Trusted Folders

The default rules allow execution from anywhere within C:\Program Files and C:\Windows (including subdirectories).

Moving laterally to a protected machine via psexec is trivial, because the service executable is written into C:\Windows.

If you're on a protected machine as a standard user, there are several directories within C:\Windows that are writable. One such example is C:\Windows\Tasks. This would allow us to copy an executable into this directory and run it.

accesschk.exe "regular" C:\Windows -wus

icacls.exe C:\Windows\Tasks
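
For auditing the same condition from the defensive side, this added PowerShell example (not part of the original page) lists every directory under a trusted path where a standard-user group holds file-creation rights, so those directories can be excluded from the path rules or have their ACLs tightened. The SID list is an assumption about which principals count as standard users, and only allow ACEs are evaluated, so deny ACEs are not modelled.

```powershell
# Added example: audit a trusted path for directories where standard users can create files.
param([string]$Root = 'C:\Windows')

# Well-known SIDs assumed to cover standard users (locale-independent).
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# WriteData (create files) or AppendData (create subdirectories).
$createMask  = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [int][System.Security.AccessControl.FileSystemRights]::AppendData
# Raw GENERIC_WRITE / GENERIC_ALL bits, which some ACEs carry unmapped.
$genericMask = 0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    # Skip directories whose ACL the current account cannot read.
    try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow')                    { continue }  # deny ACEs not modelled
        if ((([int]$ace.PropagationFlags) -band $inheritOnly) -ne 0) { continue }  # applies to children only
        if (-not $lowPrivSids.ContainsKey($sid))                   { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $createMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $lowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$findings | Sort-Object Path, Principal -Unique | Format-Table -AutoSize
```

Directories the current account cannot read are skipped, so run it elevated for full coverage of the tree.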

When enumerating the rules, you may also find additional weak rules that system administrators have configured.
