal host-to-host discovery or scanning patterns
  • DNS, name-resolution, and local network discovery logs where available
  • Firewall, IDS/IPS, NDR, or flow records for east-west traffic
  • Authentication and account activity around the same host and time window

Detection direction

  • Baseline approved vulnerability scanners, administration hosts, and network assessment windows so NBTscan-like behavior from unexpected endpoints is easier to triage.
  • Correlate internal discovery bursts with process execution on the source host; network-only alerts may miss intent, while endpoint-only alerts may miss scan scope.
  • Tune for source role, destination count, subnet coverage, and timing rather than tool name alone because open source tools can be renamed or substituted.
  • Look for relationship-driven context: discovery of remote systems, network services, user/owner information, network configuration details, or sniffing behavior occurring close together.
  • Reduce false positives by checking patch-management, asset-discovery, helpdesk, and security-testing activity before escalating, but require evidence of authorization.
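
As an added example (not part of the Glexia page or of MITRE's S0590 object), the following Python implements the correlation the bullets above describe: it finds per-source bursts of distinct internal destinations inside a time window, measures subnet coverage, checks the source against a baseline of approved scanner hosts, and then looks for a process event on the same host in the same window before assigning a triage severity. The flow records, process events, host addresses, the approved-scanner allowlist, the process image names and the use of UDP/137 in the sample flows are all constructed assumptions for the demonstration; the page itself names no port, command or signature.

```python
"""Correlate east-west discovery bursts with endpoint process telemetry.

Added example, not part of the Glexia page or MITRE's S0590 object. All
sample data below is constructed: the host addresses, the approved-scanner
allowlist, the process names and the use of UDP/137 in the flow records
are assumptions made for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

T0 = datetime(2024, 1, 15, 9, 0, 0)  # constructed reference time


def _flows(src, dsts, start):
    """Build one constructed flow record per destination, one second apart."""
    return [{"ts": start + timedelta(seconds=i), "src": src, "dst": d,
             "proto": "udp", "dport": 137} for i, d in enumerate(dsts)]


# Constructed flow records: an approved scanner, a workstation sweeping two
# subnets, a server with network evidence only, and a host with normal traffic.
FLOWS = (
    _flows("10.0.5.10", [f"10.0.1.{i}" for i in range(1, 21)], T0)
    + _flows("10.0.7.42", [f"10.0.1.{i}" for i in range(1, 11)]
             + [f"10.0.2.{i}" for i in range(1, 11)], T0 + timedelta(minutes=30))
    + _flows("10.0.8.8", [f"10.0.3.{i}" for i in range(1, 13)], T0 + timedelta(hours=1))
    + _flows("10.0.9.5", ["10.0.1.5", "10.0.1.6", "10.0.1.7"], T0 + timedelta(hours=2))
)

# Constructed endpoint process events (image names are hypothetical).
PROCESS_EVENTS = [
    {"ts": T0 - timedelta(seconds=5), "host": "10.0.5.10", "user": "svc_scan",
     "image": "scanner.exe", "cmdline": "scanner.exe --discovery"},
    {"ts": T0 + timedelta(minutes=29, seconds=50), "host": "10.0.7.42",
     "user": "jdoe", "image": "netutil.exe",
     "cmdline": "netutil.exe 10.0.1.0/24 10.0.2.0/24"},
]

# Constructed baseline: hosts whose internal scanning is expected.
APPROVED_SCANNERS = {"10.0.5.10"}


def find_discovery_bursts(flows, window=timedelta(minutes=5), min_targets=8):
    """Return per-source bursts where one host reaches many distinct
    destinations inside `window`. No port or tool-name filter is applied:
    destination count, subnet coverage and timing drive the decision."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    bursts = []
    for src, items in by_src.items():
        items.sort(key=lambda f: f["ts"])
        i = 0
        while i < len(items):
            j = i
            while j < len(items) and items[j]["ts"] - items[i]["ts"] <= window:
                j += 1
            targets = {f["dst"] for f in items[i:j]}
            if len(targets) >= min_targets:
                subnets = {str(ip_network(f"{d}/24", strict=False)) for d in targets}
                bursts.append({"src": src, "first": items[i]["ts"],
                               "last": items[j - 1]["ts"],
                               "targets": sorted(targets),
                               "subnets": sorted(subnets)})
            i = j
    return bursts


def correlate(bursts, process_events, approved, lookback=timedelta(minutes=2)):
    """Attach endpoint context and a triage severity to each burst."""
    findings = []
    for b in bursts:
        proc = next((p for p in process_events if p["host"] == b["src"]
                     and b["first"] - lookback <= p["ts"] <= b["last"]), None)
        if b["src"] in approved:
            severity, reason = "info", "baselined scanner host; confirm the assessment window"
        elif proc is not None:
            severity, reason = "high", f"endpoint corroborated: {proc['image']} run by {proc['user']}"
        else:
            severity, reason = "medium", "network evidence only; pull endpoint telemetry for the source"
        findings.append({"src": b["src"], "severity": severity, "reason": reason,
                         "target_count": len(b["targets"]), "subnets": b["subnets"],
                         "cmdline": proc["cmdline"] if proc else None})
    return findings


if __name__ == "__main__":
    for f in correlate(find_discovery_bursts(FLOWS), PROCESS_EVENTS, APPROVED_SCANNERS):
        print(f"{f['severity']:6} {f['src']:10} targets={f['target_count']:3} "
              f"subnets={','.join(f['subnets'])} {f['reason']}")
```

The three severity tiers map to the bullets: an approved scanner host is baselined down to informational, a burst with a matching process event on the source host is corroborated from both network and endpoint telemetry, and a burst with no endpoint evidence is left at medium so the analyst knows scan scope but not intent. The host that contacts only three systems never becomes a burst, which is the destination-count threshold doing its job; the thresholds and window are starting points to tune against local east-west baselines.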

Mitigation priorities

  • Maintain accurate asset inventory and ownership so internal reconnaissance has clear expected and unexpected patterns.
  • Restrict unnecessary east-west visibility through segmentation and firewall policy, especially around sensitive systems and management networks.
  • Limit local administrative privileges and unnecessary tooling on endpoints to reduce the value of a compromised host used for reconnaissance.
  • Ensure endpoint and network logging are enabled before an incident; MITRE provides no built-in detection guidance for this tool.
  • Define IR playbook actions for internal discovery, including source-host isolation criteria, credential review, and scoping of contacted systems.

Analyst notes and limits

The supplied relationship context links NBTscan to multiple espionage and state-associated groups, but this should be used for threat-informed prioritization, not as proof of attribution in any local event. A local detection of NBTscan or similar behavior should be investigated based on host context, authorization, scope of internal enumeration, and adjacent activity.

MITRE’s object provides a short description and relationships but no official detection text, no aliases, and no tactics listed directly on the tool object. Any specific protocol, command, or signature-level guidance should be validated against local telemetry and the cited external references before operational use.

Official MITRE ATT&CK definition

NBTscan

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[1][2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1033 | System Owner/User Discovery | NBTscan can list active users on the system. [1][2]
Enterprise | T1016 | System Network Configuration Discovery | NBTscan can be used to collect MAC addresses. [1][2]
Enterprise | T1040 | Network Sniffing | NBTscan can dump and print whole packet content. [1][2]
Enterprise | T1046 | Network Service Discovery | NBTscan can be used to scan IP networks. [1][2]
Enterprise | T1018 | Remote System Discovery | NBTscan can list NetBIOS computer names. [1][2]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0087: APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]

Group Enterprise

G1030: Agrius

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.[1][2] Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).[3]

Group Enterprise

G0131: Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]

Group Enterprise

G0093: GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]

Group Enterprise

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.[1][2][3][4][5][6][7][8][9][10][11][12][13]

Group Enterprise

G1006: Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.[1]

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess that Earth Lusca's techniques and infrastructure are separate.[1]

Group Enterprise

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Group Enterprise

G0027: Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7df831f02d4138ab...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 7df831f02d41…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Debian nbtscan Nov 2019: Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.
  2. SecTools nbtscan June 2003: SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.
  3. Symantec Waterbug Jun 2019: Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  4. FireEye APT39 Jan 2019: Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  5. mitre-attack S0590.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.