Query Details

Lateral Movement - Internal Host Port Sweep on Admin/Pivot Ports

06 CSL Lateral Movement Internal Port Sweep

Query

let LateralPorts = dynamic([22, 23, 135, 139, 445, 3389, 5985, 5986, 1433, 3306, 5432]);
CommonSecurityLog
| where TimeGenerated > ago(6h)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks")
| where ipv4_is_private(SourceIP) == true
| where ipv4_is_private(DestinationIP) == true
| where DestinationPort in (LateralPorts)
| summarize
    UniqueTargets   = dcount(DestinationIP),
    UniquePorts     = dcount(DestinationPort),
    TotalAttempts   = count(),
    TargetIPs       = make_set(DestinationIP, 30),
    PortsUsed       = make_set(DestinationPort, 10),
    Actions         = make_set(DeviceAction, 5),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
  by SourceIP, DeviceVendor
| where UniqueTargets > 5
| order by UniqueTargets desc

Explanation

This query is designed to detect potential lateral movement within a network by identifying internal hosts that connect to multiple distinct internal targets using specific ports commonly associated with administrative access or lateral movement. Here's a simplified breakdown:

  • Purpose: The query aims to identify internal hosts that connect to more than five different internal targets using ports typically used for administrative purposes or lateral movement, such as SMB, RDP, WinRM, SSH, Telnet, RPC, NetBIOS, and common database ports.

  • Data Sources: It primarily uses logs from Fortinet and Palo Alto Networks to monitor internal-to-internal traffic.

  • Time Frame: The query looks at data from the past 6 hours and runs every hour.

  • Detection Criteria:

    • The source and destination IPs must be private/internal.
    • The destination port must be one of the specified lateral movement ports.
    • The query counts the number of unique internal targets a source IP connects to and flags any source IP that connects to more than five unique targets.
  • Output: For each source IP that meets the criteria, the query provides:

    • The number of unique targets and ports accessed.
    • The total number of connection attempts.
    • A list of target IPs and ports used.
    • The first and last time the activity was seen.
  • Alerting: If the criteria are met, an alert is generated with details about the source IP and the number of targets it connected to, indicating possible lateral movement or reconnaissance.

  • Incident Management: The query is configured to create incidents for detected activities, with options for grouping related alerts by IP to manage them more effectively.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

LateralMovementInternalHostAdminPortsSMBRDPWinRMSSHTelnetRPCNetBIOSDatabasePortsFortinetPaloAltoMITREATTCKRemoteServicesLateralToolTransferCommonSecurityEventsCommonSecurityLogIPAddressSourceIPDestinationIPDeviceVendorDeviceActionTimeGenerated

Operators

letdynamicinagoipv4_is_privatesummarizedcountcountmake_setminmaxbyorder bydesc

Severity

High

Tactics

LateralMovement

MITRE Techniques

Frequency: 1h

Period: 6h

Actions

GitHub