nbtstat.exe
- File Path: C:\windows\system32\nbtstat.exe
- Description: TCP/IP NetBios Information
Hashes
Type | Hash |
---|---|
MD5 | 84A7CBB781FD1D02E8F1CC5E428BF321 |
SHA1 | 6633FAFDA738097DD5EEB90F902D36DC951364DE |
SHA256 | 778CD1EBFDC9FA6457497741DA5431E4DE16F2FAD490ED88ADE6E3BEC16096B1 |
SHA384 | 66F1AEB28A34034021493DDC37BB4BDFF24BA5DC9E43AF92C22BAE9133C5A887D34464FC1E0DF73B34AAFA1720E7726B |
SHA512 | 76D99AE928304BBB51B7E181B3097249963E1B50C83DF155E1C20D52E2F7323E5CF1926023DD1C4A75DF89C4C4CC88E2875F403B8BA3D0F12C631F624DC28C05 |
SSDEEP | 384:3f9uU67jGzIG2Q5s84I8jQwdJBF4RDc+Ii95IQ5an9YWXrW:31uU6OI584IkBAhQT |
Signature
- Status: The file C:\windows\system32\nbtstat.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: nbtinfo.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of nbtstat.exe being misused. While nbtstat.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_multiple_suspicious_cli.yml | - nbtstat.exe | DRL 1.0 |
sigma | proc_creation_win_susp_commands_recon_activity.yml | - nbtstat | DRL 1.0 |
sigma | proc_creation_win_susp_network_command.yml | - 'nbtstat -n' | DRL 1.0 |
malware-ioc | misp_invisimole.json | "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", | © ESET 2014-2018 |
malware-ioc | misp-turla-lightneuron-event.json | "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", | © ESET 2014-2018 |
atomic-red-team | T1016.md | Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | nbtstat -n | MIT License. © 2018 Red Canary |
signature-base | apt_terracotta.yar | $s3 = "\nbtstat.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_suspicious_strings.yar | $ = "nbtstat" | CC BY-NC 4.0 |
stockpile | 14a21534-350f-4d83-9dd7-3c56b93a0c17.yml | nbtstat -n | Apache-2.0 |
stockpile | 14a21534-350f-4d83-9dd7-3c56b93a0c17.yml | plugins.stockpile.app.parsers.nbtstat: | Apache-2.0 |
stockpile | fdf8bf36-797f-4157-805b-fe7c1c6fc903.yml | nbtstat -A #{remote.host.ip} | Apache-2.0 |
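As an added detection sketch (not code from this page, the Sigma project or any other source listed above), the following Python shows in miniature what the process-creation entries in the table look for: nbtstat.exe invocations in command-line telemetry, classified by switch using the parameter meanings documented further down this page. The event records, their field names and the severity ratings are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "cmd.exe", "cmdline": "nbtstat  -n"},
    {"host": "WS01", "parent": "cmd.exe",
     "cmdline": "C:\\Windows\\System32\\nbtstat.exe -A 10.0.0.99"},
    {"host": "WS01", "parent": "cmd.exe", "cmdline": "ipconfig /all"},
    {"host": "WS02", "parent": "explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "WS02", "parent": "powershell.exe", "cmdline": "NBTSTAT.EXE /c"},
]

# The executable name is matched case-insensitively (NBTSTAT.EXE is the same binary),
# but nbtstat's switches are case-sensitive (/a and /A differ), so switch text is kept as-is.
NBTSTAT_RE = re.compile(r'(?:^|[\\/\s"])nbtstat(?:\.exe)?(?=\s|$|")', re.IGNORECASE)
SWITCH_RE = re.compile(r'(?:^|\s)[-/](RR|a|A|c|n|r|R|s|S)(?=\s|$)')

# Meanings taken from the parameter table on this page.
SWITCH_MEANING = {
    "a": "remote name table by NetBIOS name", "A": "remote name table by IP address",
    "c": "local name cache", "n": "local name table", "r": "resolution statistics",
    "R": "purge and reload cache", "RR": "release and refresh WINS names",
    "s": "sessions by name", "S": "sessions by IP address",
}

def classify(cmdline):
    """Return the nbtstat switches in a command line, or None if it is not an nbtstat call."""
    if not NBTSTAT_RE.search(cmdline):
        return None
    return SWITCH_RE.findall(cmdline)

def find_nbtstat_activity(events):
    """Flag every nbtstat invocation; remote lookups (/a, /A) rate higher than local ones."""
    hits = []
    for ev in events:
        switches = classify(ev["cmdline"])
        if switches is None:
            continue
        remote = any(s in ("a", "A") for s in switches)
        hits.append({"host": ev["host"], "parent": ev["parent"], "switches": switches,
                     "meaning": [SWITCH_MEANING.get(s, "unknown") for s in switches],
                     "severity": "high" if remote else "medium"})
    return hits

def hosts_with_repeated_recon(events, threshold=2):
    """Hosts where nbtstat ran >= threshold times (the 'multiple suspicious CLI' pattern above)."""
    counts = Counter(ev["host"] for ev in events if classify(ev["cmdline"]) is not None)
    return sorted(host for host, n in counts.items() if n >= threshold)
```

Real rules should also consider the parent process and what else ran on the host, as the ESET description above notes: a single nbtstat call is weak evidence on its own.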
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
nbtstat
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. This command also allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, this command displays Help information.
This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.
Syntax
nbtstat [/a <remotename>] [/A <IPaddress>] [/c] [/n] [/r] [/R] [/RR] [/s] [/S] [<interval>]
Parameters
Parameter | Description |
---|---|
/a <remotename> | Displays the NetBIOS name table of a remote computer, where remotename is the NetBIOS computer name of the remote computer. The NetBIOS name table is the list of NetBIOS names that corresponds to NetBIOS applications running on that computer. |
/A <IPaddress> | Displays the NetBIOS name table of a remote computer, specified by the IP address (in dotted decimal notation) of the remote computer. |
/c | Displays the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses. |
/n | Displays the NetBIOS name table of the local computer. A status of Registered indicates that the name is registered either by broadcast or with a WINS server. |
/r | Displays NetBIOS name resolution statistics. |
/R | Purges the contents of the NetBIOS name cache and then reloads the pre-tagged entries from the Lmhosts file. |
/RR | Releases and then refreshes NetBIOS names for the local computer that is registered with WINS servers. |
/s | Displays NetBIOS client and server sessions, attempting to convert the destination IP address to a name. |
/S | Displays NetBIOS client and server sessions, listing the remote computers by destination IP address only. |
<interval> | Displays selected statistics, pausing the number of seconds specified in interval between each display. Press CTRL+C to stop displaying statistics. If this parameter is omitted, nbtstat prints the current configuration information only once. |
/? | Displays help at the command prompt. |
Remarks
- The nbtstat command-line parameters are case-sensitive.
- The column headings generated by the nbtstat command include:
Heading | Description |
---|---|
Input | The number of bytes received. |
Output | The number of bytes sent. |
In/Out | Whether the connection is from the computer (outbound) or from another computer to the local computer (inbound). |
Life | The remaining time that a name table cache entry will live before it is purged. |
Local Name | The local NetBIOS name associated with the connection. |
Remote Host | The name or IP address associated with the remote computer. |
<03> | The last byte of a NetBIOS name converted to hexadecimal. Each NetBIOS name is 16 characters long. This last byte often has special significance because the same name might be present several times on a computer, differing only in the last byte. For example, <20> is a space in ASCII text. |
Type | The type of name. A name can either be a unique name or a group name. |
Status | Whether the NetBIOS service on the remote computer is running (registered) or a duplicate computer name has registered the same service (Conflict). |
State | The state of NetBIOS connections. |
- The possible NetBIOS connection states include:
State | Description |
---|---|
Connected | A session has been established. |
Listening | This endpoint is available for an inbound connection. |
Idle | This endpoint has been opened but cannot receive connections. |
Connecting | A session is in the connecting phase and the name-to-IP address mapping of the destination is being resolved. |
Accepting | An inbound session is currently being accepted and will be connected shortly. |
Reconnecting | A session is trying to reconnect (it failed to connect on the first attempt). |
Outbound | A session is in the connecting phase and the TCP connection is currently being created. |
Inbound | An inbound session is in the connecting phase. |
Disconnecting | A session is in the process of disconnecting. |
Disconnected | The local computer has issued a disconnect and it is waiting for confirmation from the remote system. |
Examples
To display the NetBIOS name table of the remote computer with the NetBIOS computer name of CORP07, type:
nbtstat /a CORP07
To display the NetBIOS name table of the remote computer assigned the IP address of 10.0.0.99, type:
nbtstat /A 10.0.0.99
To display the NetBIOS name table of the local computer, type:
nbtstat /n
To display the contents of the local computer NetBIOS name cache, type:
nbtstat /c
To purge the NetBIOS name cache and reload the pre-tagged entries in the local Lmhosts file, type:
nbtstat /R
To release the NetBIOS names registered with the WINS server and re-register them, type:
nbtstat /RR
To display NetBIOS session statistics by IP address every five seconds, type:
nbtstat /S 5
MIT License. Copyright (c) 2020-2021 Strontic.