To detect lateral movement on Windows infrastructure I recommend collecting the following events:
The detection approach is based on events (4648 and 4672 from member servers, 8004 from domain controllers) plus network traffic (Kerberos AS and TGS exchanges).
Regarding both event 4648 (A logon was attempted using explicit credentials) and event 4672 (Special privileges assigned to new logon):
=> Collect the events and forward them to a SIEM (Splunk, LogRhythm …) or even to a Windows Event Collector via Windows Event Forwarding (WEF)
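Once 4648 and 4672 land in the SIEM, the useful part is correlating them. The script below is an added example, not code from the original post: it runs two detections over a handful of constructed event records (sample data, not real telemetry) in the flat form a SIEM hands back after parsing EventData. The field names (SubjectUserName, TargetUserName, TargetServerName, IpAddress, PrivilegeList, Computer) are the real Windows EventData names; the thresholds (three distinct target servers within 15 minutes, a 4672 within 5 minutes of the 4648) are assumptions to tune per environment.

```python
"""Correlate Windows 4648/4672 events to surface lateral-movement candidates.

Detection 1: one actor uses explicit credentials (4648) against several
distinct servers in a short window (fan-out from a single workstation).
Detection 2: a 4648 towards server X is followed by a 4672 on X for the
same target account (the explicit credentials carried admin privileges).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); times are UTC ISO strings.
# Computer = host that logged the event (source host for 4648, target for 4672).
SAMPLE_EVENTS = [
    {"EventID": 4648, "Computer": "WS01.corp.example", "TimeCreated": "2024-05-01T09:00:00",
     "SubjectUserName": "alice", "TargetUserName": "svc_backup",
     "TargetServerName": "FS01.corp.example", "IpAddress": "10.0.0.21"},
    {"EventID": 4672, "Computer": "FS01.corp.example", "TimeCreated": "2024-05-01T09:00:05",
     "SubjectUserName": "svc_backup", "PrivilegeList": "SeBackupPrivilege SeDebugPrivilege"},
    {"EventID": 4648, "Computer": "WS01.corp.example", "TimeCreated": "2024-05-01T09:03:00",
     "SubjectUserName": "alice", "TargetUserName": "svc_backup",
     "TargetServerName": "DB01.corp.example", "IpAddress": "10.0.0.22"},
    {"EventID": 4672, "Computer": "DB01.corp.example", "TimeCreated": "2024-05-01T09:03:02",
     "SubjectUserName": "svc_backup", "PrivilegeList": "SeBackupPrivilege SeDebugPrivilege"},
    {"EventID": 4648, "Computer": "WS01.corp.example", "TimeCreated": "2024-05-01T09:08:00",
     "SubjectUserName": "alice", "TargetUserName": "svc_backup",
     "TargetServerName": "APP01.corp.example", "IpAddress": "10.0.0.23"},
    # Benign noise: runas on the same host produces a 4648 with a local target.
    {"EventID": 4648, "Computer": "WS01.corp.example", "TimeCreated": "2024-05-01T09:09:00",
     "SubjectUserName": "alice", "TargetUserName": "alice",
     "TargetServerName": "localhost", "IpAddress": "::1"},
    # Benign: one explicit-credential logon to a single file server.
    {"EventID": 4648, "Computer": "WS02.corp.example", "TimeCreated": "2024-05-01T10:00:00",
     "SubjectUserName": "bob", "TargetUserName": "bob",
     "TargetServerName": "FS01.corp.example", "IpAddress": "10.0.0.21"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def explicit_cred_fanout(events, window=timedelta(minutes=15), min_targets=3):
    """Return {(source_host, actor): sorted target hosts} for every actor that
    used explicit credentials against >= min_targets distinct servers within
    `window`. Self/localhost targets are dropped as common benign 4648 noise."""
    by_actor = defaultdict(list)
    for e in events:
        if e["EventID"] != 4648:
            continue
        target = e.get("TargetServerName", "").lower()
        if target in ("", "-", "localhost", e["Computer"].lower()):
            continue
        by_actor[(e["Computer"], e["SubjectUserName"])].append(
            (parse_time(e["TimeCreated"]), target))
    hits = {}
    for key, entries in by_actor.items():
        entries.sort()
        # Sliding window anchored on each 4648 in time order.
        for i, (t0, _) in enumerate(entries):
            targets = {tgt for t, tgt in entries[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[key] = sorted(targets)
                break
    return hits


def privileged_logon_after_explicit_creds(events, window=timedelta(minutes=5)):
    """Pair each 4648 with the first 4672 logged on its target server for the
    same account within `window`; returns one dict per confirmed pair."""
    admin_logons = [(parse_time(e["TimeCreated"]), e["Computer"].lower(),
                     e["SubjectUserName"].lower())
                    for e in events if e["EventID"] == 4672]
    pairs = []
    for e in events:
        if e["EventID"] != 4648:
            continue
        t = parse_time(e["TimeCreated"])
        target = e.get("TargetServerName", "").lower()
        account = e["TargetUserName"].lower()
        for at, host, user in admin_logons:
            if host == target and user == account and timedelta(0) <= at - t <= window:
                pairs.append({"source": e["Computer"], "actor": e["SubjectUserName"],
                              "as": e["TargetUserName"], "target": e["TargetServerName"],
                              "delay_s": int((at - t).total_seconds())})
                break
    return pairs


if __name__ == "__main__":
    for (host, actor), targets in explicit_cred_fanout(SAMPLE_EVENTS).items():
        print(f"fan-out: {actor}@{host} -> {', '.join(targets)}")
    for p in privileged_logon_after_explicit_creds(SAMPLE_EVENTS):
        print(f"admin logon: {p['actor']}@{p['source']} as {p['as']} on {p['target']} "
              f"(+{p['delay_s']}s)")
```

On the sample data only alice's workstation trips the fan-out rule, and two of her three 4648s are confirmed by a 4672 on the target, which is the pattern to raise first; bob's single explicit-credential logon and the localhost runas are left alone. The same two joins express directly as SIEM searches keyed on TargetServerName/Computer and TargetUserName/SubjectUserName.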
