Detection signals: Event ID 4648 (logon with explicit credentials), unusual SMB/RDP connections between workstations, authentication from unexpected source hosts, new admin tool usage on non-admin systems.
Lateral movement is the gap between initial access and domain compromise. Detecting it at this stage limits the damage. Network segmentation limits movement; monitoring detects it. Honey credentials planted in password vaults raise an alert when someone tries them on other systems.
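The signals above, written as detection logic over a handful of log records. This is an added example, not code from the original page; the host names, account names, baselines and the simplified record layout are all constructed assumptions, and it covers explicit-credential logons (4648), workstation-to-workstation SMB/RDP, unexpected source hosts and honey-credential use.

```python
# Constructed inventory and baselines (assumptions, not from a real environment).
WORKSTATIONS = {"WS-014", "WS-022", "WS-031"}
EXPECTED_SOURCES = {"svc-backup": {"SRV-BKP01"}, "adm-jlee": {"PAW-01"}}
HONEY_ACCOUNTS = {"vault-da-legacy"}  # decoy credential planted in a password vault
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed, simplified records (not raw Windows event XML or real flow logs).
EVENTS = [
    {"type": "logon", "event_id": 4648, "source": "WS-014", "account": "adm-jlee", "target": "WS-022"},
    {"type": "logon", "event_id": 4648, "source": "PAW-01", "account": "adm-jlee", "target": "SRV-FS01"},
    {"type": "flow", "src": "WS-014", "dst": "WS-031", "dst_port": 445},
    {"type": "flow", "src": "WS-022", "dst": "SRV-FS01", "dst_port": 445},
    {"type": "logon", "event_id": 4624, "source": "WS-031", "account": "svc-backup", "target": "SRV-DB01"},
    {"type": "flow", "src": "WS-022", "dst": "WS-014", "dst_port": 3389},
    {"type": "logon", "event_id": 4648, "source": "WS-022", "account": "vault-da-legacy", "target": "SRV-DC01"},
]

def detect(events):
    """Return (event_index, signal) pairs for the lateral-movement signals."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "flow":
            proto = LATERAL_PORTS.get(ev["dst_port"])
            if proto and ev["src"] in WORKSTATIONS and ev["dst"] in WORKSTATIONS:
                findings.append((i, f"{proto} between workstations"))
            continue
        src, dst, acct = ev["source"], ev["target"], ev["account"]
        if acct in HONEY_ACCOUNTS:  # a decoy has no legitimate use anywhere
            findings.append((i, "honey credential used"))
            continue
        # 4648 is recorded where the explicit credentials were used; skip local use.
        if ev["event_id"] == 4648 and src != dst and {src, dst} <= WORKSTATIONS:
            findings.append((i, "explicit credentials, workstation to workstation"))
        expected = EXPECTED_SOURCES.get(acct)
        if expected is not None and src not in expected:
            findings.append((i, "account used from unexpected source host"))
    return findings

if __name__ == "__main__":
    for idx, signal in detect(EVENTS):
        print(idx, signal, EVENTS[idx])
```

Server-bound SMB from a workstation and an admin logon from its expected source host produce no finding, which keeps the rules focused on workstation-to-workstation activity and baseline deviations.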