Nssm-2.24 Privilege Escalation

Monitoring tools (such as Sysmon) can trigger alerts when nssm.exe spawns unexpected shells such as cmd.exe or powershell.exe with SYSTEM privileges.

The vulnerability involves manipulating the service configuration so that commands execute with higher privileges than those granted to the user who controls the NSSM service.

Always wrap service paths in double quotes to prevent unquoted path attacks.

An attacker with low-level access replaces the nssm.exe binary with a malicious file (e.g., a reverse shell). Because NSSM usually runs as the LocalSystem account, the attacker's code executes with full administrative power the next time the service restarts.

Attackers can install an NSSM service pointing to cmd.exe /c net user backdoor P@ssw0rd /add & net localgroup administrators backdoor /add . After the next reboot, the backdoor user is created.

This simple process highlights how a single misconfigured permission can lead to a full system compromise.

Checking the service's security descriptor as a standard user (cmd.exe; "sc qc" only prints the configuration, so "sc sdshow" is used to read the ACL):

    :: As standard user bob
    sc sdshow vuln_svc
    :: In the SDDL output, the DC right on an (A;;...) entry for the user's SID or
    :: group is SERVICE_CHANGE_CONFIG, i.e. the permission is present.

NSSM 2.24 – Weak Default Service Permissions Allow Local Privilege Escalation

The attacker waits for the associated service to restart. This can occur through a system reboot, an administrator restarting the service, a scheduled service maintenance window, or even a forced service crash (though this may require additional techniques).

Instead of running every NSSM service as "LocalSystem," use a Managed Service Account (MSA) with the minimum permissions required to perform its task.

Summary Table

Stage         Action                      Security Risk
Discovery     Find nssm.exe services      Information gathering
Analysis      Check folder permissions    Identifying weak ACLs
Exploitation  Replace binary with shell   Execution of malicious code
Escalation    Service restarts            Full SYSTEM compromise
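The audit that the Discovery and Analysis rows describe, written as an added PowerShell example (this is not code from the original page or from the NSSM project): it lists services whose binary path references nssm.exe, flags unquoted paths that contain spaces, notes services still running as LocalSystem, and reports when the binary's folder ACL grants write or modify rights to broad principals such as Everyone or BUILTIN\Users. The principal list and the "spaces in an unquoted path" heuristic are assumptions chosen for the example; service names and paths are whatever the host has.

```powershell
# Added defensive audit example (not from the original page): find NSSM-wrapped services
# and report the misconfigurations the article describes. Run from an elevated prompt.

# Assumption: these principals count as "low-privileged"; extend for your environment.
$weakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights on the binary's folder lets the holder replace nssm.exe.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'nssm\.exe' } |
    ForEach-Object {
        $svc = $_
        $raw = $svc.PathName

        # Executable path: the quoted token if present, otherwise the first whitespace-delimited token.
        if ($raw -match '^"([^"]+)"') {
            $exe    = $Matches[1]
            $quoted = $true
        } else {
            $exe    = ($raw -split '\s+')[0]
            $quoted = $false
        }

        $findings = @()

        # Heuristic: an unquoted path with any whitespace may be hijackable; verify by hand.
        if (-not $quoted -and $raw -match '\s') {
            $findings += 'Unquoted service path containing spaces'
        }
        if ($svc.StartName -eq 'LocalSystem') {
            $findings += 'Runs as LocalSystem (consider a Managed Service Account)'
        }

        # Folder ACL check: can a weak principal write into the directory holding the binary?
        $dir = Split-Path -Path $exe -Parent
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            $acl = Get-Acl -LiteralPath $dir
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $weakPrincipals -contains $ace.IdentityReference.Value -and
                    (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                    $findings += "Folder '$dir' writable by $($ace.IdentityReference)"
                }
            }
        }

        [PSCustomObject]@{
            Service  = $svc.Name
            Account  = $svc.StartName
            Path     = $raw
            Findings = ($findings -join '; ')
        }
    } | Format-Table -AutoSize -Wrap
```

A service row with an empty Findings column is quoted, runs under a non-LocalSystem account, and sits in a folder that broad principals cannot modify; anything else maps directly onto a remediation already on this page (quote the path, move to an MSA, or tighten the folder ACL).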