Query Details

06 CSL Lateral Movement Internal Port Sweep

Query

id: f6a7b8c9-d0e1-4f2a-3b4c-5d6e7f8a9b0c
name: "Lateral Movement - Internal Host Port Sweep on Admin/Pivot Ports"
version: 1.0.0
kind: Scheduled
description: |
  Detects an internal host connecting to more than 5 distinct internal targets on ports
  commonly used for lateral movement: SMB (445), RDP (3389), WinRM (5985/5986), SSH (22),
  Telnet (23), RPC (135), NetBIOS (139), and common database ports. Fortinet and Palo Alto
  inter-zone logs are primary sources for internal-to-internal traffic visibility.
  MITRE ATT&CK: T1021 (Remote Services), T1570 (Lateral Tool Transfer)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - LateralMovement
relevantTechniques:
  - T1021
  - T1570
query: |
  let LateralPorts = dynamic([22, 23, 135, 139, 445, 3389, 5985, 5986, 1433, 3306, 5432]);
  CommonSecurityLog
  | where TimeGenerated > ago(6h)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks")
  | where ipv4_is_private(SourceIP) == true
  | where ipv4_is_private(DestinationIP) == true
  | where DestinationPort in (LateralPorts)
  | summarize
      UniqueTargets   = dcount(DestinationIP),
      UniquePorts     = dcount(DestinationPort),
      TotalAttempts   = count(),
      TargetIPs       = make_set(DestinationIP, 30),
      PortsUsed       = make_set(DestinationPort, 10),
      Actions         = make_set(DeviceAction, 5),
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated)
    by SourceIP, DeviceVendor
  | where UniqueTargets > 5
  | order by UniqueTargets desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
customDetails:
  UniqueTargets: UniqueTargets
  UniquePorts: UniquePorts
  TotalAttempts: TotalAttempts
alertDetailsOverride:
  alertDisplayNameFormat: "Lateral Movement - {{SourceIP}} swept {{UniqueTargets}} internal hosts"
  alertDescriptionFormat: "Host {{SourceIP}} connected to {{UniqueTargets}} internal targets on {{UniquePorts}} admin/pivot ports. Possible lateral movement or reconnaissance."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential lateral movement within a network by identifying internal hosts that connect to multiple distinct internal targets using specific ports commonly associated with administrative access or lateral movement. Here's a simplified breakdown:

  • Purpose: The query aims to identify internal hosts that connect to more than five different internal targets using ports typically used for administrative purposes or lateral movement, such as SMB, RDP, WinRM, SSH, Telnet, RPC, NetBIOS, and common database ports.

  • Data Sources: It primarily uses logs from Fortinet and Palo Alto Networks to monitor internal-to-internal traffic.

  • Time Frame: The query looks at data from the past 6 hours and runs every hour.

  • Detection Criteria:

    • The source and destination IPs must be private/internal.
    • The destination port must be one of the specified lateral movement ports.
    • The query counts the number of unique internal targets a source IP connects to and flags any source IP that connects to more than five unique targets.
  • Output: For each source IP that meets the criteria, the query provides:

    • The number of unique targets and ports accessed.
    • The total number of connection attempts.
    • A list of target IPs and ports used.
    • The first and last time the activity was seen.
  • Alerting: If the criteria are met, an alert is generated with details about the source IP and the number of targets it connected to, indicating possible lateral movement or reconnaissance.

  • Incident Management: The query is configured to create incidents for detected activities, with options for grouping related alerts by IP to manage them more effectively.
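To make the filtering and aggregation steps above concrete, the following is an added Python re-implementation of the query's logic run over a few constructed CommonSecurityLog-style records. It is example code written for this page, not part of the Sentinel rule or of any vendor tooling. Column names mirror the KQL fields; the RFC 1918 check in `is_private` is assumed to match what KQL's `ipv4_is_private()` returns, and the sample events, hosts and timestamps are made up for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Same port list, vendor filter and threshold as the KQL rule above.
LATERAL_PORTS = {22, 23, 135, 139, 445, 3389, 5985, 5986, 1433, 3306, 5432}
VENDORS = {"Fortinet", "Palo Alto Networks"}
UNIQUE_TARGET_THRESHOLD = 5  # the rule fires when UniqueTargets > 5

# Assumption: KQL ipv4_is_private() matches exactly the three RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """RFC 1918 check standing in for KQL's ipv4_is_private()."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in PRIVATE_NETS)


def sweep_detections(events, threshold=UNIQUE_TARGET_THRESHOLD,
                     max_targets=30, max_ports=10, max_actions=5):
    """Apply the rule's where/summarize/where pipeline to a list of event dicts.

    Returns one row per (SourceIP, DeviceVendor) whose distinct-target count
    exceeds `threshold`, ordered by UniqueTargets descending, like the KQL.
    """
    groups = defaultdict(lambda: {"targets": set(), "ports": set(),
                                  "actions": set(), "attempts": 0,
                                  "first": None, "last": None})
    for e in events:
        # The three 'where' filters: vendor, private source, private destination, port set.
        if e["DeviceVendor"] not in VENDORS:
            continue
        if not (is_private(e["SourceIP"]) and is_private(e["DestinationIP"])):
            continue
        if e["DestinationPort"] not in LATERAL_PORTS:
            continue
        g = groups[(e["SourceIP"], e["DeviceVendor"])]
        g["targets"].add(e["DestinationIP"])
        g["ports"].add(e["DestinationPort"])
        g["actions"].add(e["DeviceAction"])
        g["attempts"] += 1
        ts = e["TimeGenerated"]  # ISO-8601 strings compare correctly lexically
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)

    rows = []
    for (src, vendor), g in groups.items():
        if len(g["targets"]) > threshold:  # the post-summarize 'where UniqueTargets > 5'
            rows.append({
                "SourceIP": src, "DeviceVendor": vendor,
                "UniqueTargets": len(g["targets"]), "UniquePorts": len(g["ports"]),
                "TotalAttempts": g["attempts"],
                # make_set(col, N) caps the set size; the cap order is unspecified in KQL.
                "TargetIPs": sorted(g["targets"])[:max_targets],
                "PortsUsed": sorted(g["ports"])[:max_ports],
                "Actions": sorted(g["actions"])[:max_actions],
                "FirstSeen": g["first"], "LastSeen": g["last"],
            })
    rows.sort(key=lambda r: r["UniqueTargets"], reverse=True)
    return rows


def _ev(src, dst, port, ts, vendor="Fortinet", action="deny"):
    return {"TimeGenerated": ts, "DeviceVendor": vendor, "SourceIP": src,
            "DestinationIP": dst, "DestinationPort": port, "DeviceAction": action}


# Constructed sample log, not real telemetry.
SAMPLE_EVENTS = [
    # One host touching eight internal servers on 445/3389 inside ten minutes.
    *[_ev("10.0.1.50", f"10.0.2.{i}", 445 if i % 2 else 3389, f"2026-03-02T09:0{i}:00")
      for i in range(1, 9)],
    # An admin workstation that manages three servers: below the threshold, no alert.
    _ev("10.0.1.10", "10.0.3.1", 22, "2026-03-02T09:10:00", "Palo Alto Networks", "allow"),
    _ev("10.0.1.10", "10.0.3.2", 22, "2026-03-02T09:11:00", "Palo Alto Networks", "allow"),
    _ev("10.0.1.10", "10.0.3.3", 3389, "2026-03-02T09:12:00", "Palo Alto Networks", "allow"),
    # Records the query's own filters discard.
    _ev("10.0.1.50", "8.8.8.8", 22, "2026-03-02T09:20:00"),              # public destination
    _ev("10.0.1.50", "10.0.2.99", 443, "2026-03-02T09:21:00"),           # not a lateral port
    _ev("10.0.1.50", "10.0.2.100", 445, "2026-03-02T09:22:00", "Cisco"),  # vendor out of scope
]

if __name__ == "__main__":
    for row in sweep_detections(SAMPLE_EVENTS):
        print(f"{row['SourceIP']} swept {row['UniqueTargets']} hosts on "
              f"{row['UniquePorts']} ports ({row['FirstSeen']} .. {row['LastSeen']})")
```

Running it yields a single row for 10.0.1.50 (8 targets, 2 ports, 8 attempts); the admin workstation stays under the threshold, and the public-destination, port-443 and third-vendor records never reach the aggregation. Raising `threshold` is the knob to tune if patch-management or vulnerability-scanning hosts in your environment legitimately fan out to many servers on these ports, and those sources are better excluded explicitly than by lifting the threshold for everyone.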

Details


David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

Lateral Movement, Internal Host, Admin Ports, SMB, RDP, WinRM, SSH, Telnet, RPC, NetBIOS, Database Ports, Fortinet, Palo Alto, MITRE ATT&CK, Remote Services, Lateral Tool Transfer, CommonSecurityEvents, CommonSecurityLog, IP Address, SourceIP, DestinationIP, DeviceVendor, DeviceAction, TimeGenerated

Operators

let, dynamic, in, ago, ipv4_is_private, summarize, dcount, count, make_set, min, max, by, order by, desc
