diff --git a/README.md b/README.md
index 60a8d00..2da97be 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ My curated list of awesome links, resources and tools
     - [Awesome](#awesome)
     - [Anti Forensics](#anti-forensics)
     - [Certifications](#certifications)
+    - [Digital Forensics and Incident Response](#digital-forensics-and-incident-response)
     - [Exploitation](#exploitation)
     - [Malware Analysis](#malware-analysis)
     - [Reverse Engineering](#reverse-engineering)
@@ -52,6 +53,11 @@ My curated list of awesome links, resources and tools
     - [Offensive Security Certified Professional (OSCP) Review](https://www.jimwilbur.com/2017/07/oscp-review/)
     - [OSCP Course & Exam Preparation](https://411hall.github.io/OSCP-Preparation/)
 
+### Digital Forensics and Incident Response
+
+- [Windows Privileged Access Reference](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ATLT_BM)
+	- Mirror copy of the table is available at [files/dfir/windows-privileged-access.md](files/dfir/windows-privileged-access.md)
+
 ### Exploitation
 
 #### Software Exploitation
diff --git a/files/dfir/windows-privileged-access-reference.md b/files/dfir/windows-privileged-access-reference.md
new file mode 100644
index 0000000..9e8f62f
--- /dev/null
+++ b/files/dfir/windows-privileged-access-reference.md
@@ -0,0 +1,183 @@
+<table>
+  <tr>
+    <th>Connectionmethod</th>
+    <th>Logon type</th>
+    <th>Reusable credentials on destination</th>
+    <th>Comments</th>
+  </tr>
+  <tr>
+    <td>Log on at console</td>
+    <td>Interactive</td>
+    <td>v</td>
+    <td>Includes hardware remote access / lights-out cards and network KVMs.</td>
+  </tr>
+  <tr>
+    <td>RUNAS</td>
+    <td>Interactive</td>
+    <td>v</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>RUNAS /NETWORK</td>
+    <td>NewCredentials</td>
+    <td>v</td>
+    <td>Clones current LSA session for local access, but uses new credentials when connecting to network resources.</td>
+  </tr>
+  <tr>
+    <td>Remote Desktop (success)</td>
+    <td>RemoteInteractive</td>
+    <td>v</td>
+    <td>If the remote desktop client is configured to share local devices and resources, those may be compromised as well.</td>
+  </tr>
+  <tr>
+    <td>Remote Desktop (failure - logon type was denied)</td>
+    <td>RemoteInteractive</td>
+    <td>-</td>
+    <td>By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised.</td>
+  </tr>
+  <tr>
+    <td>Net use * \\SERVER</td>
+    <td>Network</td>
+    <td>-</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>Net use * \\SERVER /u:user</td>
+    <td>Network</td>
+    <td>-</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>MMC snap-ins to remote computer</td>
+    <td>Network</td>
+    <td>-</td>
+    <td>Example: Computer Management, Event Viewer, Device Manager, Services</td>
+  </tr>
+  <tr>
+    <td>PowerShell WinRM</td>
+    <td>Network</td>
+    <td>-</td>
+    <td>Example: Enter-PSSession server</td>
+  </tr>
+  <tr>
+    <td>PowerShell WinRM with CredSSP</td>
+    <td>NetworkClearText</td>
+    <td>v</td>
+    <td>New-PSSession server-Authentication Credssp-Credential cred</td>
+  </tr>
+  <tr>
+    <td>PsExec without explicit creds</td>
+    <td>Network</td>
+    <td>-</td>
+    <td>Example: PsExec \\server cmd</td>
+  </tr>
+  <tr>
+    <td>PsExec with explicit creds</td>
+    <td>Network + Interactive</td>
+    <td>v</td>
+    <td>PsExec \\server -u user -p pwd cmdCreates multiple logon sessions.</td>
+  </tr>
+  <tr>
+    <td>Remote Registry</td>
+    <td>Network</td>
+    <td>-</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>Remote Desktop Gateway</td>
+    <td>Network</td>
+    <td>-</td>
+    <td>Authenticating to Remote Desktop Gateway.</td>
+  </tr>
+  <tr>
+    <td>Scheduled task</td>
+    <td>Batch</td>
+    <td>v</td>
+    <td>Password will also be saved as LSA secret on disk.</td>
+  </tr>
+  <tr>
+    <td>Run tools as a service</td>
+    <td>Service</td>
+    <td>v</td>
+    <td>Password will also be saved as LSA secret on disk.</td>
+  </tr>
+  <tr>
+    <td>Vulnerability scanners</td>
+    <td>Network</td>
+    <td>-</td>
+    <td>Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.</td>
+  </tr>
+  <tr>
+    <td>IIS "Basic Authentication"</td>
+    <td>NetworkCleartext(IIS 6.0+)Interactive(prior to IIS 6.0)</td>
+    <td>v</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>IIS "Integrated Windows Authentication"</td>
+    <td>Network</td>
+    <td>-</td>
+    <td>NTLM and Kerberos Providers.</td>
+  </tr>
+</table>
+
+<table>
+  <tr>
+    <th>Logon type</th>
+    <th>#</th>
+    <th>Authenticators accepted</th>
+    <th>Reusable credentials in LSA session</th>
+    <th>Examples</th>
+  </tr>
+  <tr>
+    <td>Interactive (a.k.a., Logon locally)</td>
+    <td>2</td>
+    <td>Password, Smartcard,other</td>
+    <td>Yes</td>
+    <td>Console logon;RUNAS;Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)IIS Basic Auth (before IIS 6.0)</td>
+  </tr>
+  <tr>
+    <td>Network</td>
+    <td>3</td>
+    <td>Password,NT Hash,Kerberos ticket</td>
+    <td>No (except if delegation is enabled, then Kerberos tickets present)</td>
+    <td>NET USE;RPC calls;Remote registry;IIS integrated Windows auth;SQL Windows auth;</td>
+  </tr>
+  <tr>
+    <td>Batch</td>
+    <td>4</td>
+    <td>Password (usually stored as LSA secret)</td>
+    <td>Yes</td>
+    <td>Scheduled tasks</td>
+  </tr>
+  <tr>
+    <td>Service</td>
+    <td>5</td>
+    <td>Password (usually stored as LSA secret)</td>
+    <td>Yes</td>
+    <td>Windows services</td>
+  </tr>
+  <tr>
+    <td>NetworkCleartext</td>
+    <td>8</td>
+    <td>Password</td>
+    <td>Yes</td>
+    <td>IIS Basic Auth (IIS 6.0 and newer);Windows PowerShell with CredSSP</td>
+  </tr>
+  <tr>
+    <td>NewCredentials</td>
+    <td>9</td>
+    <td>Password</td>
+    <td>Yes</td>
+    <td>RUNAS /NETWORK</td>
+  </tr>
+  <tr>
+    <td>RemoteInteractive</td>
+    <td>10</td>
+    <td>Password, Smartcard,other</td>
+    <td>Yes</td>
+    <td>Remote Desktop (formerly known as "Terminal Services")</td>
+  </tr>
+</table>
+
+

