Lateral Movement - Internal Host Port Sweep on Admin/Pivot Ports
06 CSL Lateral Movement Internal Port Sweep
Query
let LateralPorts = dynamic([22, 23, 135, 139, 445, 3389, 5985, 5986, 1433, 3306, 5432]);
CommonSecurityLog
| where TimeGenerated > ago(6h)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks")
| where ipv4_is_private(SourceIP) == true
| where ipv4_is_private(DestinationIP) == true
| where DestinationPort in (LateralPorts)
| summarize
UniqueTargets = dcount(DestinationIP),
UniquePorts = dcount(DestinationPort),
TotalAttempts = count(),
TargetIPs = make_set(DestinationIP, 30),
PortsUsed = make_set(DestinationPort, 10),
Actions = make_set(DeviceAction, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIP, DeviceVendor
| where UniqueTargets > 5
| order by UniqueTargets descExplanation
This query is designed to detect potential lateral movement within a network by identifying internal hosts that connect to multiple distinct internal targets using specific ports commonly associated with administrative access or lateral movement. Here's a simplified breakdown:
-
Purpose: The query aims to identify internal hosts that connect to more than five different internal targets using ports typically used for administrative purposes or lateral movement, such as SMB, RDP, WinRM, SSH, Telnet, RPC, NetBIOS, and common database ports.
-
Data Sources: It primarily uses logs from Fortinet and Palo Alto Networks to monitor internal-to-internal traffic.
-
Time Frame: The query looks at data from the past 6 hours and runs every hour.
-
Detection Criteria:
- The source and destination IPs must be private/internal.
- The destination port must be one of the specified lateral movement ports.
- The query counts the number of unique internal targets a source IP connects to and flags any source IP that connects to more than five unique targets.
-
Output: For each source IP that meets the criteria, the query provides:
- The number of unique targets and ports accessed.
- The total number of connection attempts.
- A list of target IPs and ports used.
- The first and last time the activity was seen.
-
Alerting: If the criteria are met, an alert is generated with details about the source IP and the number of targets it connected to, indicating possible lateral movement or reconnaissance.
-
Incident Management: The query is configured to create incidents for detected activities, with options for grouping related alerts by IP to manage them more effectively.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 6h