Windows Lateral Movement via Explicit Credentials
Detect lateral movement in a Windows environment
Windows Security event log, Event ID 4648 ("A logon was attempted using explicit credentials"); Event ID 552 is the equivalent on pre-Vista systems.
Check your domain audit policy to ensure that these events are being generated (4648 is controlled by the Logon/Logoff > Audit Logon subcategory, success auditing). Also, they are typically generated only on the host where the explicit credentials are supplied, which for lateral movement is the source system rather than the target, so you need to collect from both servers and user endpoints for full visibility.
whitelisting / filtering
Examine event logs for instances of explicit credentials being used, whether by batch processes (scheduled tasks and services configured to run as a specified account), by users running the Runas command, or by pass-the-hash attacks that launch a process with the stolen credentials. Whitelist recurring instances that are known to be authorized, keyed on the combination of subject account, target account, target server and process, and keep that whitelist up to date over time. Investigate any instances of explicit credential authentication that remain.
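The whitelisting / filtering step above, as an added example that is not part of the original page or of the referenced guide. It assumes the 4648 records have been exported as the standard Windows event XML (what Get-WinEvent's ToXml() or a log forwarder produces); the allowlist entries, host names, accounts and sample events are constructed for illustration, and the event ID check, field names and namespace are the real ones from the Windows Security log.

```python
"""Allowlist-based filtering of Windows Security event 4648 (logon attempted using
explicit credentials) records.  Added example: assumes records arrive as exported
Windows event XML; ALLOWLIST and SAMPLE_EVENTS are constructed for illustration."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Namespace used by every exported Windows event record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass(frozen=True)
class ExplicitLogon:
    computer: str  # host that logged the event (where the credentials were supplied)
    subject: str   # DOMAIN\user running the process that supplied credentials
    target: str    # DOMAIN\user whose credentials were explicitly supplied
    server: str    # TargetServerName: where the logon was attempted ("localhost" for runas)
    process: str   # ProcessName: the process that supplied the credentials
    ip: str        # IpAddress: source address, "-" when not applicable


def parse_4648(xml_text):
    """Return an ExplicitLogon for a 4648 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4648":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return ExplicitLogon(
        computer=root.findtext("e:System/e:Computer", default="", namespaces=NS),
        subject=f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        target=f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        server=data.get("TargetServerName", ""),
        process=data.get("ProcessName", ""),
        ip=data.get("IpAddress", "-"),
    )


# Constructed allowlist: (subject, target, server, process), each a case-insensitive
# glob.  Keep entries as specific as possible; a wildcard-only entry hides everything.
ALLOWLIST = [
    # Backup agent on BACKUP01 authenticating to file servers with its own account.
    (r"CORP\svc_backup", r"CORP\svc_backup_fs", "FS*.corp.example",
     r"C:\Program Files\BackupVendor\agent.exe"),
    # Helpdesk staff (hd_*) elevating to their hd_*-adm account with runas locally.
    (r"CORP\hd_*", r"CORP\hd_*-adm", "localhost", r"C:\Windows\System32\runas.exe"),
]


def is_allowlisted(ev, allowlist=ALLOWLIST):
    """True when every field of some allowlist entry matches the event."""
    fields = (ev.subject, ev.target, ev.server, ev.process)
    return any(all(fnmatchcase(v.lower(), p.lower()) for v, p in zip(fields, entry))
               for entry in allowlist)


def hunt(xml_records, allowlist=ALLOWLIST):
    """Parse exported records, drop non-4648 and allowlisted events, return the rest."""
    parsed = (parse_4648(r) for r in xml_records)
    return [ev for ev in parsed if ev is not None and not is_allowlisted(ev, allowlist)]


def _event(eid, computer, **data):
    """Build a constructed event record in the exported Windows XML shape."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{rows}</EventData></Event>')


# Constructed sample records: two authorized, one suspicious, one that is not a 4648.
SAMPLE_EVENTS = [
    _event(4648, "BACKUP01.corp.example", SubjectUserName="svc_backup", SubjectDomainName="CORP",
           TargetUserName="svc_backup_fs", TargetDomainName="CORP", TargetServerName="FS01.corp.example",
           ProcessName=r"C:\Program Files\BackupVendor\agent.exe", IpAddress="10.0.20.5"),
    _event(4648, "HD-WKS03.corp.example", SubjectUserName="hd_amartin", SubjectDomainName="CORP",
           TargetUserName="hd_amartin-adm", TargetDomainName="CORP", TargetServerName="localhost",
           ProcessName=r"C:\Windows\System32\runas.exe", IpAddress="-"),
    _event(4648, "WKS07.corp.example", SubjectUserName="jdoe", SubjectDomainName="CORP",
           TargetUserName="Administrator", TargetDomainName="CORP", TargetServerName="DC01.corp.example",
           ProcessName=r"C:\Windows\System32\net.exe", IpAddress="10.0.1.77"),
    _event(4624, "WKS07.corp.example", SubjectUserName="jdoe", SubjectDomainName="CORP",
           TargetUserName="jdoe", TargetDomainName="CORP", LogonType="2"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"INVESTIGATE {ev.computer}: {ev.subject} supplied credentials for "
              f"{ev.target} -> {ev.server} via {ev.process} ({ev.ip})")
```

Running the block prints only the workstation user who supplied Domain Administrator credentials to a domain controller from net.exe; the backup agent and the helpdesk runas elevation are filtered out. In practice the allowlist is the part that needs care: match on all four fields rather than on the target account alone, review it whenever a service account or admin process changes, and resist broadening an entry to silence noise you have not actually explained.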
Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations, Tim Bandos, Digital Guardian