diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md
index 173aa332de..237521654c 100644
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md
+++ b/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md
@@ -40,6 +40,8 @@ sqlite3 ./.config/gcloud/credentials.db "select value from credentials where acc
 ```
 {% endcode %}
 
+It's also possible to find refresh tokens in **`$HOME/.config/gcloud/application_default_credentials.json`** and in **`$HOME/.config/gcloud/legacy_credentials/*/adc.json`**.
+
 To get a new refreshed access token with the **refresh token**, client ID, and client secret run:
 
 {% code overflow="wrap" %}