nbtstat.exe

  • File Path: C:\Windows\system32\nbtstat.exe
  • Description: TCP/IP NetBios Information

Hashes

Type Hash
MD5 4D2930FE4EC73273FADB62A397E0C71C
SHA1 C9CBE229813163AE626925A27BFD101E25E3FA51
SHA256 28C46C4EE53050720E06C4BB0D1F64AEF651438E3A712398D488426355A330C7
SHA384 132F4BE41D7E5AF30E000AF8BAEF6865DBBC8FF41196177157E3AE347A60AC87B3A344EADBA3D4100485F6F49FD4B84A
SHA512 C3087515F715649B9C9C9C3BF250CCE1B40B315FD38EAA60851E364747F50E7130A1E2596681206B330C6A1BB1103A5377475C1412EEA01D5818F2006408A644
SSDEEP 384:eCli1f2vdVdViTxC06n9RllSNnNgwFI7JWWarW:eCi1+vTdIc0YPeNnNgQ
IMP 207F3D1F113DEB58D9E4C6ACA8E0FA3F
PESHA1 4E9D1798E8561F3701A0F7A2760BA08C220FBFB8
PE256 B413E6AF7D7BB44DD7D63BB1414753184EAF963CCBF32DCF2C9C50F5E72957DB

Runtime Data

Usage (stderr):


Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refresh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: nbtinfo.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/28c46c4ee53050720e06c4bb0d1f64aef651438e3a712398d488426355a330c7/detection/

Possible Misuse

The following table contains possible examples of nbtstat.exe being misused. While nbtstat.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_multiple_suspicious_cli.yml - nbtstat.exe DRL 1.0
sigma proc_creation_win_susp_commands_recon_activity.yml - nbtstat DRL 1.0
sigma proc_creation_win_susp_network_command.yml - 'nbtstat -n' DRL 1.0
malware-ioc misp_invisimole.json "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", © ESET 2014-2018
atomic-red-team T1016.md <blockquote>Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. MIT License. © 2018 Red Canary
atomic-red-team T1016.md nbtstat -n MIT License. © 2018 Red Canary
signature-base apt_terracotta.yar $s3 = “\nbtstat.exe” fullword ascii CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $ = “nbtstat” CC BY-NC 4.0
stockpile 14a21534-350f-4d83-9dd7-3c56b93a0c17.yml nbtstat -n Apache-2.0
stockpile 14a21534-350f-4d83-9dd7-3c56b93a0c17.yml plugins.stockpile.app.parsers.nbtstat: Apache-2.0
stockpile fdf8bf36-797f-4157-805b-fe7c1c6fc903.yml nbtstat -A #{remote.host.ip} Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

nbtstat

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. This command also allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, this command displays Help information.

This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

Syntax

nbtstat [/a <remotename>] [/A <IPaddress>] [/c] [/n] [/r] [/R] [/RR] [/s] [/S] [<interval>]
Parameters
Parameter Description
/a <remotename> Displays the NetBIOS name table of a remote computer, where remotename is the NetBIOS computer name of the remote computer. The NetBIOS name table is the list of NetBIOS names that corresponds to NetBIOS applications running on that computer.
/A <IPaddress> Displays the NetBIOS name table of a remote computer, specified by the IP address (in dotted decimal notation) of the remote computer.
/c Displays the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses.
/n Displays the NetBIOS name table of the local computer. The status of registered indicates that the name is registered either by broadcast or with a WINS server.
/r Displays NetBIOS name resolution statistics.
/R Purges the contents of the NetBIOS name cache and then reloads the pre-tagged entries from the Lmhosts file.
/RR Releases and then refreshes NetBIOS names for the local computer that is registered with WINS servers.
/s Displays NetBIOS client and server sessions, attempting to convert the destination IP address to a name.
/S Displays NetBIOS client and server sessions, listing the remote computers by destination IP address only.
<interval> Displays selected statistics, pausing the number of seconds specified in interval between each display. Press CTRL+C to stop displaying statistics. If this parameter is omitted, nbtstat prints the current configuration information only once.
/? Displays help at the command prompt.
Remarks

  • The nbtstat command-line parameters are case-sensitive.

  • The column headings generated by the nbtstat command, include:

    Heading Description
    Input The number of bytes received.
    Output The number of bytes sent.
    In/Out Whether the connection is from the computer (outbound) or from another computer to the local computer (inbound).
    Life The remaining time that a name table cache entry will live before it is purged.
    Local Name The local NetBIOS name associated with the connection.
    Remote Host The name or IP address associated with the remote computer.
    <03> The last byte of a NetBIOS name converted to hexadecimal. Each NetBIOS name is 16 characters long. This last byte often has special significance because the same name might be present several times on a computer, differing only in the last byte. For example, <20> is a space in ASCII text.
    type The type of name. A name can either be a unique name or a group name.
    Status Whether the NetBIOS service on the remote computer is running (registered) or a duplicate computer name has registered the same service (Conflict).
    State The state of NetBIOS connections.

  • The possible NetBIOS connection states, include:

    State Description
    Connected A session has been established.
    listening This endpoint is available for an inbound connection.
    Idle This endpoint has been opened but cannot receive connections.
    Connecting A session is in the connecting phase and the name-to-IP address mapping of the destination is being resolved.
    Accepting An inbound session is currently being accepted and will be connected shortly.
    Reconnecting A session is trying to reconnect (it failed to connect on the first attempt).
    Outbound A session is in the connecting phase and the TCP connection is currently being created.
    Inbound An inbound session is in the connecting phase.
    Disconnecting A session is in the process of disconnecting.
    Disconnected The local computer has issued a disconnect and it is waiting for confirmation from the remote system.

Examples

To display the NetBIOS name table of the remote computer with the NetBIOS computer name of CORP07, type:

nbtstat /a CORP07

To display the NetBIOS name table of the remote computer assigned the IP address of 10.0.0.99, type:

nbtstat /A 10.0.0.99

To display the NetBIOS name table of the local computer, type:

nbtstat /n

To display the contents of the local computer NetBIOS name cache, type:

nbtstat /c

To purge the NetBIOS name cache and reload the pre-tagged entries in the local Lmhosts file, type:

nbtstat /R

To release the NetBIOS names registered with the WINS server and re-register them, type:

nbtstat /RR

To display NetBIOS session statistics by IP address every five seconds, type:

nbtstat /S 5

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.