Adversaries may be using NBTScan to identify active hosts and potential targets within a network, indicating reconnaissance activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage network discovery efforts and prevent further compromise.
KQL Query
let nbtscan = pack_array("9af0cb61580dba0e380cddfe9ca43a3e128ed2f8",
"90da10004c8f6fafdaa2cf18922670a745564f45");
union DeviceProcessEvents , DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName =~ "nbtscan.exe" or SHA1 in (nbtscan)
| project FolderPath, FileName, InitiatingProcessAccountName,
InitiatingProcessFileName, ProcessCommandLine, Timestamp
id: 28ebbb87-535b-4ba0-80f4-6fbf80b7c55a
name: detect-nbtscan-activity
description: |
  This query was originally published in the threat analytics report, Operation Soft Cell.
  Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.
  Operation Soft Cell operators have been known to run nbtscan.exe, a legitimate MS-DOS command-line tool used to discover any NETBIOS nameservers on a local or remote TCP/IP network.
  The following query detects any nbtscan activity on the system over the past seven days.
  Reference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceFileEvents
tactics:
  - Discovery
query: |
  let nbtscan = pack_array("9af0cb61580dba0e380cddfe9ca43a3e128ed2f8",
                           "90da10004c8f6fafdaa2cf18922670a745564f45");
  union DeviceProcessEvents , DeviceFileEvents
  | where Timestamp > ago(7d)
  | where FileName =~ "nbtscan.exe" or SHA1 in (nbtscan)
  | project FolderPath, FileName, InitiatingProcessAccountName,
            InitiatingProcessFileName, ProcessCommandLine, Timestamp
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled NBTScan Job for Network Inventory
Description: A system administrator runs a scheduled NBTScan job to inventory network devices and check for active NetBIOS services.
Filter/Exclusion: process.name != "nbtscan" OR process.parent.name == "task scheduler" OR process.args contains "inventory"
Scenario: Legitimate Network Discovery Tool Usage
Description: A security team uses the nbtscan tool as part of a routine network discovery and vulnerability assessment.
Filter/Exclusion: process.name == "nbtscan" AND (process.args contains "scan" OR process.args contains "discovery")
Scenario: Admin Task to Check NetBIOS Services
Description: An admin uses nbtscan to verify NetBIOS service status on internal servers during routine maintenance.
Filter/Exclusion: process.name == "nbtscan" AND process.parent.name == "cmd.exe" AND (process.args contains "check" OR process.args contains "status")
Scenario: Automated Patch Management Tool Scanning
Description: A patch management tool (e.g., Microsoft System Center Configuration Manager) performs a network scan using nbtscan to identify hosts for updates.
Filter/Exclusion: process.name == "nbtscan" AND (process.parent.name contains "SCCM" OR process.args contains "patch")
Scenario: Internal Security Tool for Active Directory Enumeration
Description: A security tool (e.g., ADInsight or LDP) uses nbtscan as part of Active Directory enumeration to find NetBIOS-enabled hosts.
Filter/Exclusion: process.name == "nbtscan" AND (process.parent.name contains "ADInsight" OR process.args contains "AD" OR process.args contains "domain")
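To apply the scheduled-job scenario above directly in Sentinel, here is an added KQL example (not part of the original rule) that suppresses nbtscan executions launched by the Task Scheduler under an allow-listed inventory account and summarizes the remaining hits per host and account for triage. The account name svc-netinventory and the use of svchost.exe as the Task Scheduler parent process are assumptions to adapt to your environment.

```kql
// Added tuning example, not part of the original rule.
// Known nbtscan.exe SHA1 hashes from the rule above.
let nbtscan = dynamic(["9af0cb61580dba0e380cddfe9ca43a3e128ed2f8",
                       "90da10004c8f6fafdaa2cf18922670a745564f45"]);
// Assumed allow-list: the service account that runs the scheduled inventory job.
let inventory_accounts = dynamic(["svc-netinventory"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "nbtscan.exe" or SHA1 in (nbtscan)
// Assumption: scheduled tasks are spawned by the Task Scheduler service host (svchost.exe).
| extend IsScheduledJob = InitiatingProcessFileName =~ "svchost.exe"
// Drop only the expected job; interactive launches (cmd.exe, powershell.exe parent)
// or the same tool under any other account still surface.
| where not(IsScheduledJob and AccountName in~ (inventory_accounts))
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Executions = count(),
            CommandLines = make_set(ProcessCommandLine, 10)
    by DeviceName, AccountName, InitiatingProcessFileName
| order by Executions desc
```

File-creation hits from DeviceFileEvents are intentionally left to the original union query, since that table carries no AccountName or ProcessCommandLine to tune on.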