diff --git a/README.md b/README.md
index 60a8d00..2da97be 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ My curated list of awesome links, resources and tools
- [Awesome](#awesome)
- [Anti Forensics](#anti-forensics)
- [Certifications](#certifications)
+ - [Digital Forensics and Incident Response](#digital-forensics-and-incident-response)
- [Exploitation](#exploitation)
- [Malware Analysis](#malware-analysis)
- [Reverse Engineering](#reverse-engineering)
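Review bot: the added TOC entry carries a leading space before its `-` that the neighbouring entries (`- [Certifications](#certifications)`, `- [Exploitation](#exploitation)`) do not show; align the indentation so the new item renders at the same list level as its siblings. The anchor `#digital-forensics-and-incident-response` matches the `### Digital Forensics and Incident Response` heading added further down, and the alphabetical position between Certifications and Exploitation is consistent with the rest of the list.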
@@ -52,6 +53,11 @@ My curated list of awesome links, resources and tools
- [Offensive Security Certified Professional (OSCP) Review](https://www.jimwilbur.com/2017/07/oscp-review/)
- [OSCP Course & Exam Preparation](https://411hall.github.io/OSCP-Preparation/)
+### Digital Forensics and Incident Response
+
+- [Windows Privileged Access Reference](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ATLT_BM)
+ - Mirror copy of the table is available at [files/dfir/windows-privileged-access.md](files/dfir/windows-privileged-access.md)
+
### Exploitation
#### Software Exploitation
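Review bot: the mirror link is broken as written. The README points at `files/dfir/windows-privileged-access.md`, but the file this patch creates is `files/dfir/windows-privileged-access-reference.md`; either rename the new file or change the link target to `[files/dfir/windows-privileged-access-reference.md](files/dfir/windows-privileged-access-reference.md)`. Minor: the new section is followed by a blank line before `### Exploitation`, while the existing `### Exploitation` heading is immediately followed by `#### Software Exploitation`; pick one spacing convention for the section headings.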
diff --git a/files/dfir/windows-privileged-access-reference.md b/files/dfir/windows-privileged-access-reference.md
new file mode 100644
index 0000000..9e8f62f
--- /dev/null
+++ b/files/dfir/windows-privileged-access-reference.md
@@ -0,0 +1,183 @@
+
+
+ Connectionmethod |
+ Logon type |
+ Reusable credentials on destination |
+ Comments |
+
+
+ Log on at console |
+ Interactive |
+ v |
+ Includes hardware remote access / lights-out cards and network KVMs. |
+
+
+ RUNAS |
+ Interactive |
+ v |
+ |
+
+
+ RUNAS /NETWORK |
+ NewCredentials |
+ v |
+ Clones current LSA session for local access, but uses new credentials when connecting to network resources. |
+
+
+ Remote Desktop (success) |
+ RemoteInteractive |
+ v |
+ If the remote desktop client is configured to share local devices and resources, those may be compromised as well. |
+
+
+ Remote Desktop (failure - logon type was denied) |
+ RemoteInteractive |
+ - |
+ By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised. |
+
+
+ Net use * \\SERVER |
+ Network |
+ - |
+ |
+
+
+ Net use * \\SERVER /u:user |
+ Network |
+ - |
+ |
+
+
+ MMC snap-ins to remote computer |
+ Network |
+ - |
+ Example: Computer Management, Event Viewer, Device Manager, Services |
+
+
+ PowerShell WinRM |
+ Network |
+ - |
+ Example: Enter-PSSession server |
+
+
+ PowerShell WinRM with CredSSP |
+ NetworkClearText |
+ v |
+ New-PSSession server-Authentication Credssp-Credential cred |
+
+
+ PsExec without explicit creds |
+ Network |
+ - |
+ Example: PsExec \\server cmd |
+
+
+ PsExec with explicit creds |
+ Network + Interactive |
+ v |
+ PsExec \\server -u user -p pwd cmdCreates multiple logon sessions. |
+
+
+ Remote Registry |
+ Network |
+ - |
+ |
+
+
+ Remote Desktop Gateway |
+ Network |
+ - |
+ Authenticating to Remote Desktop Gateway. |
+
+
+ Scheduled task |
+ Batch |
+ v |
+ Password will also be saved as LSA secret on disk. |
+
+
+ Run tools as a service |
+ Service |
+ v |
+ Password will also be saved as LSA secret on disk. |
+
+
+ Vulnerability scanners |
+ Network |
+ - |
+ Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk. |
+
+
+ IIS "Basic Authentication" |
+ NetworkCleartext(IIS 6.0+)Interactive(prior to IIS 6.0) |
+ v |
+ |
+
+
+ IIS "Integrated Windows Authentication" |
+ Network |
+ - |
+ NTLM and Kerberos Providers. |
+
+
+
+
+
+ Logon type |
+ # |
+ Authenticators accepted |
+ Reusable credentials in LSA session |
+ Examples |
+
+
+ Interactive (a.k.a., Logon locally) |
+ 2 |
+ Password, Smartcard,other |
+ Yes |
+ Console logon;RUNAS;Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)IIS Basic Auth (before IIS 6.0) |
+
+
+ Network |
+ 3 |
+ Password,NT Hash,Kerberos ticket |
+ No (except if delegation is enabled, then Kerberos tickets present) |
+ NET USE;RPC calls;Remote registry;IIS integrated Windows auth;SQL Windows auth; |
+
+
+ Batch |
+ 4 |
+ Password (usually stored as LSA secret) |
+ Yes |
+ Scheduled tasks |
+
+
+ Service |
+ 5 |
+ Password (usually stored as LSA secret) |
+ Yes |
+ Windows services |
+
+
+ NetworkCleartext |
+ 8 |
+ Password |
+ Yes |
+ IIS Basic Auth (IIS 6.0 and newer);Windows PowerShell with CredSSP |
+
+
+ NewCredentials |
+ 9 |
+ Password |
+ Yes |
+ RUNAS /NETWORK |
+
+
+ RemoteInteractive |
+ 10 |
+ Password, Smartcard,other |
+ Yes |
+ Remote Desktop (formerly known as "Terminal Services") |
+
+
+
+
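Review bot: the new file is not a Markdown table, so the "mirror copy of the table" will not render as one. Each cell has been pasted on its own line with a trailing `|`, there is no header separator row, and the two tables (connection methods, then logon types) run together with nothing marking where one ends and the other begins. Rebuild both as pipe tables, one row per line, with a separator after the header, for example:

`| Connection method | Logon type | Reusable credentials on destination | Comments |`
`| --- | --- | --- | --- |`
`| Log on at console | Interactive | v | Includes hardware remote access / lights-out cards and network KVMs. |`

and give each table its own heading plus a line citing the Microsoft reference page the README links to, so a reader can check the mirror against the source. Several cells also lost whitespace during the copy and should be restored before merging: `Connectionmethod` (missing space), `New-PSSession server-Authentication Credssp-Credential cred` (the `-Authentication` and `-Credential` parameters need a space before each dash), `PsExec \\server -u user -p pwd cmdCreates multiple logon sessions.` (the command and the sentence after it have been fused), and `NetworkCleartext(IIS 6.0+)Interactive(prior to IIS 6.0)` (two values run together). Consider spelling out the `v` / `-` markers in the "Reusable credentials" column as Yes / No, as the second table already does, since that column is the whole point of the reference.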