When a Windows service has weak permissions such as ChangeConfig for all authenticated users, attacker can escalate privileges by pointing the service binary path to a payload.
To look for weak service permissions in Cobalt Strike:
SharpUp does not provide details on actual permissions, which we can get manually with Get-ServiceAcl:
For OPSEC purposes, we want to note the original service path so that we can restore it later:
A simple reconfiguration and upload of a Cobalt Strike payload does the trick: