Unquoted Service Path

Unquoted Service Paths – Windows Privilege Escalation

In simple terms, when a service is created whose executable path contains spaces and isn't enclosed within quotes, this leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running at the SYSTEM privilege level, which most of the time it is).

Manual Checks

Check service without quotes:

Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName | fl
Manual check

Check File or Directory Permissions:

Check directory permissions

Check Service Permissions:

Check service details
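The manual checks above combined into one audit script, as an added example that is not part of the original page: it lists services with unquoted paths, works out which intermediate file names the Service Control Manager would try before the real binary, and tests whether the current user can write to each of those directories. The function names are my own; the script relies only on Get-CimInstance against Win32_Service and a probe file that is written and deleted immediately.

```powershell
# Added example (not from the page): derive the intermediate file names the
# SCM tries for an unquoted path and test whether their directories are writable.
function Get-UnquotedServicePathCandidates {
    param([string]$PathName)   # raw PathName value from Win32_Service
    # Keep only the executable part; drop any arguments after ".exe".
    $exeEnd = $PathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($exeEnd -lt 0) { return @() }
    $exePath = $PathName.Substring(0, $exeEnd + 4)
    if ($exePath -notmatch ' ') { return @() }
    # "C:\Program Files\My App\app.exe" -> "C:\Program.exe", "C:\Program Files\My.exe"
    $parts = $exePath -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Length; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-DirectoryWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    # Create and delete a probe file; an exception means no write access.
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}
function Find-UnquotedServicePaths {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notlike 'C:\Windows*' } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in Get-UnquotedServicePathCandidates -PathName $svc.PathName) {
                [pscustomobject]@{
                    Service       = $svc.Name
                    StartMode     = $svc.StartMode
                    RunsAs        = $svc.StartName
                    CandidatePath = $candidate
                    DirWritable   = Test-DirectoryWritable -Directory (Split-Path -Path $candidate -Parent)
                }
            }
        }
}

Find-UnquotedServicePaths | Format-Table -AutoSize
```

Rows with DirWritable = True and RunsAs = LocalSystem are the ones that matter; the fix is to quote the service path (for example with sc config) so no intermediate name is ever tried.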

Unquoted Service Path with PowerUp

First, import PowerUp.ps1 to memory.

Then, check for privilege escalation vectors using this command:

Alternatively, for checking unquoted service paths specifically, use this command:

Example output:

Vulnerable Service

For detailed information about the vulnerable service, use this command:

Service Details

Now, for abusing the service, you can use Write-ServiceBinary command:

Write-ServiceBinary

Basically, the above command will replace the original files with a malicious file that contains a reverse shell command.

If you have the ability to restart the service, you can run:

But if, as in this case, you don't have the privilege to restart the service (CanRestart = False), you can reboot the machine instead, since the service is set to autostart.

Now your netcat listener will have a session as the NT AUTHORITY\SYSTEM user.

Shell as Admin
