Which attack uses Kerberos tickets stolen in memory to authenticate to services on a target system?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which attack uses Kerberos tickets stolen in memory to authenticate to services on a target system?

Explanation:
This question is testing the ability to recognize a Kerberos ticket reuse attack. When a valid Kerberos ticket is stolen from memory, an attacker can present that ticket to the target system to authenticate as the ticket’s user, without needing to re-enter credentials. This is known as the Pass the Ticket technique. By extracting a valid TGT or service ticket from memory (for example, from LSASS) and using it to access services, the attacker effectively impersonates the legitimate user across the network, enabling lateral movement and access to resources without cracking passwords.

Kerberoasting, in contrast, involves obtaining service tickets and cracking the service account’s password offline, not reusing live tickets for authentication. Credential stuffing relies on password lists and repeated login attempts, not on Kerberos tickets. Pass the hash uses NT hash material to authenticate, not actual Kerberos tickets.
