Pass-the-Ticket (PtT) injects a stolen Kerberos ticket into memory to impersonate the victim user — unlike PtH, uses the actual ticket rather than the password hash.
Mimikatz: sekurlsa::tickets /export + kerberos::ptt [ticket.kirbi]. Requires admin to extract tickets from other sessions. Defense: short ticket lifetimes, Protected Users security group (no cached credentials), Credential Guard. Different from PtH — PtT uses tickets, PtH uses NTLM hashes.