PowerUp

Get services with unquoted paths and a space in their name.

Get-ServiceUnquoted -Verbose
Get-WmiObject -class win32_service | select pathname (wmi command/lists all paths)

Get services where the current user can write to its binary path or change arguments to the binary

Get-ModifiableServiceFile -Verbose

Get the services whose configuration current user can modify

Get-ModifiableService -Verbose

Run all checks from :

PowerUp

Invoke-Allchecks

BeRoot is an executable:

.\beRoot.exe

Privesc:

Invoke-PrivEsc