lateral
Trace lateral movement paths across the network for a user or host, correlating authentication events, network connections, and remote process execution into a hop-by-hop timeline.
Description
The lateral command maps how an entity (user or host) moves across the network by correlating multiple event types: authentication (RDP, SSH, SMB logins), network connections on lateral movement ports, and remote process execution tools (PsExec, WinRM, PowerShell remoting). It uses BFS (breadth-first search) to expand from a seed entity hop by hop, building a directed graph of movement.
This is designed for SOC investigation workflows where you need to quickly answer "where did this user go?" or "what was accessed from this compromised host?" without manually pivoting across dozens of queries.
Syntax
... | lateral [seed=<type>] [entity=<field>] [maxhops=<N>] [window=<duration>] [methods=<list>]
Optional Arguments
seed
Syntax: seed=<type>
Description: How to identify the seed entity for tracing.
Values: auto, user, host
Default: auto (checks for user first, then host/IP)
entity
Syntax: entity=<field>
Description: Specific field to use as the seed entity. Overrides seed auto-detection.
Values: Any UDM field (e.g., src_host, dest_ip, user)
Default: Auto-detected
maxhops
Syntax: maxhops=<N>
Description: Maximum number of hops to trace from the seed entity.
Values: 1 to 10
Default: 4
window
Syntax: window=<duration>
Description: Time window for lateral movement search. Overrides the search time range.
Default: Uses the search time range
methods
Syntax: methods=<comma-separated list>
Description: Categories of lateral movement evidence to search.
Values: auth, network, process
Default: All methods
Detection Methods
The command searches for three categories of lateral movement evidence:
| Method | What it Finds | Key Indicators |
|---|---|---|
| auth | Authentication events | RDP, SSH, SMB logins, logon events, auth_type/auth_result fields |
| network | Network connections on lateral ports | Ports 22 (SSH), 445 (SMB), 3389 (RDP), 5985/5986 (WinRM), 135 (DCOM) |
| process | Remote execution tools | PsExec, WMIC, WinRS, PowerShell remoting, mstsc, schtasks, sc.exe |
Output Fields
Each row in the output represents a lateral movement edge (one connection from source to destination):
| Field | Description |
|---|---|
| timestamp | When the movement occurred |
| user | User associated with the movement |
| src_host | Source hostname |
| dest_host | Destination hostname |
| src_ip | Source IP address |
| dest_ip | Destination IP address |
| method | Detection method (auth, network, process) |
| method_detail | Specific technique (e.g., rdp, ssh, psexec, smb, winrm) |
| hop_number | How many hops from the seed entity (0 = first hop) |
| process_name | Process name (for process-based movement) |
| auth_type | Authentication type (for auth-based movement) |
| auth_result | Authentication result |
| source_type | Log source that recorded the event |
Examples
Trace lateral movement for a user
user="jsmith" | lateral
Trace from a specific host
src_host="WKS-0142" | lateral
Limit to 2 hops
user="jsmith" | lateral maxhops=2
Only look at authentication events
user="jsmith" | lateral methods=auth
Auth and network only, skip process execution
src_host="DC01" | lateral methods=auth,network
Trace from a specific IP
src_ip="10.1.1.50" | lateral seed=host
Use a specific field as seed
* | where dest_host="server-db01" | lateral entity=dest_host
Find multi-hop movement and filter
user="jsmith" | lateral | where hop_number > 1
Count destinations per method
user="jsmith" | lateral | stats count by dest_host, method
Sort by hop depth
user="jsmith" | lateral maxhops=5 | sort hop_number, timestamp
Show only RDP lateral movement
user="jsmith" | lateral | where method_detail="rdp"
Tabular view of movement paths
user="jsmith" | lateral | table timestamp, src_host, dest_host, method_detail, hop_number
Usage Notes
Seed detection: With seed=auto (default), the command checks for a user field first, then src_host, dest_host, src_ip, dest_ip. Use entity=<field> if auto-detection picks the wrong entity.
Performance: Each hop issues up to 3 ClickHouse queries (one per method). With maxhops=4 and all methods, that's up to 12 queries. Narrow your time range and consider reducing maxhops or methods for large environments.
Deduplication: Edges are deduplicated per minute — if the same source-to-destination movement appears multiple times within the same minute via the same method, only the first is kept.
Hop expansion: The command uses BFS. For host-seeded queries, each hop expands to all traffic on reached hosts. For user-seeded queries, all hops stay scoped to that user's activity — you only see where that user went, not unrelated traffic on the same destinations.
Identity resolution: Destination hostnames are automatically resolved from IP addresses using identity observations. If dest_host is empty, the destination has no known hostname mapping (e.g., non-domain hosts, infrastructure devices, or external IPs).
SYSTEM-attributed connections: Some network connections (SMB, DCOM) are handled by the Windows kernel and attributed to SYSTEM rather than the logged-in user. The lateral command correlates these by matching source IPs from the user's authentication events, so SMB connections still appear in user-seeded traces.
Chainable: The output is structured rows, so you can pipe to any downstream command (where, stats, sort, table, head, etc.) for further analysis.
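The hop expansion, per-minute deduplication, user-scoped versus host-scoped BFS and SYSTEM-attributed SMB correlation described in the notes above, worked through in Python as an added example. This is not the product's implementation: the flat event schema, the sample events, and the rule that a user-seeded trace starts at the user's earliest observed source host are assumptions made for the illustration.

```python
"""Hop-by-hop lateral movement tracer (added illustration, not the product's code).

Implements the rules this page describes, BFS expansion from a seed, hop_number
starting at 0, per-minute deduplication, user-scoped vs host-scoped expansion and
SYSTEM-attributed SMB correlation by source IP, over a flat in-memory event list.
The event schema and sample data below are constructed for the example.
"""
from collections import Counter

# Constructed sample events: each dict is one auth/network/process observation,
# already normalised to the output field names used on this page.
EVENTS = [
    # jsmith RDPs from the workstation to an app server (interactive logon)
    {"ts": "2024-03-01T09:00:05", "user": "jsmith", "src_host": "WKS-0142", "src_ip": "10.1.1.50",
     "dest_host": "SRV-APP01", "dest_ip": "10.1.2.10", "method": "auth", "method_detail": "rdp"},
    # same logon recorded 20 s later by another source: dropped by per-minute dedup
    {"ts": "2024-03-01T09:00:25", "user": "jsmith", "src_host": "WKS-0142", "src_ip": "10.1.1.50",
     "dest_host": "SRV-APP01", "dest_ip": "10.1.2.10", "method": "auth", "method_detail": "rdp"},
    # SMB from the same source IP, attributed to SYSTEM by the Windows kernel
    {"ts": "2024-03-01T09:01:10", "user": "SYSTEM", "src_host": "WKS-0142", "src_ip": "10.1.1.50",
     "dest_host": "SRV-FILE01", "dest_ip": "10.1.2.20", "method": "network", "method_detail": "smb"},
    # from the app server jsmith runs PsExec against the database server
    {"ts": "2024-03-01T09:05:00", "user": "jsmith", "src_host": "SRV-APP01", "src_ip": "10.1.2.10",
     "dest_host": "SRV-DB01", "dest_ip": "10.1.2.30", "method": "process", "method_detail": "psexec"},
    # an unrelated admin's SSH from the app server: shows up only in host-seeded traces
    {"ts": "2024-03-01T09:06:00", "user": "admin2", "src_host": "SRV-APP01", "src_ip": "10.1.2.10",
     "dest_host": "SRV-LNX01", "dest_ip": "10.1.3.5", "method": "network", "method_detail": "ssh"},
    # jsmith SSHes onward from the database server (hop 2 for the user trace)
    {"ts": "2024-03-01T09:10:00", "user": "jsmith", "src_host": "SRV-DB01", "src_ip": "10.1.2.30",
     "dest_host": "SRV-BACKUP", "dest_ip": "10.1.2.40", "method": "auth", "method_detail": "ssh"},
    # SMB to an IP with no hostname mapping: recorded as an edge but not expanded further
    {"ts": "2024-03-01T09:11:00", "user": "jsmith", "src_host": "SRV-DB01", "src_ip": "10.1.2.30",
     "dest_host": "", "dest_ip": "203.0.113.7", "method": "network", "method_detail": "smb"},
]


def _minute(ts):
    """Truncate an ISO timestamp to the minute, the dedup granularity on this page."""
    return ts[:16]


def trace_lateral(events, seed, seed_type="user", maxhops=4,
                  methods=("auth", "network", "process")):
    """Return lateral movement edges (dicts with hop_number) reachable from the seed."""
    methods = set(methods)
    evs = sorted(events, key=lambda e: e["ts"])
    if seed_type == "user":
        # Hypothetical seeding rule: the trace starts at the user's earliest source host.
        own = [e for e in evs if e["user"] == seed]
        if not own:
            return []
        frontier = {own[0]["src_host"]}
        # Source IPs seen in the user's auth events; used to claim SYSTEM-attributed traffic.
        user_ips = {e["src_ip"] for e in own if e["method"] == "auth"}

        def belongs(e):
            if e["user"] == seed:
                return True
            return e["user"] == "SYSTEM" and e["method"] == "network" and e["src_ip"] in user_ips
    else:
        frontier = {seed}

        def belongs(e):  # host-seeded: every user's traffic on reached hosts counts
            return True

    visited = set(frontier)
    seen = set()
    edges = []
    for hop in range(maxhops):
        next_frontier = set()
        for e in evs:
            if e["method"] not in methods or e["src_host"] not in frontier or not belongs(e):
                continue
            key = (e["src_host"], e["dest_host"], e["method"], e["method_detail"], _minute(e["ts"]))
            if key in seen:
                continue  # same src->dest via the same method within the same minute
            seen.add(key)
            edges.append({**e, "hop_number": hop})
            if e["dest_host"] and e["dest_host"] not in visited:
                next_frontier.add(e["dest_host"])
        if not next_frontier:
            break
        visited |= next_frontier
        frontier = next_frontier
    return edges


def count_by_dest_method(edges):
    """Equivalent of `| stats count by dest_host, method` over the returned rows."""
    return Counter((e["dest_host"], e["method"]) for e in edges)


if __name__ == "__main__":
    for e in trace_lateral(EVENTS, "jsmith"):
        print(e["hop_number"], e["ts"], e["src_host"], "->", e["dest_host"] or "<unresolved>",
              e["method_detail"], e["user"])
```

Running the script with the user seed yields five edges: the duplicate RDP logon collapses into one, the SYSTEM-attributed SMB connection is pulled in because its source IP matches jsmith's authentication events, admin2's SSH from SRV-APP01 is excluded, and the unresolved destination is kept as an edge but never used as a frontier. Seeding on SRV-APP01 instead returns admin2's hop as well, which is the host-scoped behaviour the notes describe.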
Related Commands
- asset - Asset investigation view with identity resolution and activity timeline
- resolve_identity - Resolve IPs to hostnames/users using identity observations
- sequence - Detect ordered event patterns across entities
- tree - Visualize hierarchical relationships (process trees, etc.)