A forwardable Kerberos ticket for delegation of a Protected User was observed
Gain special user Kerberos ticket to move laterally.
Check the initiating service account delegation privileges. Check the delegated account credentials and if it has high privileges. Check the ticket destination to verify whether it is a sensitive asset.