Added Windows privesc tools and info about unquoted services

privesc/windows/index.md

@@ -14,3 +14,33 @@ Command that can be executed from the context of a shell prompt that help escala
          * `net use \\[computername|IP] /user:DOMAIN\username password`
          * `net time \\[computername|IP]`
          * `at \\[computername|IP] 13:20 c:\temp\evil.bat`
+
+# Service security
+
+### Unquoted service names
+
+Services with unquoted binary paths may allow privilege escalation.
+
+ * Assume ServiceA refers to the unquoted path C:\Program Files\Some Service\service.exe
+ * Service is started with desirable privileges (e.g. domain, SYSTEM)
+ * If attacker can create files as c:\Program.exe or ''c:\Program Files\Some.bat'' the next time the service starts the attacker controlled binary will execute
+
+# Tools
+
+* [Windows Privesc Check](https://code.google.com/p/windows-privesc-check/)
+  * Python + PyInstaller
+  * No unicode support ([attempt to fix this](https://github.com/silentsignal/wpc))
+  * Awful code base
+* [Windows Privesc Check 2.0](https://github.com/silentsignal/wpc/tree/wpc-2.0)
+  * Python + PyInstaller
+  * Code is still very hard to maintain
+  * Still painful to use on non-English systems
+* [PowerUp](https://github.com/HarmJ0y/PowerUp)
+  * Smart PowerShell cmdlets (you can run these at remote hosts also!)
+  * Offensive approach
+  * Checks only the privileges of the executing user
+* [WPC-PS](https://github.com/silentsignal/wpc-ps)
+  * PowerShell
+  * Tends to check privileges for all accounts (thus identifying potential targets for privesc)
+  * Still experimental
+