Connectionmethod	Logon type	Reusable credentials on destination	Comments
Log on at console	Interactive	v	Includes hardware remote access / lights-out cards and network KVMs.
RUNAS	Interactive	v
RUNAS /NETWORK	NewCredentials	v	Clones current LSA session for local access, but uses new credentials when connecting to network resources.
Remote Desktop (success)	RemoteInteractive	v	If the remote desktop client is configured to share local devices and resources, those may be compromised as well.
Remote Desktop (failure - logon type was denied)	RemoteInteractive	-	By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised.
Net use * \\SERVER	Network	-
Net use * \\SERVER /u:user	Network	-
MMC snap-ins to remote computer	Network	-	Example: Computer Management, Event Viewer, Device Manager, Services
PowerShell WinRM	Network	-	Example: Enter-PSSession server
PowerShell WinRM with CredSSP	NetworkClearText	v	New-PSSession server-Authentication Credssp-Credential cred
PsExec without explicit creds	Network	-	Example: PsExec \\server cmd
PsExec with explicit creds	Network + Interactive	v	PsExec \\server -u user -p pwd cmdCreates multiple logon sessions.
Remote Registry	Network	-
Remote Desktop Gateway	Network	-	Authenticating to Remote Desktop Gateway.
Scheduled task	Batch	v	Password will also be saved as LSA secret on disk.
Run tools as a service	Service	v	Password will also be saved as LSA secret on disk.
Vulnerability scanners	Network	-	Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.
IIS "Basic Authentication"	NetworkCleartext(IIS 6.0+)Interactive(prior to IIS 6.0)	v
IIS "Integrated Windows Authentication"	Network	-	NTLM and Kerberos Providers.
Logon type	#	Authenticators accepted	Reusable credentials in LSA session	Examples
Interactive (a.k.a., Logon locally)	2	Password, Smartcard,other	Yes	Console logon;RUNAS;Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)IIS Basic Auth (before IIS 6.0)
Network	3	Password,NT Hash,Kerberos ticket	No (except if delegation is enabled, then Kerberos tickets present)	NET USE;RPC calls;Remote registry;IIS integrated Windows auth;SQL Windows auth;
Batch	4	Password (usually stored as LSA secret)	Yes	Scheduled tasks
Service	5	Password (usually stored as LSA secret)	Yes	Windows services
NetworkCleartext	8	Password	Yes	IIS Basic Auth (IIS 6.0 and newer);Windows PowerShell with CredSSP
NewCredentials	9	Password	Yes	RUNAS /NETWORK
RemoteInteractive	10	Password, Smartcard,other	Yes	Remote Desktop (formerly known as "Terminal Services")